Middle market companies face an increasingly volatile cybersecurity environment, with threats coming from more directions than ever before and more skilled criminals targeting the segment, according to an RSM US and U.S. Chamber of Commerce report.
There is good news, however: the number of breaches reported among middle market companies in the last year decreased slightly, as protections became more widely available and executives gained a better understanding of the consequences of a potential incident. Twenty-two percent of middle market leaders said their company experienced a data breach in the last year, down from 28% in last year’s survey. Even with enhanced protections in place and the decrease in attacks, companies cannot afford to let their guard down.
“The middle market encountered a roller coaster of risks in the last year, from lingering threats related to the COVID-19 pandemic to geopolitical conflicts and economic uncertainty,” said Tauseef Ghazi, national leader of security and privacy services with RSM US.
“The small drop in reported breaches is encouraging, and we largely attribute it to middle market companies beginning to implement better identity and access management controls. Yet, even with the decline in reported attacks, companies recognize the risks posed by the current dynamic threat environment, with 72% of executives anticipating that unauthorized users will attempt to access data or systems in 2022, a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015.”
Ransomware attacks down slightly, though significant concerns persist in the middle market
Despite the heightened threat environment, the survey respondents reported a drop in ransomware attacks and demands for the first time since RSM began collecting such data in 2018. Twenty-three percent of middle market executives disclosed that they experienced a ransomware attack or demand in the past year, down from 33% last year.
Larger middle market companies reported a bigger drop, with 29% experiencing an attack this year compared with 43% in last year’s report, while 16% of smaller organizations suffered an attack or demand, down from 24% in 2021. Although the number of attacks dropped, middle market leaders do not expect the ransomware threat to diminish: 62% say they are at risk of a ransomware attack in the next 12 months, up from 57% last year.
The reported frequency of business takeover attempts has remained consistent over the last few years, and 2022 survey data is no different. Forty-five percent of respondents said that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, compared to 51% in 2021.
The survey reported that 27% of those attempts to manipulate employees were successful over the last year, a considerable drop from 45% in 2021’s data. While business takeover attempts became less successful in the middle market, there is no end in sight to the potential threat. In the study, 73% said their organization is at risk of an attack that manipulates employees in the next 12 months, a slight increase over last year and the highest number ever recorded.
“We see businesses of all sizes encountering cyber threats, such as ransomware attacks. With the ongoing Russia-Ukraine conflict, the U.S. homeland and national security communities are urging businesses to take steps to protect their networks and partner with the government,” said Matthew Eggers, VP of Cyber Security Policy with the U.S. Chamber of Commerce.
Middle market companies taking cyber threats seriously and working to respond
Organizations took a wide variety of actions in response to publicized data security breaches in the past year: 61% updated security protocols, and nearly half enhanced the security of existing remote workforce solutions or strengthened staff training and education efforts (49% each).
Additionally, the survey found that 61% of respondents currently utilize a cyber insurance policy to protect against internet-based risks, falling slightly from 65% in last year’s report. In fact, this year’s survey revealed that two-thirds (67%) of respondents reported increased policy premiums compared with their prior period, with only 2% seeing a decrease.
“As cyberattacks rose in 2021, people became more cautious. Executives were more focused on understanding what was in their cyber insurance policies and working through them,” said Ghazi. “The rise in premiums for cyber insurance is also prompting many middle market organizations to take a closer look at their policy and the stipulations they need to adhere to.”
The cloud has also been an extremely valuable tool for the middle market, and almost every company uses the cloud in some way. Many organizations initially moved files and systems to the cloud to decrease reliance on on-premises servers and increase access and visibility to key data, but companies have found that the cloud is also an effective security tool.
The data shows that 36% of middle market companies moved or migrated data to the cloud as a result of security concerns during the past year. That represents a drop from last year’s data when 40% reported transitioning data to the cloud. Among middle market executives who reported moving data to the cloud for security concerns, 90% believe the data residing in the cloud is more secure, representing a small increase from last year’s survey (88%).
With business takeover attacks capable of coming from many angles, middle market companies need to use several strategies to address them. Of the organizations surveyed that encountered unsuccessful attacks, 76% cited employees not acting on the fraudulent request as a reason the breach failed, a 12% drop from last year’s survey. In addition, 65% of middle market executives said that secondary controls prevented the completion of an attack, and 53% credited system controls that prevented delivery of fraudulent communications or materials to employees.
While implementing protective cybersecurity measures is an ongoing priority for the middle market, companies cannot lose sight of progressive legislative efforts toward enhanced data privacy. The European Union’s General Data Protection Regulation (GDPR) was developed and implemented in 2018 and has served as the model for several subsequent data privacy standards worldwide.
Following the success of the GDPR, data privacy standards have slowly made their way to the U.S. As of early 2022, at least 16 individual states have implemented some form of data privacy laws, including comprehensive standards in California, Colorado and Virginia. Fifty-eight percent of executives in the survey said they are familiar with the requirements of the GDPR, up from 55% in 2021.
Among the survey respondents familiar with GDPR requirements, 90% said that their organizations would likely have to comply with privacy legislation similar to the GDPR at a state or federal level in the U.S. during the next two years, a 2% decrease from last year’s data. Ninety-six percent of leaders in the survey who are familiar with the GDPR said preparing for emerging privacy regulations is a priority, almost identical to last year.
Considerations of a global economy
A significant number of U.S.-based companies have business interests in the U.K. or may be considering future expansion in the region. Understanding the risks at home is certainly important, but middle market organizations must also know the threats that are prevalent in the countries where they do business.
This year’s report also explores comparisons to concerns and protective measures in the U.S. and the U.K. using new data from the RSM U.K. report. Key findings include that in 2021 more middle market leaders in the U.K. reported a data breach than in the U.S. (34% compared to 22%).
However, while 72% of U.S. respondents expect unauthorized users to attempt to access data or systems in 2022, 67% of U.K. counterparts expect a breach attempt. The risks are high in both countries, but with reported breaches more than doubling in the past year, U.K. companies may need to implement additional controls or adjust cybersecurity strategies.