Cybercrime has become a reality for the middle market. While major cyber incidents and data breaches at large corporations such as Marriott and Facebook continue to capture global headlines, middle market companies are starting to recognize that they are often the prime target for cybercriminals. In the past, midsized companies often held the perception that they were too small to be a target for hackers. However, with rising concern across the board about several types of cybersecurity attacks uncovered in the RSM US Middle Market Business Index survey, these companies are starting to take notice.
According to first quarter 2019 MMBI data, 15 percent of middle market C-suite executives said their companies experienced a data breach in the last year, up from 13 percent in 2018 and a significant jump from 5 percent just four years ago. Larger middle market organizations continue to be most at risk, with high volumes of valuable data to attract cybercriminals, but lacking the robust security resources of their large-cap peers. However, the focus on data breaches can be misleading, as the term data breach typically entails a cyber incident resulting in stolen sensitive data. A wide variety of cyber incidents do not result in theft of data, such as ransomware, which interrupts business operations, or types of social engineering that could cause the direct theft of funds from bank accounts.
Over half of middle market executives surveyed indicated it is likely that unauthorized users will attempt to access their organization’s data or systems in 2019. In an effort to protect their firms and individual users against cybersecurity threats, more than half of midsized companies report carrying cyber insurance. However, among those organizations with coverage, only 43 percent of executives claim familiarity with policy details. In addition to cybersecurity challenges, emerging data privacy regulations are requiring organizations to make a significant shift in how they collect and store data. The European Union’s General Data Privacy Regulation, known as GDPR, took effect in May 2018. Similar legislation is emerging in the United States, led by the California Consumer Protection Act, and congressional hearings have discussed regulation at the federal level. The new laws do not focus on how companies protect data, but rather why they have it in the first place, and these regulations create an array of new business challenges for organizations highly reliant on customer data.
Cybersecurity threats to the middle market are very broad and evolving. RSM’s survey shows that criminals show no signs of backing down in the middle market, but they are slowly shifting from attacks meant to steal data to those meant to extract payment directly from the victim. Attacks come by several means: forcing the victim to pay a ransom, stealing funds by compromising corporate bank accounts or tricking the victim into making fraudulent payments. With generally limited resources, middle market organizations must place a premium on awareness and benchmarking to help mitigate the threat of cybersecurity attacks and to comply with data privacy regulations.
Despite more middle market companies experiencing a data breach or other cyber incident in the last year, and rising levels of concern over future attacks, almost all of the executives polled in RSM’s research are confident in their current security measures. RSM’s survey found that 93 percent of middle market executives are confident in their organization’s measures to safeguard sensitive customer data or their own environments for the second consecutive year. While the number of reported breaches has tripled over the last five years, the level of confidence expressed by executives has actually grown by 18 points. This creates a potentially dangerous situation where executives have a false sense of security, seeing their peers falling victim to attacks but fully believing that “it can’t happen to us.”
Increased spending on information security is one potential reason for a high level of confidence. We have found that middle market companies are indeed making larger cybersecurity investments, but many need to implement more defined plans to ensure the right products and services are chosen and appropriate changes are made to their environment and business processes.
In addition, many middle market companies have aligned their processes to an established information technology security framework, whether due to regulatory compliance obligations or in an effort to improve their security posture. However, while mapping controls and functions to one of these frameworks is an effective first step, it does not mean that an organization is fully secure. These standards are meant to provide a strong foundation for information security, but companies must also consider several additional elements based on their specific industry and business objectives. Adopting a security framework can provide a sense of security, but not further adjusting it to the business can create security gaps.
Finally, communication breakdowns can occur among executives, the board and the people on the ground who are implementing security processes and controls. Sometimes what is communicated to the board is a vastly different view than the perception of security inside the data center. Organizations must ensure their stakeholders are on the same page from top to bottom to properly understand and address potential security issues.
RSM has developed this report to provide insights into relevant middle market cybersecurity and data privacy trends, and to highlight steps companies can take to enhance security and privacy efforts. Our research shows that the threat to the middle market is growing, but organizations have only become more confident in current protections. Generally, companies have taken steps to improve cybersecurity, but criminals are becoming more sophisticated and determined. Cyberthreats are going to continue to evolve and attackers will continue to get smarter. Middle market businesses must ensure that security investments, controls and communications align with rising threats, and that current actions do not create a false sense of security.
Information for this article was provided by RSM US LLP. If you are interested in reading more about the top cyber threats facing the middle market, download the full report today at RSMUS.com.