Cybersecurity Concerns Persists Despite Slight Decrease in Breaches

Nearly one in five (18%) middle market organizations experienced a data breach in the last year, though almost all (97%) surveyed executives reported feeling confident in their current security measures. The 10th annual RSM US Middle Market Business Index Special Report: Cybersecurity 2025 found that while reported breaches fell significantly after reaching a record-high of 28% in the 2024 survey, companies must remain diligent in their cybersecurity efforts amid an environment of constantly emerging and evolving threats. The survey of 402 middle market executives in the U.S. shows that firms are prioritizing cybersecurity, as underscored by the 91% of respondents who said they expect their organization’s cybersecurity budget to increase in the year ahead. The RSM report recommends that firms ensure their cybersecurity investment strategies are effective by not overlooking consultative resources that could help drive automation with better engineering to solve problems at a lower cost.

The survey data indicates that smaller middle market firms appear to lag their larger counterparts in cybersecurity budgets and staffing, as well as in identity and access management, and implementing advanced AI governance protocols.

• Smaller middle market firms are less likely to have a cyber insurance policy, with 51% of respondents reporting no coverage, compared to 42% of larger firms.
• Smaller middle market firms also have smaller cybersecurity teams, with 36% having 0-5 employees, compared to 11% of larger firms.
• Only 37% of smaller middle market firms reported collaborating with external partners such as suppliers and regulators for coordinated resilience planning.

Ransomware, Staffing and AI Governance Challenge the Middle Market

Ransomware continues to be a significant threat to the middle market, and 25% of surveyed executives reported experiencing at least one ransomware attack or demand in the previous 12 months. The data indicates that larger middle market companies are more at risk, with 35% of respondents in this segment reporting at least one attack or request, compared to 15% of smaller middle market organizations. Among companies that experienced at least one ransomware attack in the past year, 31% said existing security measures were unsuccessful, 28% said they were partially successful and 41% said they were completely successful. The survey data showed minimal differences in the effectiveness of ransomware defenses between smaller and larger middle market companies. Staffing represents another significant challenge that is projected to persist as qualified cybersecurity talent is difficult to attract and expensive to retain. Thirty-three percent of respondents indicated they have five or fewer data security and privacy employees. While most respondents from smaller companies cited having 0-5 internal personnel focused on data security and privacy, 36% of larger organizations reported having 6-10 employees and another 36% said they have 11-15 employees. To help fill the gap, some middle market organizations are outsourcing cybersecurity functions, with 51% stating they outsourced cybersecurity risk and compliance management. Other leading functions outsourced by respondents include cyber incident response and forensics (46%), the security operations center (46%), security awareness training (44%) and vulnerability management (44%).

1. Firms are prioritizing cybersecurity, with 91% of respondents saying they expect their organization’s cybersecurity budget to increase in the year ahead.
2. 82% of firms reported carrying a cyber insurance policy, a record-high in the history of the report.
3. 50% of firms said they are developing communications plans for crises or disruptions, and 51% said they are developing and maintaining a business continuity plan.
4. Half (50%) of firms are implementing disaster recovery plans for critical systems.

Award-Winning Report

The RSM report provides insights into cybersecurity trends, strategies and concerns shaping the marketplace for midsize businesses, noting differences between smaller and larger middle market organizations. Few differences were reported by Canadian middle market firms, with notable differences in cyber insurance coverage and AI governance steps. “We need to understand and incorporate advanced technologies to bolster our cyber posture,” said Christopher D. Roberti, Senior Vice President for Cyber, Space and National Security Policy at the U.S. Chamber of Commerce. “A collaborative approach to cybersecurity, emphasizing public-private partnerships and industry-led standards, is crucial to enhance our collective security and resilience.”
“While this year’s survey results are encouraging, the drop in reported breaches may be attributed to normalization following a spike in 2024 due to the sanctions and disruption in the financial network related to the Russia-Ukraine conflict,” said Tauseef Ghazi, national leader of security and privacy with RSM US LLP. “With the increasing complexity of attacks, it’s also possible that some companies may not have identified the presence of an attacker in their systems. This means continued vigilance is necessary, especially with the augmentation of AI to support malicious activities.”
“As the cyber landscape continues to evolve, it’s more important than ever for businesses to understand and incorporate advanced technologies to bolster their cyber posture,” said Christopher D. Roberti. “A collaborative approach to cybersecurity, emphasizing public-private partnerships and industry-led standards, is crucial to enhance our collective security and resilience.”
The survey data that informs this index reading was gathered between Jan. 6 and Jan. 27, 2025 in the U.S. and between Jan. 17 and Jan. 29 in Canada.

References

“We need to understand and incorporate advanced technologies to bolster our cyber posture,” said Christopher D.