Companies must remain diligent as cybersecurity threats evolve

A comprehensive analysis of emerging cybersecurity threats and risk mitigation strategies

Cybersecurity remains a prime concern for middle market companies, as evolving risks present nonstop threats to sensitive data and operations. Organizations face a daily challenge as cybercriminals continue leveraging traditional strategies like ransomware to launch harmful attacks, while new technology such as artificial intelligence and geopolitical concerns present elevated risks.

While the threat environment continues to become more complex, reported breaches have declined in new RSM research. According to findings in the Q1 2025 RSM US Middle Market Business Index survey, nearly one in five (18%) middle market companies experienced a data breach in the previous year, falling from a record-high 28% in last year’s data.

The decline in reported breaches is certainly positive, but this year’s results are consistent with data from previous years outside of the spike in 2024. In addition, with methods becoming more sophisticated, some attacks may go undetected, highlighting the importance of continuously strengthening controls.     

At this point, middle market companies generally understand the risks cybersecurity threats can pose. But as such threats evolve, companies need to continually address potential vulnerabilities and resist the temptation to get overconfident about current controls.

The share of MMBI survey respondents who are confident in their existing cybersecurity strategies reached an all-time high in this year’s data. In fact, 97% of middle market executives reported that they are either very confident or somewhat confident in their current measures to safeguard data, rising slightly from 95% in the 2024 survey and 96% in the two previous years.

Ghazi suggests that higher spending and more outsourced security have contributed to the high confidence.

“It’s likely because they increased investment or, with outsourcing, not many companies are actually facing the cyberattacks themselves,” he says. “So that automatically gives you more confidence.”

Ransomware continues to be a significant threat to the middle market, with attacks that can restrict access to specific systems, business units or even all company data until certain financial conditions are met. With the interconnected nature of today’s businesses and related entities, the harmful effects of these breaches can spread very quickly. In fact, recently ransomware has been in the national spotlight more often after multiple attacks had ripple effects across entire industries and brought productivity to a halt for many companies.

The highly publicized ransomware incidents may be contributing to a continued drop in reported incidents in the MMBI data. This year, 26% of respondents said they experienced at least one ransomware attack or demand in the previous 12 months, a decrease from 30% in the 2024 survey and 35% in 2023. Larger middle market companies are more of a prime target for criminals, as 35% of respondents in this segment reported at least one attack or request, compared to 15% of smaller firms. 

“I think there were a lot of lessons learned in the last year or two after some of these significant incidents,” says Franko. “The major theme comes back to knowing your environment.

“In our maturity and risk assessments, a typical finding is that organizations are not completing a proper business impact analysis or are not completing them across their entire company,” he continues. “Organizations often avoid these assessments because they can be resource-intensive [in terms of money and people], but without them, companies often do not have a comprehensive understanding of how many entities they are connected to and the operational and financial damage that could occur if one had an incident. If they do these analyses, they could be more effective in their continuity processes and reduce their risk.”

Despite the drop in ransomware attacks, companies cannot afford to lose focus. Just one successful attack can have significant repercussions, from financial losses and regulatory penalties to reputational damage and various opportunity costs, depending on the amount and breadth of downtime and how resources need to shift to manage recovery efforts.  

Among companies that experienced at least one ransomware attack in the past year, on average, existing security defense measures were reported as unsuccessful for 31% of ransomware attacks, partially successful for 28% of attacks and completely successful for 41% of attacks.

Compared to the previous year, the average percentage of ransomware attacks successfully defended against increased slightly, as did the percentage of unsuccessful defenses, while the average percentage of partially successful defenses decreased by nearly 5%. For the second consecutive year, the survey data showed minimal differences in the effectiveness of ransomware defenses between smaller and larger middle market companies.

Artificial intelligence has already revolutionized many key processes for middle market organizations, delivering increased efficiency, insight and productivity. But like other new technology implementations, AI does come with significant risks. Middle market companies must be careful to avoid introducing new vulnerabilities to critical data when integrating AI solutions and expanding their use.

While AI does certainly carry risks, its implementation has rapidly evolved into an imperative for ongoing business success.

“In many ways, AI is still emerging,” says Antalik. “Some organizations are further along than others, and some are just at the tip of the iceberg of experimenting with it. But the ones that are scared are missing the boat. While companies that are diving in are bringing on additional risk, if they do things thoughtfully, AI can provide significant benefits across the business.”

To successfully deploy AI technology while mitigating potential risk exposure, organizations must implement an effective governance framework. Several frameworks are currently available, including platforms from the National Institute of Standards and Technology (NIST), Google, and Microsoft, as well as guidelines from several countries and industry organizations.

However, data is at the heart of any AI deployment, so data governance—understanding what data assets companies have and where it is stored, processed, transmitted and accessed from—and core AI governance go hand in hand.

“I often talk to clients about how AI governance is really data governance with a few different components added on, and if you struggle with data governance, then you’re going to have struggles with AI governance,” says Franko. “A vast majority of an AI governance framework is derived from data governance and data protection frameworks. Know your data, protect your data, govern your data. Yes, you must worry about bias and how it makes decisions and whether you are getting the right answers, but you can’t get there unless you have those core principles solved.”

Regarding leading AI governance practices, MMBI survey respondents identified monitoring and auditing AI system performance and outcomes as the most widely implemented control (39%). Close behind were defined roles and responsibilities for enterprise AI decision making (37%), staff training on responsible AI usage and development (36%), and AI-focused risk assessments of products (35%).

Of note, 34% of smaller middle market companies indicated that AI governance steps are not yet in place. This means that more than a third of these companies are not yet using AI, or if they are, their data is likely at an elevated risk.

Beyond AI governance processes, organizations have a growing list of regulatory guidelines to consider when deploying AI strategies. Similar to data security and privacy, AI is not subject to a federal AI regulatory standard in the U.S., but several states are introducing and passing new AI laws. Several specific industries are also rolling out AI standards to promote safe and secure AI usage.

For companies that operate overseas, the European Union has become a pacesetter for AI standards since adopting the first comprehensive set of rules by a major regulator in 2024. Its Artificial Intelligence Act establishes obligations for providers and users depending on the level of risk presented by specific AI tools and applications. Much like the General Data Protection Regulation (GDPR) the EU passed for data privacy in 2018, the AI Act could serve as a global blueprint for AI regulatory actions.

Of course, middle market organizations also must be aware of an entirely new level of threats as criminals harness the power of AI to launch sophisticated attacks. For example, AI is making social engineering attacks feel more realistic by providing attackers with more details about an organization and enabling mimicry of company representatives and leadership with vishing (voice phishing) campaigns and deepfake-enabled impersonations. These attacks are focused squarely on the weakest link in security: people.

“At the end of the day, training your users to understand AI risks is essential,” says Franko. “Your people are your first line of defense, and providing them with the right knowledge is critical. At the same time, the technical and procedural controls that support your users must be strengthened, including your organization’s capability to monitor and swiftly respond when an incident does ultimately occur.”

While companies need to adjust protective strategies and increase awareness to account for more complex AI-supported attacks, the underlying protective strategies are still generally the same as they have always been.

“It’s all the same blocking and tackling that has been used for many years,” says Franko. “It’s making sure you’re strengthening your protection mechanisms, monitoring so you can identify when an attack has been successful, getting the bad guys out, learning from it and getting better. AI risks are no different. Your tactics may change, but your principles don’t.”

Expanding AI risks can understandably be very scary for middle market organizations, but Franko highlights a bright spot.

“The good guys are also armed with AI because it is built into many tools,” he says. “So, your defense capabilities are getting better.” 

A company’s most valuable asset is its data, and that asset must be secured against persistent cybersecurity threats. In a difficult risk environment, companies have multiple options to protect their data and establish effective business continuity processes. However, companies need to carefully determine the right mix of solutions to align with business processes and successfully protect their environment.

Cyber insurance is one of the most utilized tools to protect data and quickly recover if a cyberattack occurs. However, policies have undergone significant changes in recent years. Rising costs have required adjustments from insurers, with increased premiums in some cases and confirmation of certain conditions and controls before issuance of policies. Despite these changes, though, companies still understand the importance of cyber insurance and the peace of mind it can provide.

Once again, the use of cyber insurance is trending up in the middle market, according to MMBI data. In fact, 82% of survey respondents indicated that they carry a cyber insurance policy, up from 76% the previous year and marking the highest percentage in the history of the report.

“It has gotten harder to get the same coverage levels, and you definitely cannot get them for the same price as you used to,” says Alden Hutchison, a principal at RSM US. “There are a lot more requirements, and they make the client prove a lot more security controls are in place to get coverage. But companies are purchasing the policies because they care, and they see the risk.”

Both smaller and larger middle market firms increased their use of cyber insurance in the past year, with smaller middle market companies reporting a rise to 75% from 72% the previous year and larger counterparts jumping to 88% from 83%.

“I’m encouraged,” says Antalik. “There have been a lot of changes in the industry, but organizations are moving in the right direction, and cyber insurance is moving from a ‘nice to have’ to a ‘need to have’ thing. It just goes to show the state of cyberthreats—it’s harder to deal with new threats, so companies need to protect themselves from an insurance standpoint.”

Despite the increase in cyber insurance usage, though, fewer companies understand what their cyber insurance policies cover. In the MMBI survey, 69% of respondents indicated they are familiar with their policy coverages, down from 75% in last year’s data. Familiarity with policy coverages dropped significantly among smaller middle market respondents (from 66% to 51%) while larger middle market companies reported a drop from 86% to 82%. 

With the changes to cyber insurance coverage in recent years, Antalik believes that in many cases the parties directly involved with negotiations may be the only people who truly understand policy details.

“With a lot of new policies being established, only those that negotiated them know them in depth,” he says. “That’s a little scary; what kinds of things are organizations agreeing to and how protected are they?”

In addition to carrying cyber insurance, middle market companies can implement several strategies to limit business disruptions. In this year’s MMBI survey, the leading processes respondents reported having in place to address disruption and ensure continuity are developing communication plans for crises or disruptions (52%), developing and maintaining a business continuity plan (51%), and implementing disaster recovery plans for critical systems (50%). 

Interestingly, those strategies were also the top three among smaller middle market companies, with each strategy cited by 58% of respondents. Responses from larger middle market companies differed slightly, with leveraging technology to hunt for threats and respond to cyber events ranking as the top continuity strategy (47%), likely driven by more funding availability.

However, in the MMBI survey, only 46% of larger middle market companies and 37% of their smaller counterparts reported collaborating with external partners (e.g. suppliers or regulators) for coordinated resilience planning. These figures represent a potential gap and an improvement opportunity for all middle market companies.

Many businesses are deeply interconnected with external parties and third-party service providers, and recent incidents have clearly demonstrated the potential risks when security controls and business practices fall out of alignment.

“Given how dependent organizations have become on one another, stronger collaboration is essential” says Rich Servillas, a director at RSM US. “To address skills gaps effectively, companies would benefit from being more aligned with the partners and third-party providers that support them.”

Hutchison also emphasizes the potential risks involved with not being effectively connected with third-party vendors.

“We have seen so many of these large third-party incidents occur that have disrupted entire industries,” he says. “The automotive industry and the health care industry were both hit really hard, and they weren’t prepared for how they were going to work with their suppliers to recover from it.”

A plan to protect data and recover from a potential cybersecurity incident is not one-size-fits-all. Middle market companies need to have a customized plan in place and adjust it as necessary to align with evolving risks and business processes.

“If you don’t have a business continuity and crisis plan of some sort in place, you’re at risk of not recovering from a breach quickly enough,” says Hutchison. “That plan can keep you from losing your customers, losing the trust of your partners and even potentially losing the business.”

At this point, almost every middle market company has transitioned at least some of its critical data and applications to the cloud for enhanced security. While companies still retain the responsibility for their data security, cloud vendors typically have more extensive security capabilities due to their economies of scale.

MMBI data shows how middle market companies have established different balances of what should reside in the cloud versus on-premises. The greatest share of survey respondents (34%) reported having 21%−50% of their environment operating in the cloud; the next largest group (22%) reported having 51%−75% of their operations in the cloud. For larger middle market companies, the top result (42%) was 21%−50%, while the leading responses for smaller middle market respondents were 21%−50% and 51%−75%, cited by 24% of respondents respectively.

“Migration to the cloud is an ever-evolving journey,” says Steve Kane, a managing director at RSM US. “Given the remote workforce and the ability to do anything anywhere, moving things to the cloud to make them accessible and more secure is going to continue to drive adoption.”   

While moving to the cloud is not a new idea, companies can utilize several strategies to protect their assets there. In the MMBI data, middle market respondents cited cloud-native tools and practices (31%), hybrid solutions combining on-premises and cloud security (31%), and a cloud provider’s built-in security measures without additional enhancements (26%) as the leading cloud technologies used to enhance cybersecurity efforts. 

Many middle market companies are being increasingly exposed to multicloud environments, where assets are divided among multiple cloud providers. For larger companies with complex operations and extensive assets, a multicloud environment can help offset the concentration risk that might come with using only one cloud provider. But the strategy almost always brings more complexity than middle market companies truly need.

“The need for a multicloud environment really has to be compelling,” says Justin Devine, a director at RSM US. “Concentration risk is worth considering, but the effort, cost and complexity of going multicloud to avoid it are generally not worth the benefit. Unless you are running exceptionally critical workloads where downtime could affect the global economy or endanger people's lives, going multicloud is generally not the best approach. Given today's modern cloud services, it's possible to build extremely resilient architectures without going multicloud. I'd advise consulting with cloud resilience professionals before adding a cloud service provider as the ‘easy button’—as building, securing and managing a multicloud environment is anything but easy.”

But Devine believes that many middle market companies that choose to implement a multicloud environment may be getting ahead of themselves and introducing unnecessary risk to the organization.

“My honest opinion is that people go multicloud way too early,” he says. “I have seen organizations go multicloud when they really don’t have a handle on one cloud yet. They double the complexity, split resources in half, make upskilling people twice as difficult, double the attack surface and double the risk.”

However, Gabriel believes most middle market companies that have a multicloud environment got there not necessarily by choice, but because of a transaction. “Most of our clients, you will only see them in a multicloud situation after they acquired another organization,” he says. “You end up acquiring someone that is an Azure shop, but you just happen to be an Amazon Web Services shop. The question becomes: What do you do, and is this something you want to manage?”

In most cases, the answer is no. To effectively manage both environments and the complexity between them, companies need duplicative resources with different skill sets. In addition, the authentication source would likely need to be externalized, adding another layer of complexity just to ensure that if something is compromised, the issue doesn’t spread to both environments.

“You basically have three options,” says Devine. “The first is to double your cloud engineering team so you can support multiple cloud platforms. The second is to refactor and migrate all the workloads to a single platform, and that probably is not worth the effort. Then the third is to limit the risk by transferring the management of the new cloud platform and transferring the risk to a managed service provider. Out of the three options, the first two are not very good.”

Ultimately, outsourcing the management of the new cloud environment—the platform with which internal staff lack experience—is the most effective path forward in many situations.

“You have to weigh your options,” says Gabriel. “You have two things you must deal with, but your core capabilities likely only align with one of them. Can you find a qualified advisor to help you? They can support you as you grow as an organization and determine where your cloud journey is eventually headed.”

As security threats continue to evolve, the network no longer represents a company’s security perimeter. In today’s cybersecurity environment, identity is the new perimeter. With internal users, applications, customers and services providers needing varying levels of access to systems while hackers are constantly attempting to break in, middle market companies need to understand, clearly define and control how much access, if any, employees and vendors need to perform specific tasks.

“A truly effective digital identity strategy must cover capabilities and services to address inherent and compliance risk, introduce operational efficiencies, and be flexible as access requirements for humans and nonhuman resources dynamically change,” says Omer Arshed, a partner at RSM Canada. “As organizations go through digital transformations and continue to invest in technology, the right approach can protect sensitive data and improve the digital experience for both customers and employees.”

In this year’s MMBI survey, the top method middle market respondents said they are leveraging to manage digital identity and secure systems access is a centralized identity and access management (IAM) system with support for multifactor authentication (MFA). As identity is a multifaceted service addressing employees, customers and applications, organizations must prioritize quantifiable risk reduction and enable foundational controls such as MFA. IAM with support for MFA was cited by 46% of overall survey respondents and was the leading method for both large (52%) and smaller (38%) middle market organizations.

The second-leading digital identity method (20%) in the MMBI survey was password management that relies on strict policies, such as regular updates and complexity requirements, but with no IAM system in place. Providing employees with password management tools to secure access ranked third at 14%.

“Some people just think of identity as a username and password that provides access to different groups and functions,” says Kane. “But people don’t often consider that sometimes even the lowest permissioned user can be an internal threat if their credentials are spoofed or obtained through social engineering or other methods. With a credential, a threat actor has the keys to the kingdom and can start getting access to data.”

Effective digital identity processes have rapidly evolved into a critical element of a middle market cybersecurity strategy. Unfortunately, some companies may see digital identity as an obstacle to productivity when the opposite is true: It can boost efficiency while supporting increased security.

“Many organizations see digital identity as a large initiative that can introduce complex change and affect the organization,” says Arshed. “On the contrary, digital identity investments, planned and implemented in the correct manner, are enablers and improve the digital experience for employees and customers while reducing inherent risks and creating cost efficiencies.” 

Outsourcing is a proven strategy for success within many middle market businesses, filling talent gaps with trusted third-party personnel. The need for outsourcing is even more pronounced within the cybersecurity function, where a challenging talent environment has made it difficult for middle market companies to attract and retain security staff with the necessary knowledge and experience.

“The need for outsourcing is probably greater than it’s ever been,” says Kane. “As organizations focus on doing more with less, the cyberthreats are still extremely prevalent and they are not going anywhere.”

“Although I think that the talent shortage is starting to shrink a bit as AI creeps in and starts to automate more functions,” he continues, “it’s still going to take at least 10 years to get to a point where we are not in a talent shortage mindset.”

For now, many middle market companies typically cultivate an ecosystem of outside vendors that can address talent gaps while increasing productivity, efficiency and security. But in an optimal scenario, companies can obtain all outsourced services with a single trusted vendor. With vendor consolidation, services are more consistent, and communication is more efficient with several services under one roof and a single point of contact.

In the MMBI data, the leading cybersecurity function outsourced by respondents is cybersecurity risk and compliance management (51%). Other leading outsourced functions include cyber incident response and forensics (46%), security operations center (24/7/365 monitoring) (46%), security awareness training (44%), and vulnerability management (44%).

“It's hard for middle market companies to keep the necessary talent internally, so they often don't have a choice but to go outside,” says Antalik.

In addition to providing more experienced personnel, outsourcing gives companies direct access to advanced technology that would be out of reach otherwise. “A lot of organizations don’t have the financial backing to buy all of the requisite tools and instruments necessary to address today’s complex threats, on top of managing and maintaining the right staffing levels,” says Kane.

In most cases, the most significant benefit related to outsourcing is the perspective from a qualified external provider that understands emerging issues and can leverage experience gained with other clients.

“Many organizations hire managed services providers like RSM to come in as an independent lens to look at their programs and help them identify actual gaps and make recommendations to make security programs better,” says Antalik. “With internal personnel, human nature can get involved, and people may not want to lift up the rug and look under it.

“Firms like RSM work with hundreds and hundreds of different clients,” he continues. “We see a lot of different things and bring those industry and client leading practices to create effective security solutions. It’s no fault of internal personnel; they just don’t have the perspective of what other organizations are doing and what’s working against current threats.”

The cybersecurity environment is only becoming more challenging, making managed security services a more attractive option for middle market companies. With an effective outsourcing approach, companies can gain direct access to the talent and tools necessary to address evolving and persistent cybersecurity threats. 

The Q1 2025 RSM US Middle Market Business Index survey data was gleaned from a panel of approximately 1,600 executives (the Middle Market Leadership Council) recruited by The Harris Poll using a sample supplied by Dun & Bradstreet. All individuals were full-time, executive-level decision makers working across a broad range of industries (excluding public service administration): nonfinancial or financial services companies with annual revenues of $10 million to $1 billion or CA$10 to CA$1 billion; and financial institutions with assets under management of $250 million to $10 billion or CA$250 million to CA$10 billion.

These panel members are invited to participate in four surveys over the course of a year that include special issue-based question sets, as well as quarterly index-only surveys; the Q1 2025 survey was conducted from Jan. 6 to Jan. 27. Information was collected by phone and online from 402 U.S. middle market executives, including 164 panel members and a sample of 238 online respondents, and 101 Canadian middle market executives. Data is weighted by industry. Download the cybersecurity special report.