© 2021 RSM US LLP. All rights reserved.
RSM US Middle Market Business Index 2021 Cybersecurity Special Report
When it comes to cyberthreats, the old adage held true in 2020: the more things change, the more they stay the same. Hackers and other electronic criminals continued their relentless pursuit of data and sensitive information from middle market businesses, leading to record levels of several types of attacks. The middle market continues to represent a sweet spot for hackers, with companies possessing a significant amount of valuable data, but lacking the level of protective controls and staffing of larger organizations.
The COVID-19 pandemic also altered the threat landscape in the middle market due to the rapid large-scale shift to a remote work environment and more dependency on the internet to remain productive. Many companies simply did not have experience with managing such a transition, and security vulnerabilities—even for a short amount of time—were almost inevitable. Criminals were quick to strike, unleashing a host of attacks ranging from widespread malware and viruses to targeted social engineering and phishing attacks.
After years of increasing breach attempts and successful breaches, the middle market understands the risks that cybercriminals can pose. However, while the pandemic caused a global lockdown and generally kept people at home without the luxury of venturing out to a restaurant or a movie, hackers were locked down as well with little to do but hone their craft and exploit vulnerabilities.
Recognizing and addressing increased cybersecurity risks
Middle market executives provided insight into the rise in data breaches in a recent RSM US Middle Market Business Index survey, while also detailing ongoing cybersecurity concerns and the evolving controls and strategies employed to address security threats and combat hackers.
According to first quarter 2021 MMBI data, 28% of middle market executives claimed that their company experienced a data breach in the last year, the highest level since RSM began tracking data in 2015 and a sharp rise from 18% just last year. Larger middle market organizations were most at risk, as 42% of executives at such companies reported a breach, compared to 16% at smaller counterparts.
The middle market continues to increase investment in a variety of protective measures, and 71% of respondents have a dedicated function focused on data security and privacy. However, with the frequency of breach attempts and the ongoing uncertainty about the road back to normal in the wake of COVID-19, 64% of respondents anticipate that unauthorized users will attempt to access data or systems in 2021, another significant increase from 55% in both 2019 and 2020.
In this challenging threat environment, cyber insurance should become even more of a priority. The RSM survey found that 65% of middle market organizations carry a cyber insurance policy, a slight increase from last year’s 62%. Even more important, though, was the jump in respondents who claim familiarity with what their policy covers, up to 64% from 48% last year.
Managing an evolving data privacy landscape
In addition to consistently rising cybersecurity risks, the data privacy regulatory landscape continues to shift, and compliance demands are becoming more of a reality for middle market businesses. The European Union’s General Data Protection Regulation was implemented in 2018, providing a new standard for how EU resident data is collected and stored. Unlike security guidelines, the GDPR is not focused on how companies secure data, but why they have that data.
The GDPR has inspired subsequent data privacy regulations in several individual states, including the California Consumer Privacy Act. Over a dozen states have signed privacy regulations into law, and a federal standard is likely on the horizon. During the 2020 presidential election, data privacy was an element of both parties’ platforms, but it was a bigger point of emphasis for the Biden campaign. With the middle market’s reliance on data to drive decision-making, new laws could require substantial changes to policies and processes.
Awareness is critical with data privacy legislation, and RSM MMBI data shows that 55% of executives are familiar with the requirements of the GDPR, another significant jump from last year’s data (39%). In addition, nearly all respondents familiar with the GDPR (97%) indicated that preparing for emerging privacy legislation is at least a priority of minor importance, which is consistent with last year’s data.
Utilizing peer data and insight into middle market trends
Cyberattacks and breach attempts were already steadily on the rise in the middle market, and the COVID-19 pandemic has only intensified the threat. In this environment, companies must take advantage of benchmarking opportunities and peer insights to develop an effective defensive stance with generally limited resources. RSM has developed this report to provide relevant middle market cybersecurity insights and data privacy trends, as well as to outline strategies organizations can implement to strengthen security and privacy programs.