New RSM Research Explores Cybersecurity Concerns and Vulnerabilities for Middle Market Businesses

The survey revealed that the middle market is confident in cybersecurity protections yet remains among the most vulnerable to attacks.



Middle market leaders increasingly recognize the heightened risk of cyber threats and data breaches that are continuing to capture headlines, but fail to realize they are prime targets for cyber attacks. That’s according to results from the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report released today from RSM US LLP (“RSM”), in partnership with the U.S. Chamber of Commerce.

The report found that 15 percent of middle market executives indicated that their companies experienced a data breach in the last year, up from 13 percent in 2018 and a significant jump from 5 percent just four years ago. Additionally, more than half (55 percent) of respondents believe that an attempt to illegally access their company’s data or systems is likely in 2019, an increase from 47 percent in 2018. Larger middle market organizations continue to be most at risk for cybercrime, as many have high volumes of valuable data but don’t have the robust security resources of their large-cap peers, making them exceedingly attractive to cybercriminals.

In terms of the types of attacks, ransomware has become the most popular breach method for cyber criminals – evolving from a nuisance to a major threat because of its highly targeted nature. RSM found that over one-third of middle market executives (35 percent) know someone who has suffered a ransomware attack, compared to 31 percent in 2018, while 20 percent have suffered an attack themselves, a two percentage point increase from last year. Social engineering has also become prevalent, with 42 percent of executives reporting social engineering attempts on their organizations from outside parties.

However, while executives are taking notice of looming cyberthreats, and the number of reported breaches has tripled over the last five years, the majority (93 percent) are confident in their organization’s security measures, which is likely due to increased investments in cybersecurity tools and initiatives. This growing confidence of middle market leaders conflicts with rising concerns, and research shows that companies need to remain diligent.

“One of the most apparent trends from the report is the confidence middle market leaders have in the effectiveness of their security controls,” said Daimon Geopfert, principal and national leader of security & privacy services with RSM US LLP. “While the headlines may focus on the breaches experienced by large corporations, the glaring reality is that the often-overlooked middle market is a prime target. The jeopardy to this sector is growing, and firms must ensure that security investments, controls and communication align with rising threats.”

Responding to a Rapidly Evolving Regulatory Environment

A growing number of countries and states are beginning to enact cybersecurity legislation to mitigate risk and strengthen data protection. Many middle market companies are required to comply with the European Union’s General Data Protection Regulation (GDPR), and legislation is already emerging in the U.S., led by the California Consumer Protection Act, which is scheduled to take effect in 2020.

These regulations are expected to impact the middle market, yet companies have been slow to develop GDPR-compliant privacy processes. In fact, only 40 percent of respondents are familiar with the requirements of the GDPR law or other privacy regulations.

It is imperative for middle market companies to start building familiarity with existing regulations now, so these policies can serve as a helpful foundation to prepare for what is certain to be an active future for data privacy.

Cyber Insurance: Future-Proofing Security

To combat the repercussions that cybercrime threats like ransomware can have on organizations’ financials and operations, cyber insurance has become an effective and critical solution.

More than half (57 percent) of middle market executives surveyed carry cyber insurance to mitigate risk, a five percentage point increase from 2018. While the usage of cyber insurance is gaining momentum and popularity, many executives do not have a full understanding of their policies and coverage. In fact, the survey reveals that 41 percent of the companies that carry policies are somewhat familiar or not at all familiar with their coverage levels.

“Executing a cyber insurance policy is important to limit exposure, and it’s encouraging that there has been an uptick in implementation among middle market firms,” said Ken Stasiak, consulting principal with RSM US LLP. “But companies must also remember to periodically evaluate any existing insurance policies to account for evolving and emerging risks.”

As cyber attacks continue to grow in severity, scope and scale, executives must stay aware of potential vulnerabilities and understand the most effective methods to alleviate the risk. The most effective cybersecurity strategies will protect data, identify and address threats, and scale to encompass emerging technology, business expansion and other challenges.

The survey data that informs the index reading was gathered between January 14 and February 1, 2019. To learn more about the middle market and the MMBI, visit the RSM website.

About the RSM US Middle Market Business Index

RSM US LLP and the U.S. Chamber of Commerce have partnered to present the RSM US Middle Market Business Index (MMBI). It is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The survey panel consists of 700 middle market executives and is designed to accurately reflect conditions in the middle market.

Built in collaboration with Moody’s Analytics, the MMBI is born out of the subset of questions in the survey that ask respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses.

The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead.

The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal-weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction. The MMBI Cybersecurity Special Report also includes data from the NetDiligence® 2018 Cyber Claims Study.

RSM’s purpose is to deliver the power of being understood to our clients, colleagues and communities through world-class audit, tax and consulting services focused on middle market businesses. The clients we serve are the engine of global commerce and economic growth, and we are focused on developing leading professionals and services to meet their evolving needs in today’s ever-changing business environment.

RSM US LLP is the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with 48,000 people across 120 countries. For more information, visit rsmus.com, like us on Facebook, follow us on Twitter and/or connect with us on LinkedIn.