The 10th annual RSM US Middle Market Business Index Special Report focused on Cybersecurity for 2025 has revealed concerning statistics regarding data breaches among middle market organizations in the U.S. According to the report, nearly 18% of these organizations reported having experienced a data breach in the past year. Despite this alarming figure, an overwhelming 97% of executives surveyed expressed confidence in the security measures currently in place at their firms.
Compiled by RSM US LLP in collaboration with the U.S. Chamber of Commerce, the report highlighted a significant drop in reported breaches from a record high of 28% in the previous year’s survey. Nevertheless, the evolving and complex nature of cyber threats necessitates that companies remain proactive in their cybersecurity initiatives. The data indicates varying levels of preparedness between smaller firms, which generate revenue between $10 million and $50 million, and larger organizations, with revenues ranging from $50 million to $1 billion.
The findings underscore a notable disparity in breach experiences: larger firms were twice as likely as their smaller counterparts to report a data breach. Specifically, 24% of larger organizations reported a breach, whereas only 12% of smaller firms did. The report also points to an alarming trend: smaller businesses show slower growth in cybersecurity budgets, staffing, and advanced implementations such as AI governance protocols, which are critical to modern threat mitigation.
Tauseef Ghazi, the National Leader for Security and Privacy at RSM US LLP, commented on the results, acknowledging the potential influence of external factors such as the Russia-Ukraine conflict. He suggested that while the decrease in reported breaches is promising, it is essential for companies to maintain vigilance, especially considering the rising complexity of cyberattacks. The integration of AI into malicious strategies presents an additional layer of challenge that firms must navigate.
The survey of 402 middle-market executives makes it clear that cybersecurity remains a high priority, as evidenced by the 91% of respondents anticipating an increase in their cybersecurity budgets in the coming year. The report advises companies to enhance their strategies by utilizing consultative resources to effectively drive automation and engineering solutions that reduce costs associated with cybersecurity challenges.
Another noteworthy trend is the rise in firms obtaining cyber insurance, which has reached a historic high of 82% of organizations surveyed. However, awareness of policy specifics has decreased, with only 69% of respondents feeling familiar with their coverage—down from 75% last year. This decline in understanding is particularly concerning among smaller businesses where awareness dropped significantly.
To further enhance their resilience, companies are implementing various strategies to mitigate business disruptions. These include crisis communication plans, business continuity strategies, and disaster recovery protocols crucial for maintaining operations. Despite these efforts, only a minority of firms—46% of larger businesses and 37% of smaller ones—reported collaborating with external partners to bolster coordinated resilience planning, which is a missed opportunity for shared defense against cyber threats.
Ransomware remains a significant concern, with 25% of middle-market executives reporting at least one ransomware incident in the prior year. The risk is heightened among larger companies, where 35% reported such events compared to 15% of smaller firms. Notably, 31% of those affected by ransomware stated their current security measures were ineffective against the attacks, underscoring the need for a thorough review of existing defenses.
Additionally, staffing challenges continue to plague the cybersecurity landscape, as organizations struggle to attract and retain qualified cybersecurity talent. The survey indicated that a significant proportion of companies operate with minimal dedicated data security staff, often necessitating the outsourcing of critical security functions. As more organizations seek to fill the talent gap, reliance on third-party services for areas such as cybersecurity risk management and incident response is growing.
The report’s findings reflect the broader cybersecurity challenges facing U.S. middle-market businesses. As these firms confront evolving threats, an understanding of MITRE ATT&CK tactics, ranging from initial access to privilege escalation, may provide valuable insights into strengthening their security postures against sophisticated adversaries. By addressing the gaps the report identifies, middle-market firms can better navigate the uncertain cybersecurity terrain ahead.