RSM: Data breaches are on the decline, but organizations can't get complacent

April 18, 2025
Companies must remain diligent in their cybersecurity efforts amid an environment of constantly emerging and evolving threats.

The 10th annual RSM US Middle Market Business Index Special Report: Cybersecurity 2025 found that nearly one in five (18%) middle market organizations experienced a data breach in the last year, though almost all (97%) surveyed executives reported feeling confident in their current security measures.

The special report, presented by RSM US LLP (RSM) in partnership with the U.S. Chamber of Commerce, notes that while reported breaches fell significantly after reaching a record high of 28% in the 2024 survey, companies must remain diligent in their cybersecurity efforts amid an environment of constantly emerging and evolving threats.

The RSM report provides insights into cybersecurity trends, strategies, and concerns shaping the marketplace for midsize businesses, noting differences between smaller ($10 million to less than $50 million in revenue) and larger ($50 million to $1 billion in revenue) middle market organizations.

For instance, larger companies were twice as likely as smaller companies to suffer a breach in the past year, with 24% of respondents in this segment reporting a breach compared to 12% of respondents from smaller firms. The data also shows that smaller middle-market firms appear to lag their larger counterparts in cybersecurity budgets and staffing, as well as in identity and access management and implementing advanced AI governance protocols.

“While this year’s survey results are encouraging, the drop in reported breaches may be attributed to normalization following a spike in 2024 due to the sanctions and disruption in the financial network related to the Russia-Ukraine conflict,” said Tauseef Ghazi, National Leader of Security and Privacy with RSM US LLP. “With the increasing complexity of attacks, it’s also possible that some companies may not have identified the presence of an attacker in their systems. This means continued vigilance is necessary, especially with the augmentation of AI to support malicious activities.”

Firms Continue Investing in Business Continuity and Resiliency Strategies

The survey of 402 middle-market executives in the U.S. shows that firms are prioritizing cybersecurity, as underscored by the 91% of respondents who said they expect their organization’s cybersecurity budget to increase in the year ahead. The RSM report recommends that firms ensure their cybersecurity investment strategies are effective by not overlooking consultative resources that could help drive automation with better engineering to solve problems at a lower cost.

The share of firms that reported carrying a cyber insurance policy also reached a record high in the history of the report, rising to 82% from 76% a year ago. Despite that increase, respondents' familiarity with their policy coverages dropped to 69% from 75% in the 2024 data. This decline is most pronounced among smaller firms, as positive responses for this segment decreased to 51% from 66% last year.

In addition to cyber insurance, companies are implementing strategies to limit business disruptions. Fifty-two percent of respondents said they are developing communications plans for crises or disruptions, 51% said they are developing and maintaining a business continuity plan, and half (50%) are implementing disaster recovery plans for critical systems. When segmented by firm size, the top continuity strategy for larger firms is leveraging technology to hunt for threats and respond to cyber events (47%). Of note, only 46% of larger and 37% of smaller middle market companies reported collaborating with external partners such as suppliers and regulators for coordinated resilience planning.

“As the cyber landscape continues to evolve, it’s more important than ever for businesses to understand and incorporate advanced technologies to bolster their cyber posture,” said Christopher D. Roberti, Senior Vice President for Cyber, Space and National Security Policy at the U.S. Chamber of Commerce. “As we enter this new era of risk and uncertainty, the U.S. Chamber is advocating for a collaborative approach to cybersecurity, emphasizing the importance of public-private partnerships and industry-led standards to enhance our collective security and resilience.”

Ransomware, Staffing, and AI Governance Challenge the Middle Market

Ransomware continues to be a significant threat to the middle market, and 25% of surveyed executives reported experiencing at least one ransomware attack or demand in the previous 12 months. The data indicates that larger middle-market companies are more at risk, with 35% of respondents in this segment reporting at least one attack or demand, compared to 15% of smaller middle-market organizations.

Among companies that experienced at least one ransomware attack in the past year, 31% said existing security measures were unsuccessful, 28% said they were partially successful, and 41% said they were completely successful. The survey data showed minimal differences in the effectiveness of ransomware defenses between smaller and larger middle-market companies.

Staffing represents another significant challenge that is projected to persist as qualified cybersecurity talent is difficult to attract and expensive to retain. Thirty-three percent of respondents indicated they have five or fewer data security and privacy employees. While most respondents from smaller companies cited having 0-5 internal personnel focused on data security and privacy, 36% of larger organizations reported having 6-10 employees, and another 36% said they have 11-15 employees.

To help fill the gap, some middle-market organizations are outsourcing cybersecurity functions, with 51% stating they outsourced cybersecurity risk and compliance management. Other leading functions outsourced by respondents include cyber incident response and forensics (46%), the security operations center (46%), security awareness training (44%), and vulnerability management (44%).

The survey data also implies that AI governance could be a weak spot for middle-market firms, especially smaller organizations. Notably, 34% of smaller middle-market companies said that AI governance steps are not yet in place, indicating they are either not yet using AI or that their data is likely at an elevated risk if they are using AI.

Few Differences Reported by Canadian Middle Market Firms

This year’s special report also includes segmented findings from 101 Canadian middle market executives who completed the MMBI survey. While many findings were similar to those in the U.S., a few notable differences were identified. Canadian firms are less likely to have cyber insurance coverage than U.S. companies (68% versus 82%). A smaller share of Canadian firms indicate they don’t have AI governance in place compared to U.S. respondents (5% versus 20%), likely due to Canada’s efforts to regulate AI at the federal level. On average, Canadian respondents have larger cybersecurity teams, with 39% saying they have 16 or more employees, compared to 11% in the U.S.

Additional Insights and Industry Perspectives in Full Report

The cybersecurity special report delves into firms’ digital identity strategies and other preventive measures, as well as their cloud migration progress. It also explores cybersecurity dynamics in several industries, including consumer products, energy, financial services, health care, life sciences, manufacturing, private equity, real estate, retail, technology, and telecom. Industry insights can be found in the full report.

The survey data that informs this index reading was gathered between Jan. 6 and Jan. 27, 2025, in the U.S. and between Jan. 17 and Jan. 29 in Canada.