While cybersecurity breaches at large corporations and government entities tend to grab headlines, the middle market has become the prime target for hackers and cybercriminals. Unfortunately, many companies exhibit a false sense of security and overestimate their internal controls, creating vulnerabilities at a time when threats from external and internal parties are evolving and increasing.
The recent RSM US Middle Market Business Index: Cybersecurity Special Report outlines the severity of threats to middle-market businesses, what sectors are most susceptible and how to respond to emerging risks. While the study finds that companies are fundamentally confident in the effectiveness of internal security measures, 13 percent of respondents claim to have suffered a data breach in the last year—up from just 5 percent three years ago.
There is no denying that the middle market is a focus for cybercrime, but larger midmarket companies are specifically in the crosshairs of hackers. The survey finds that 19 percent of larger middle-market organizations ($50 million-$1 billion in revenue) suffered more than double the number of breaches that their smaller ($10 million-$50 million) counterparts did.
The upper middle market represents the intersection of opportunity and vulnerability, as hackers generally believe that information at smaller organizations may not hold significant value, and larger companies have likely heavily invested in security.
In addition to the shift in targets, cybercrime tactics have also evolved, with hackers realizing that stealing data is not the most efficient strategy. Data theft certainly still occurs, but hackers now see more direct gain from ransomware attacks that hold key systems hostage and demand large sums to unlock them. Forty-one percent of middle-market executives consider themselves likely targets for a ransomware attack; those at larger middle-market companies (15 percent) were more than twice as likely as those at smaller companies (7 percent) to view the threat as very likely.
Cyber liability insurance policies are a key—although potentially underutilized—strategy to lessen the blow of a potential cybersecurity incident. When coupled with a comprehensive security program, cyber insurance can be very effective, protecting servers and technology systems, and offsetting the financial, operational and reputational implications of an incident.
For many middle-market companies, cyber insurance is the main reason they were able to stay in business following an incident. Unfortunately, only 52 percent of the respondents in the survey carry a cyber insurance policy, and only 53 percent of those companies understand their level of coverage.
Companies are generally confident that a breach won’t happen to them, either because they think they are too small, or that their data and operations are secure. But in many cases, it’s not a matter of if a breach occurs, but when. Organizations must realistically evaluate their security posture and implement protective measures, because breach response costs can be excessive and damaging for unprepared organizations.