United States

Key cybersecurity considerations for middle market companies

RSM US MMBI Cybersecurity Special Report 2018


Middle market organizations must evaluate several important issues to address their potential cyber vulnerabilities.

  • Third-party vendor management: This area is often overlooked, but many third parties store, process, access and transmit potentially sensitive data. Therefore, companies need to make sure that this information is protected when using third parties, such as cloud providers.
  • Identify and access management (IAM): Companies should invest in technology to secure their applications and systems  by  leveraging  centralized single sign-in and two-factor  authentication (such as a username and password, but then also token or text message to a smart phone).
  • Vulnerability management program (VMP): Organizations should conduct regular testing for known vulnerabilities, for both external (internet) and internal environments. Developing and implementing a program will help ensure that identified vulnerabilities are mitigated in a timely manner.
  • Culture and awareness: Employee awareness of security-related issues can have a significant impact on the overall security program. By implementing a proactive security awareness campaign in conjunction with periodic phishing tests, companies can help ensure that end users are actively aware of the latest  threats.
  • Benchmarking: Conducting annual risk assessments can provide visibility into an organization’s overall risk posture. Benchmarking results year over year and comparing the results to industry averages can provide context to risk appetite developed by senior leadership.
  • Compliance: Companies should be aware of the various compliance regulations they are required to adhere to. In addition, once they trip the middle market threshold, companies will likely face multiple additional regulations they need to comply with, and they should therefore consider  cross-compliance mapping.
  • Incident response planning: As companies start to develop a larger footprint, their data breach risks will likely increase. In addition, with a larger staff, the need for formal processes is critical so employees understand what to do and are prepared to respond to a breach, both from a technical standpoint as well as a reputational perspective.
  • Cyber liability insurance (CLI): The ability to transfer some portion of risk is advantageous to middle market companies. Keep in mind when renewing or looking to purchase a CLI policy,the aforementioned focus areas must be addressed. Failure to have an awareness program or an incident response program, etc., may cause premiums to increase or, in many instances, be contingent on having processes in place prior to a claim.
  • Cybersecurity steering committee: This group can provide a platform to have open discussions surrounding cyberrisks. The committee should include a variety of individuals, including audit, legal, human resources, IT, business owners and cybersecurity resources. The primary objective is to establish a risk appetite and provide overall business guidance on risk decisions.

Download the full report»

How can we help you?

Learn more about our security, privacy and risk services.  Or get in touch with our risk advisory professionals.