Kimberly Bartok, Enterprise Public Relations Leader, kim.bartok@rsmus.com, 212.372.1239
Andreia DeVries, Enterprise Public Relations Manager, andreia.devries@rsmus.com, 919.645.6821
for media use only
CHICAGO – (May 25, 2023) – Cybersecurity attacks remain a risk to middle market businesses as the threat environment evolves with ongoing geopolitical tensions, economic uncertainty and the lingering effects of the COVID-19 pandemic, according to the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report, presented by RSM US LLP (“RSM”) in partnership with the U.S. Chamber of Commerce.
The RSM MMBI survey shows that while breach risks remain elevated, the number of reported breaches has fallen slightly for the second-straight year. Twenty percent of middle market executives reported their company experienced a data breach in the last year, representing a slight decline from 22% a year ago. Despite the decline in reported breaches, the amount is still twice as high as it was seven years ago. The number of executives at smaller middle market companies ($10 million to less than $50 million in revenue) that reported a breach remained consistent with last year’s data (12%), while larger organizations ($50 million to $1 billion in annual revenue) reported a decline in breaches (30% in 2022 to 28% this year).
“While cybersecurity threats have been a concern for years, the biggest amount of digital transformation that you could have imagined in the middle market has taken place because of the COVID-19 pandemic,” said Tauseef Ghazi, national leader of security and privacy with RSM US LLP. “The pandemic resulted in a seismic shift in the entire business environment, with aftereffects still being felt today. But with those dramatic changes, middle market companies have also made strategic process changes that show how seriously they are taking cybersecurity. In 2020, middle market companies were scrambling to find and implement solutions. In 2021, companies were working through their new environments and making necessary adjustments. Now, three years since the start of the pandemic, everything is up and running and it’s a new way of managing the business.”
The MMBI survey results show that middle market businesses are taking proactive steps to mitigate cybersecurity threats, as indicated by the 68% of respondents who stated they currently utilize a cyber insurance policy to protect against internet-based risks. This is an increase from 61% in last year’s report. A closer look at the data shows that the number of smaller middle market companies with cyber insurance increased to 67% from 65% in 2022, while larger companies that reported carrying a policy jumped significantly to 70% this year from 57% in 2022.
The report details relevant middle market cybersecurity insights and data privacy trends, along with tactics organizations can use to strengthen security and privacy programs.
Ransomware Attacks and Business Takeover Threats Increasing, Employee Manipulation Tactics a Key Concern
Consistent with previous years, ransomware remains the primary cybersecurity threat to the middle market, with attacks resulting in several layers of harmful consequences. In this year’s MMBI data, 35% of middle market executives disclosed that they experienced a ransomware attack or demand, up from 23% last year. Larger middle market companies reported a sizable increase in attacks with 54% this year compared to 29% in last year’s report, while smaller organizations saw a slight decline in incidents to 13% from 16% last year.
Business takeover threats are among the most persistent and pervasive cybersecurity attacks on middle market companies. The reported frequency of business takeover attempts increased significantly in this year’s data, with 58% of middle market executives indicating that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, compared to 45% last year. Executives at smaller middle market companies reported a small increase in attacks to 53% this year from 51% in 2022, while larger companies indicated a sharp jump in incidents to 63% from 40%.
Surveyed executives also reported that 48% of attempts to manipulate employees were successful over the last year, a considerable increase from 27% in 2022’s data. Larger middle market organizations showed the largest increase, reporting a 68% success rate for attacks, compared to 38% just last year. Smaller middle market companies reported a small increase this year, up to 21% from 15%.
Companies Taking Cyber Threats Seriously and Continuing to Respond
Most middle market companies understand the value of training as a defense against business takeover attacks, with 89% of executives reporting their organization provides training to at least some employees on how to detect, identify and prevent attempts to gain unauthorized access, consistent with last year’s data. Larger middle market companies appear to offer training to more employees, with 97% providing training to some or all employees, compared to 81% of smaller counterparts.
Additionally, confidence in cybersecurity strategies remains very high in the middle market. For the second-straight year, 96% of respondents were confident in their current measures to safeguard data, matching last year’s record high. RSM attributes some of the high confidence to the increase in cloud adoption as well as an apparent shift in strategy to invest in more cybersecurity resources. The number of executives who reported a dedicated function focused on security and privacy increased significantly to 77% this year, up from 60% in last year’s survey.
Many middle market companies also appear to have changed their reporting structure in the last year. In this year’s survey, 40% of executives reported that the person most responsible for data security and privacy reports directly to the CEO, an increase from 25% last year. That number fell slightly at smaller middle market companies (38% in 2022 to 33% in 2023), while it rose significantly at larger organizations (16% to 43%).
“According to a recent U.S. Chamber report, regulation, including cyber specific regulation, has dramatically increased over the last decade,” said Vincent Voci, vice president, cyber policy and operations at the U.S. Chamber of Commerce. “While the pace of government regulations has increased, so too have cyber threats against the public and private sectors. Despite a flurry of regulations, we have not, in fact, regulated our way to a safer, more secure cyberspace. Midsize businesses should monitor regulations along four categories of cyber public policy risk in particular, including sector specific cybersecurity regulations, incident reporting or public disclosure, common cybersecurity standards, and state-by-state approaches to cybersecurity regulations.”
Only 57% of executives in the survey said they are familiar with the requirements of the European Union’s General Data Protection Regulation (GDPR). This indicates a plateau from 58% in 2022, despite increased awareness and enforcement activity. Consistent with past years, respondents from larger organizations were more familiar with GDPR requirements than those at smaller organizations—84% versus 28%.
With the expansion of privacy laws and regulations across the United States, the majority of middle market businesses understand they will likely need to adhere to compliance obligations in the near future. Among RSM survey respondents familiar with GDPR requirements, 90% said their organizations would likely have to comply with privacy requirements similar to the GDPR at a federal or state-level in the United States during the next two years. Ninety-six percent of executives who are familiar with the GDPR said preparing for emerging privacy laws and regulations is a priority, identical to last year’s response.
The survey data that informs this index reading was gathered from 406 respondents between January 9 and January 30, 2023.
About the RSM US Middle Market Business Index
RSM US LLP and the U.S. Chamber of Commerce have partnered to present the RSM US Middle Market Business Index (MMBI). It is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The survey panel consists of approximately 1,500 middle market executives and is designed to accurately reflect conditions in the middle market.
Built in collaboration with Moody’s Analytics, the MMBI is born out of the subset of questions in the survey that asks respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses.
The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead.
The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction.
About The U.S. Chamber of Commerce
The U.S. Chamber of Commerce is the world’s largest business organization representing companies of all sizes across every sector of the economy. Members range from the small businesses and local chambers of commerce that line the Main Streets of America to leading industry associations and large corporations.
They all share one thing: They count on the U.S. Chamber to be their voice in Washington, across the country, and around the world. For more than 100 years, we have advocated for pro-business policies that help businesses create jobs and grow our economy.
RSM is the leading provider of professional services to the middle market. The clients we serve are the engine of global commerce and economic growth, and we are focused on developing leading professionals and services to meet their evolving needs in today’s ever-changing business landscape. Our purpose is to instill confidence in a world of change, empowering our clients and people to realize their full potential.
RSM US LLP is the U.S. member of RSM International, a global network of independent assurance, tax and consulting firms with 64,000 people in 120 countries. For more information, visit rsmus.com, like us on Facebook, follow us on X and/or connect with us on LinkedIn.