RSM Cybersecurity Report Reveals Major Threats Still Persist Despite Slight Drop in Reported Breaches in the Middle Market

CHICAGO (June 02, 2022) – Middle market firms face an increasingly volatile cybersecurity environment, with threats coming from more directions than ever before and more skilled criminals targeting the segment, according to the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report released today from RSM US LLP (RSM), in partnership with the U.S. Chamber of Commerce. However, there is good news as the number of breaches reported in the last year among middle market companies slightly decreased with protections becoming more available and executives understanding the consequences related to potential incidents. Twenty-two percent of middle market leaders claimed that their company experienced a data breach in the last year, representing a drop from 28% in last year’s survey, suggesting that even with enhanced protections in place and the decrease in attacks, companies cannot afford to let their guard down.

“The middle market encountered a roller coaster of risks in the last year, from lingering threats related to the COVID-19 pandemic to geopolitical conflicts and economic uncertainty,” said Tauseef Ghazi, national leader of security and privacy services with RSM US LLP. “The small drop in reported breaches is encouraging, and we largely attribute it to middle market companies beginning to implement better identity and access management controls. Yet, even with the decline in reported attacks, companies recognize the risks posed by the current dynamic threat environment, with 72% of executives anticipating that unauthorized users will attempt to access data or systems in 2022, a sharp rise from 64% last year and the highest number since RSM began tracking data in 2015.”

The report further reveals relevant middle market cybersecurity insights and data privacy trends, along with tactics organizations can utilize to strengthen security and privacy programs.

Ransomware Attacks Down Slightly, Though Significant Concerns Persist in the Middle Market
Despite the heightened threat environment, MMBI survey respondents reported a drop in ransomware attacks and demands for the first time since RSM began collecting such data in 2018. Twenty-three percent of middle market executives disclosed that they experienced a ransomware attack or demand in the past year, down from 33% last year. Larger middle market companies reported a bigger drop in attacks with 29% this year compared to 43% in last year’s report, while 16% of smaller organizations suffered an attack or demand in contrast to 24% in 2021. While the number of attacks dropped, middle market leaders do not expect the ransomware threat to diminish, with 62% reporting they are at risk for a ransomware attack in the next 12 months, which increased from 57% last year.

The reported frequency of business takeover attempts has remained consistent over the last few years, and 2022 MMBI data is no different. Forty-five percent of respondents said that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, compared to 51% in 2021. RSM’s survey reported that 27% of those attempts to manipulate employees were successful over the last year, a considerable drop from 45% in 2021’s data. While business takeover attempts became less successful in the middle market, there is no end in sight to the potential threat. In the MMBI study, 73% said their organization is at risk of an attack by manipulating employees in the next 12 months, a slight increase over last year and the highest number ever recorded in the MMBI.

“We see businesses of all sizes encountering cyber threats, such as ransomware attacks. With the ongoing Russia-Ukraine conflict, the U.S. homeland and national security communities are urging businesses to take steps to protect their networks and partner with the government,” said Matthew Eggers, Vice President of Cyber Security Policy with the U.S. Chamber of Commerce. “The Chamber will continue to advocate for the importance of public-private partnerships, operational collaboration, and information sharing to increase our nation’s cybersecurity.”

Companies Taking Cyber Threats Seriously and Working to Respond
Organizations took a wide variety of actions in response to publicized data security breaches in the past year, including 61% updating security protocols, and nearly half reporting enhancing the security of existing remote workforce solutions and strengthening staff training and education efforts (49% each). Additionally, the RSM survey found that 61% of respondents currently utilize a cyber insurance policy to protect against internet-based risks, falling slightly from 65% in last year's report. In fact, this year’s survey revealed that two-thirds (67%) of respondents reported increased policy premiums compared with their prior period, with only 2% seeing a decrease.

“As cyberattacks rose in 2021, people became more cautious. Executives were more focused on understanding what was in their cyber insurance policies and working through them,” said Ghazi. “The rise in premiums for cyber insurance is also prompting many middle market organizations to take a closer look at their policy and the stipulations they need to adhere to.”

The cloud has also been an extremely valuable tool for the middle market, and almost every company uses the cloud in some way. Many organizations initially moved files and systems to the cloud to decrease reliance on on-premises servers and increase access and visibility to key data, but companies have found that the cloud is also an effective security tool. The MMBI data shows that 36% of middle market companies moved or migrated data to the cloud as a result of security concerns during the past year. That represents a drop from last year’s data when 40% reported transitioning data to the cloud. Among middle market executives who reported moving data to the cloud for security concerns, 90% believe the data residing in the cloud is more secure, representing a small increase from last year’s survey (88%).

With business takeover attacks capable of coming from many angles, middle market companies need to utilize several strategies to address them. Of the organizations surveyed that encountered unsuccessful attacks, 76% listed employees not acting on the fraudulent request as a reason for the failed breach, a 12% drop from last year’s survey. In addition, 65% of middle market executives said that secondary controls prevented the completion of an attack, and 53% acknowledged system controls that prevented delivery of fraudulent communications or materials to employees.

While implementing protective cybersecurity measures are an ongoing priority for the middle market, companies cannot lose sight of progressive legislative efforts toward enhanced data privacy. The European Union’s General Data Protection Regulation (GDPR) was developed and implemented in 2018 and has served as the model for several subsequent data privacy standards worldwide. Following the success of the GDPR, data privacy standards have slowly made their way to the U.S. As of early 2022, at least 16 individual states have implemented some form of data privacy laws, including comprehensive standards in California, Colorado and Virginia. Fifty-eight percent of executives in the MMBI survey said they are familiar with the requirements of the GDPR, up from 55% in 2021. Among the survey respondents familiar with GDPR requirements, 90% said that their organizations would likely have to comply with privacy legislation similar to the GDPR at a state or federal level in the U.S. during the next two years, a 2% decrease from last year’s data. Ninety-six percent of leaders in the survey who are familiar with the GDPR said preparing for emerging privacy regulations is a priority, almost identical to last year.

Considerations of a Global Economy
A significant number of U.S.-based companies have business interests in the U.K. or may be considering future expansion in the region. Understanding the risks at home is certainly important, but middle market organizations must also know the threats that are prevalent in the countries where they do business. This year’s report also explores comparisons to concerns and protective measures in the U.S. and the U.K. using new data from the RSM U.K. MMBI Cybersecurity Special Report. Key findings include that in 2021 more middle market leaders in the U.K. reported a data breach than in the U.S. (34% compared to 22%). However, while 72% of U.S. respondents expect unauthorized users to attempt to access data or systems in 2022, 67% of U.K. counterparts expect a breach attempt. The risks are high in both countries, but with reported breaches more than doubling in the past year, U.K. companies may need to implement additional controls or adjust cybersecurity strategies.

The survey data that informs the index reading was gathered between January 10 to January 31, 2022. To learn more about the middle market and the MMBI, visit RSM’s website.

About the RSM US Middle Market Business Index 
RSM US LLP and the U.S. Chamber of Commerce have partnered to present the RSM US Middle Market Business Index (MMBI). It is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The survey panel consists of approximately 1,500 middle market executives and is designed to accurately reflect conditions in the middle market.

Built in collaboration with Moody’s Analytics, the MMBI is borne out of the subset of questions in the survey that asks respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses.

The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead.

The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction.

About The U.S. Chamber of Commerce
The U.S. Chamber of Commerce is the world’s largest business organization representing companies of all sizes across every sector of the economy. Members range from the small businesses and local chambers of commerce that line the Main Streets of America to leading industry associations and large corporations.

They all share one thing:  They count on the U.S. Chamber to be their voice in Washington, across the country, and around the world. For more than 100 years, we have advocated for pro-business policies that help businesses create jobs and grow our economy.