
Confidence in cybersecurity controls is rising, but significant threats persist

Despite optimism, companies cannot afford to lose focus on emerging threats

November 03, 2025

Key takeaways

97% of middle market executives are confident in current measures to safeguard data.

26% of survey respondents experienced at least one ransomware attack or demand in the last year.

Defense measures were reported as unsuccessful for 31% of ransomware attacks. 


At this point, middle market companies generally understand the risks cybersecurity threats can pose. But as such threats evolve, companies need to continually address potential vulnerabilities and resist the temptation to get overconfident about current controls.

The share of MMBI survey respondents who are confident in their existing cybersecurity strategies reached an all-time high in this year’s data. In fact, 97% of middle market executives reported that they are either very confident or somewhat confident in their current measures to safeguard data, rising slightly from 95% in the 2024 survey and 96% in the two previous years.

Ghazi suggests that higher spending and more outsourced security have contributed to the high confidence.

“It’s likely because they increased investment or, with outsourcing, not many companies are actually facing the cyberattacks themselves,” he says. “So that automatically gives you more confidence.”

Ransomware continues to be a significant threat to the middle market, with attacks that can restrict access to specific systems, business units or even all company data until certain financial conditions are met. With the interconnected nature of today’s businesses and related entities, the harmful effects of these breaches can spread very quickly. In fact, ransomware has recently been in the national spotlight more often, after multiple attacks had ripple effects across entire industries and brought productivity to a halt for many companies.

The highly publicized ransomware incidents may be contributing to a continued drop in reported incidents in the MMBI data. This year, 26% of respondents said they experienced at least one ransomware attack or demand in the previous 12 months, a decrease from 30% in the 2024 survey and 35% in 2023. Larger middle market companies are more of a prime target for criminals, as 35% of respondents in this segment reported at least one attack or request, compared to 15% of smaller firms. 

“I think there were a lot of lessons learned in the last year or two after some of these significant incidents,” says Franko. “The major theme comes back to knowing your environment.

“In our maturity and risk assessments, a typical finding is that organizations are not completing a proper business impact analysis or are not completing them across their entire company,” he continues. “Organizations often avoid these assessments because they can be resource-intensive [in terms of money and people], but without them, companies often do not have a comprehensive understanding of how many entities they are connected to and the operational and financial damage that could occur if one had an incident. If they do these analyses, they could be more effective in their continuity processes and reduce their risk.”

Despite the drop in ransomware attacks, companies cannot afford to lose focus. Just one successful attack can have significant repercussions, from financial losses and regulatory penalties to reputational damage and various opportunity costs, depending on the amount and breadth of downtime and how resources need to shift to manage recovery efforts.  

“I think there were a lot of lessons learned in the last year or two after some of these significant incidents. The major theme comes back to knowing your environment.”
Matt Franko, Principal, RSM US LLP

Among companies that experienced at least one ransomware attack in the past year, on average, existing security defense measures were reported as unsuccessful for 31% of ransomware attacks, partially successful for 28% of attacks and completely successful for 41% of attacks.

Compared to the previous year, the average percentage of ransomware attacks successfully defended against increased slightly, as did the percentage of unsuccessful defenses, while the average percentage of partially successful defenses decreased by nearly 5%. For the second consecutive year, the survey data showed minimal differences in the effectiveness of ransomware defenses between smaller and larger middle market companies.
