Cyberthreats and the middle market

RSM US Middle Market Business Index Cybersecurity Special Report


Cybercrime has become a reality for the middle market. While major cyber incidents and data breaches at large corporations such as Marriott and Facebook continue to capture global headlines, middle market companies are starting to recognize that they are often the prime target for cybercriminals.

In the past, midsize companies often held the perception that they were too small to be a target for hackers. However, with rising concern across the board about several types of cybersecurity attacks uncovered in the RSM US Middle Market Business Index survey, these companies are starting to take notice.

According to first quarter 2019 MMBI data, 15 percent of middle market C-suite executives said their companies experienced a data breach in the last year, up from 13 percent in 2018 and a significant jump from 5 percent just four years ago. Larger middle market organizations continue to be most at risk, with high volumes of valuable data to attract cybercriminals, but lacking the robust security resources of their large-cap peers.

However, the focus on data breaches can be misleading, as the term data breach typically entails a cyber incident resulting in stolen sensitive data. Many cyber incidents do not result in theft of data, such as ransomware, which interrupts business operations, or types of social engineering that could cause the direct theft of funds from bank accounts.

There are few signs that the cybersecurity threat is relenting; in fact, even amid increased attention and investment toward security, it continues to grow. Over half of middle market executives surveyed indicated it is likely that unauthorized users will attempt to access their organization’s data or systems in 2019.

In an effort to protect their firms and individual users against cybersecurity threats, more than half of midsize companies report carrying cyber insurance. However, among those organizations with coverage, only 43 percent of executives claim familiarity with policy details.

In addition to cybersecurity challenges, emerging data privacy regulations are requiring organizations to make a significant shift in how they collect and store data. The European Union’s General Data Privacy Regulation, known as GDPR, took effect in May 2018. Similar legislation is emerging in the United States, led by the California Consumer Protection Act, and congressional hearings have discussed regulation at the federal level.

The new laws do not focus on how companies protect data, but rather why they have it in the first place, and these regulations create an array of new business challenges for organizations highly reliant on customer data. As data privacy moves to the forefront, only 40 percent of executives report familiarity with the guidelines of GDPR or other privacy regulations.

Cybersecurity threats to the middle market are very broad and evolving. The 2018 NetDiligence[1] Cyber Claims Study, sponsored by RSM, showed ransomware has become the most common form of cyber incident, but traditional hacking, malware and business email compromises are still very popular with attackers. Organizations must develop cybersecurity strategies that consider several threats to limit the risk of as many varieties of these attacks as possible.

Other studies, such as the Identity Theft Resource Center’s[2] 2018 End of Year Data Breach Report, show that the number of data breaches actually fell last year by 23 percent. RSM’s survey indicates that criminals show no signs of backing down in the middle market, but they are slowly shifting from attacks meant to steal data to those meant to extract payment directly from the victim. Attacks come by several means: forcing the victim to pay a ransom, stealing funds by compromising corporate bank accounts or tricking the victim into making fraudulent payments.

With generally limited resources, middle market organizations must place a premium on awareness and benchmarking to help mitigate the threat of cybersecurity attacks and to comply with data privacy regulations. RSM has developed this report to provide insights into relevant middle market cybersecurity and data privacy trends, and to highlight steps companies can take to enhance security and privacy efforts.

Download the full 2019 Cybersecurity Special Report

[1] NetDiligence is a privately held cyber risk assessment and data breach services company, utilized by leading cyber liability insurers in the United States and United Kingdom to support loss control and education objectives.

[2] The Identity Theft Resource Center is a nonprofit organization established to support victims of identity theft and to broaden the awareness of identity theft, data breaches, cybersecurity, scams and fraud, and privacy issues.
