18% of middle market executives reported suffering a data breach in the last year, down from 28%.
Larger middle market companies were twice as likely to suffer a breach.
Continued vigilance is necessary as cybersecurity threats continue to become more sophisticated.
Middle market companies depend on effective and resilient cybersecurity controls for ongoing sustainability and growth, but the risk environment remains volatile and challenging. Though the percentage of respondents reporting breaches over a one-year term in the Q1 2025 RSM US MMBI survey fell significantly compared to a record high in the previous year, companies cannot afford to be complacent in an environment of constantly emerging threats. As threat actors' tactics, techniques and procedures continually evolve amid advances in generative artificial intelligence and ongoing geopolitical tensions, protective measures must adapt and evolve in tandem.
Nearly 1 in 5 (18%) of the middle market executives surveyed in 2025 said their organizations experienced a data breach in the previous year, a sharp decline from 28% in the 2024 survey and the lowest percentage since the 2020 survey. Drops were seen for both larger and smaller middle market companies, but larger companies were twice as likely to suffer a breach, with 24% of respondents in this segment reporting a breach compared to 12% of their smaller counterparts. However, this discrepancy may be due to smaller companies either lacking sufficient controls to effectively detect incidents or facing less regulatory pressure to report them.
The MMBI survey, conducted online and by phone from Jan. 6 to Jan. 27, 2025, on behalf of RSM by The Harris Poll, drew responses from 402 U.S. and 101 Canadian middle market executives across a variety of industries. The data provides insights on smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations in the U.S.—and their responses to many cybersecurity questions revealed large gaps between the two groups. Smaller middle market firms appear to lag their larger counterparts in cybersecurity budgets and staffing, as well as in identity and access management and implementing advanced AI governance protocols.
With reported breaches falling and 91% of respondents reporting an increase in cybersecurity investments, companies generally feel secure in their protective strategies. In fact, 97% of survey respondents are confident in their current security measures, the highest level in the 10-year history of the report. In addition, this year’s survey saw a record-high number of companies that carry a cyber insurance policy (82%).
Despite the drop in reported breaches, RSM risk professionals caution middle market companies against getting too comfortable in the face of cybersecurity risks, as the threats are still very real.
Tauseef Ghazi, a principal at RSM US LLP and leader of the firm’s cybersecurity practice, believes the reported breaches may have simply normalized after the spike in the previous year’s data. “The influx in 2024 is explainable because of the sanctions and the disruption in the financial networks related to the Russia-Ukraine conflict,” he says. “After this year’s drop in breaches, we are very comparable in terms of historical breach levels in the survey. Therefore, continued vigilance is required, especially with the augmentation of AI to support such malicious activities.”
The increased complexity of attacks also may at least partially explain the decline in reported breaches, as some companies may not have identified the presence of an attacker in their systems. For example, when a ransomware attack takes place, the attacker announces themselves to collect the ransom. But now, many bad actors are attempting to access networks and operate silently within them to collect sensitive data.
“The scary part for companies is that attacks have become so sophisticated, and they may not be able to detect them,” says Daniel Gabriel, an RSM US principal. “If attackers are backing down on ransomware, the goal of the attack is to not disclose yourself.”
However, RSM US Principal Matt Franko sees companies taking advantage of some cybersecurity controls and strategies that could also contribute to the drop in reported breaches. “Our No. 1 recommendation still to this day is to develop a strong asset inventory,” he says. “We are seeing a lot more organizations start to address asset management and inventory, which is helping them in a variety of other areas, such as vulnerability management and access management. You can do a much better job protecting yourself when you know what you need to protect.
“We have helped a lot of organizations automate their configuration management database with intelligent platforms like ServiceNow,” he continues. “Sometimes, it’s a combination of tools that creates a consolidated viewpoint of tools and systems. Once that program is up and running, and you’re getting a consistent view of your population, you can understand what you have and then go protect it.”
Franko also believes that the growing reliance on managed security services and the increased specialization of those platforms have put companies in a stronger position to address evolving threats. “Organizations have invested a lot more in working with companies like RSM and our RSM Defense™ managed security solution,” he says. “Buyers are becoming smarter; they want more sophisticated managed services providers that know and understand their environment.”
Meanwhile, Mark Antalik, a managing director at RSM US, highlights the severity of the threat that still exists. “Even with everything that companies are doing to combat cyber risks, a breach is still happening to roughly 1 in 5 organizations,” he says. “That’s why you need to understand your data and need modern cybersecurity controls in place.”
Two significant cybersecurity challenges are projected to persist: staffing and AI governance. Qualified cybersecurity talent has been increasingly difficult to attract and expensive to retain in a very competitive market.
“Talent is still a huge issue,” says Ghazi. “Finding people with the right skill sets is a big challenge, and they are not coming out of universities at that level. Also, we’ve always cultivated an apprenticeship model in cybersecurity, and people are often not staying long enough to be an apprentice for anyone.”
In the past, many companies have relied on offshore talent, but even that staffing strategy is now often out of reach from a financial perspective.
“There are very few people who can solve the complex problems companies have today,” says Ghazi. “At a macro level, we are struggling with talent, and offshoring is steadily becoming more and more expensive.”
To fill these critical cyber personnel gaps, more companies are turning to increased automation and expanded managed services strategies.
Companies are still generally finding their footing with AI in the middle market, and risks related to data and governance continue to crop up. Organizations need to understand what data they have and manage how it is used with an effective AI governance model.
“AI is not a silver bullet,” says Ghazi. “It’s still a model that you must train and closely manage. When you’re putting data out for AI use, how are you controlling it?”
As attack methods and potential vulnerabilities continue to evolve, protective strategies are advancing in response. To address modern threats moving forward, companies should build proactive cybersecurity strategies by focusing on:
The Q1 2025 RSM US Middle Market Business Index survey data was gleaned from a panel of approximately 1,600 executives (the Middle Market Leadership Council) recruited by The Harris Poll using a sample supplied by Dun & Bradstreet. All individuals were full-time, executive-level decision makers working across a broad range of industries (excluding public service administration): nonfinancial or financial services companies with annual revenues of $10 million to $1 billion or CA$10 to CA$1 billion; and financial institutions with assets under management of $250 million to $10 billion or CA$250 million to CA$10 billion.
These panel members are invited to participate in four surveys over the course of a year that include special issue-based question sets, as well as quarterly index-only surveys; the Q1 2025 survey was conducted from Jan. 6 to Jan. 27. Information was collected by phone and online from 402 U.S. middle market executives, including 164 panel members and a sample of 238 online respondents, and 101 Canadian middle market executives. Data is weighted by industry.