Nearly one-third (28%) of middle market business executives said their companies were hit by a data breach last year, up from 20% of respondents in the year earlier, according to the RSM U.S. Middle Market Business Index Special Report: Cybersecurity 2024.  

Fresh threats from criminals who have added artificial intelligence to their tools, corporate fatigue from constant cyber warnings and the ongoing shift of bad actors to focus more of their attention on mid-sized firms that are often more vulnerable drove the increase, RSM’s Tauseef Ghazi, national leader of security and privacy, said in a news release. The latest attack-level findings from the report, which has been done annually for nine years, tied the previous record reported in 2021. 

“While AI is available to the good guys it’s also available to the bad guys and AI is being used in various ways to create and deploy exploits faster so things that used to take 10 minutes, an hour to do are taking seconds with AI,” Ghazi said. “It’s speeding up the process of code-writing.”  

The report comes as alarm bells are increasingly being sounded about potential abuses of AI technology. Last month the National Security Agency warned in a report that the rapid adoption of AI tools is potentially making them “highly valuable targets” for malicious cyber actors.  

At the same time, defenses may also be down. The RSM report details increasing complacency on the part of middle market companies around cybersecurity. Part of that comes from many companies moving from on-premises tech systems to the cloud, where companies wrongly assume they’ll be fully protected, according to Ghazi. In addition, companies spent a lot of time moving to the cloud since the pandemic and many are short-staffed.  

“In working with clients and customers, there has been a fatigue with cybersecurity,” Ghazi said in a statement contained in the report, which noted the behavior harks back to the two-year period after the pandemic began. “We are not quite at that point, but we are dangerously close to it.” 

Separate from the rising use of AI tools and fatigue is a broader trend: over the past seven or so years many threat actors have refocused their attacks away from big companies to smaller firms, he said. 

“It went from very large organizations and complex breaches to very simple breaches,” Ghazi said, noting that more recently there’s been a shift to simple phishing attacks on smaller firms. “You send an email to someone in accounting, and they click a link, and now you’ve got access.” 

The findings are based on responses from 430 middle market executives, including CFOs and chief information officers, and was conducted online Jan. 8 to Feb. 16. The middle market firms ranged from companies with revenue from $10 million to $1 billion.