New RSM Report Reveals Cybersecurity Threats Are Continuing to Grow in the Middle Market
Survey found that middle market organizations faced a record number of data breaches in 2020, in part due to the COVID-19 pandemic
Middle market companies possess a significant amount of valuable data but continue to lack appropriate levels of protective controls and staffing, according to the RSM US Middle Market Business Index (MMBI) Cybersecurity Special Report released today from RSM US LLP (RSM), in partnership with the U.S. Chamber of Commerce. This year’s results revealed that 28% of middle market leaders claimed that their company experienced a data breach in the last year, a sharp rise from 18% in last year’s survey and the highest level since RSM began tracking data in 2015. Many leaders attributed this increase to challenges created by COVID-19.
According to the survey, 33% of middle market executives said they experienced a ransomware attack or demand in 2020, the highest number since ransomware became a focus of the data four years ago, and a 10% increase from last year. Fifty-one percent said that outside parties attempted to manipulate employees by pretending to be trusted third parties or company executives, a 2% increase from 2019. Additionally, 45% of social engineering attacks were successful last year, a spike from 28% in the previous year. Attempts were much more successful at larger middle market companies, with 67% reporting that manipulation attempts worked and 43% reporting a ransomware attack, compared to 19% and 24% at smaller organizations, respectively. Of the organizations that experienced a ransomware or social engineering attack, 67% said their business experienced an attack as an indirect result of the COVID-19 pandemic, with the most common attack based on exploiting vulnerabilities from employees working remotely.
“The pandemic altered the threat landscape in the middle market due to the rapid large-scale shift to a remote work environment and more dependency was placed on the internet to remain productive. Many companies simply did not have experience managing such a transition, and security vulnerabilities—even for a short amount of time—were almost inevitable,” said Tauseef Ghazi, RSM national leader of security and privacy services. “The middle market is still under immense pressure from hackers and that is not likely to change any time soon, but the tide may be slightly turning, as executives make adjustments to staffing, controls and security policies, and begin to see the benefits of those investments. Middle market leaders generally understand that they are not too small for criminals to ignore, and that keeping pace with security and privacy advancements can go a long way to discouraging and deflecting breach attempts.”
With the growing frequency of breach attempts and the unknown road back to normal in the wake of the pandemic, 64% of respondents anticipate that unauthorized users will attempt to access data or systems in 2021, a significant increase from 55% for expectations in both 2019 and 2020. The share of respondents who see the social engineering threat growing this year is the highest in survey history, with 70% saying their organization is at risk of an attack that manipulates employees in the next 12 months, an increase of 7% from last year. However, while the cyber threat continues to grow in size and scale, the middle market is responding by increasing its investment in a variety of protective measures, with 71% of respondents having a dedicated function focused on data security and privacy, which is consistent with last year’s findings.
Ongoing Efforts to Limit Cybersecurity Risks
“While some patterns of cybercriminals are hard to predict, one is highly predictable: when economies and societies go through massive change, bad actors will try to exploit cyber vulnerabilities. Americans have enough to worry about with economic uncertainty, health precautions, job losses and so forth, and we want to ensure business owners have the right tools to increase the security of their virtual working environments,” said Vincent Voci, executive director of cyber policy and operations at the U.S. Chamber of Commerce. “This annual report provides key data points, recommendations and expert opinions that will help midsized businesses better understand their risk profile and inform their risk management processes.”
The majority (93%) of middle market executives claim that they are confident in their current measures to safeguard data. Companies are showing some indications that they may be moving toward better controlling risks in the future or at least lessening their impact, with 90% of middle market leaders taking specific actions due to publicized data security breaches. With cyber risks increasing, companies have made security one of the top technology investment priorities, and one of the most in-demand skill sets. Organizations took a wide variety of actions in response to publicized data security breaches in the past year and updated existing processes. Most notably, 33% of middle market executives reported they added data security staff, a record high for this survey.
Training is recognized as one of the best defenses against hackers, and the majority of survey respondents (90%) said their organizations provide training to at least some employees on how to detect, identify and prevent attempts to gain unauthorized access, an 8% increase over last year’s data. Of the organizations that had unsuccessful social engineering attacks, 88% listed employees not acting on the fraudulent request as a reason for the failed breach. A consistent number of middle market executives are also using the cloud to increase data security. Forty percent detailed moving or migrating data to the cloud for security concerns in the past year, and 88% of executives who made the move believe the data stored there is more secure.
Cyber insurance has become a key pillar of an effective cybersecurity strategy, and given the increased number of attempted and successful breaches, it has never been more valuable to middle market companies. Sixty-five percent of respondents currently use a cyber insurance policy to protect against internet-based risks. And, in addition to the steady rise in coverage overall, more middle market executives know what their specific coverages are. Among middle market organizations that carry cyber insurance policies, 64% of executives reported that they are familiar with their cyber insurance policy coverage, a sharp increase from 48% last year.
Beyond the proactive measures companies are taking, data privacy and security continue to require an increasing amount of attention and focus from middle market leaders. Since the European Union’s General Data Protection Regulation (GDPR) was implemented in 2018, the U.S. has seen more than a dozen individual state data privacy laws go into effect, including the well-publicized California Consumer Privacy Act. Many middle market companies are subject to GDPR regulations, and awareness of the standard is growing. More than half (55%) of executives said they are familiar with the requirements of the law, a 16% increase from last year. With data privacy becoming more of a focus in the U.S., many middle market companies understand they will likely need to adhere to new laws in the near future, with 92% indicating their organizations will likely have to comply with privacy legislation similar to the GDPR at a state or federal level during the next two years, a 9% increase.
The Impact of an Increasingly Global Economy
With geographic boundaries less significant as the economy goes increasingly global, many U.S.-based companies already have business interests in the U.K., or may be considering future expansion to the region, prompting considerations regarding the future of cybersecurity in the U.K. This year’s report also explores comparisons to concerns and protective measures in the U.S. and the U.K. using new data from the RSM U.K. MMBI Cybersecurity Special Report. Among the key findings, one and a half times as many middle market executives in the U.S. as in the U.K. reported a ransomware attack in 2020, 33% compared to 22%. Additionally, 64% of U.S. respondents expect unauthorized users to attempt to access data or systems in 2021 compared to 73% in the U.K.
“We know many businesses here in the U.K. are facing significant challenges around managing the impact the pandemic has had. With employees working remotely and not being fully safeguarded by corporate infrastructures, recognizing and mitigating against cyber threats is more important than ever,” said Sheila Pancholi, technology risk assurance and cyber security partner at RSM U.K. “With U.S. middle market firms engaged in advanced digital transformation to help prepare for the future of cyber-crime, analysts believe that the ‘digital maturity’ of U.S. businesses is a few years ahead of their U.K. counterparts. In general, we see the average U.K. business being two to five years behind their average U.S. counterpart in this, though there are of course many exceptions to the average. With the digital expansion of U.K. businesses there will also, inevitably, be more potential points of cyber vulnerability.”
The survey data that informs the index reading was gathered between January 11 and January 29, 2021. To learn more about the middle market and the MMBI, visit the RSM website.
About the RSM US Middle Market Business Index
RSM US LLP and the U.S. Chamber of Commerce have partnered to present the RSM US Middle Market Business Index (MMBI). It is based on research of middle market firms conducted by Harris Poll, which began in the first quarter of 2015. The survey is conducted four times a year, in the first month of each quarter: January, April, July and October. The survey panel consists of 700 middle market executives and is designed to accurately reflect conditions in the middle market.
Built in collaboration with Moody’s Analytics, the MMBI is born out of the subset of questions in the survey that ask respondents to report the change in a variety of indicators. Respondents are asked a total of 20 questions patterned after those in other qualitative business surveys, such as those from the Institute of Supply Management and National Federation of Independent Businesses.
The 20 questions relate to changes in various measures of their business, such as revenues, profits, capital expenditures, hiring, employee compensation, prices paid, prices received and inventories. There are also questions that pertain to the economy and outlook, as well as to credit availability and borrowing. For 10 of the questions, respondents are asked to report the change from the previous quarter; for the other 10 they are asked to state the likely direction of these same indicators six months ahead.
The responses to each question are reported as diffusion indexes. The MMBI is a composite index computed as an equal weighted sum of the diffusion indexes for 10 survey questions plus 100 to keep the MMBI from becoming negative. A reading above 100 for the MMBI indicates that the middle market is generally expanding; below 100 indicates that it is generally contracting. The distance from 100 is indicative of the strength of the expansion or contraction.
About The U.S. Chamber of Commerce
The U.S. Chamber of Commerce is the world’s largest business federation representing the interests of more than 3 million businesses of all sizes, sectors, and regions, as well as state and local chambers and industry associations. For more information, visit uschamber.com and FreeEnterprise.com, like us on Facebook and follow us on Twitter.
About RSM US LLP
RSM’s purpose is to deliver the power of being understood to our clients, colleagues and communities through world-class audit, tax and consulting services focused on middle market businesses. The clients we serve are the engine of global commerce and economic growth, and we are focused on developing leading professionals and services to meet their evolving needs in today’s ever-changing business environment.
RSM US LLP is the U.S. member of RSM International, a global network of independent audit, tax and consulting firms with 51,000 people across 123 countries. For more information, visit rsmus.com, like us on Facebook, follow us on Twitter and/or connect with us on LinkedIn.