Cybersecurity and Building Resilience for Midsize Businesses

Cyber | Article | October 16, 2025

Midsize businesses face major cyber risks. Building resilience with NIST CSF and cyber insurance is essential for protection and rapid recovery.

Cyberattacks are now among the top risks facing midsize businesses in today’s digital world. While cyberattacks against large corporations dominate headlines, midsize organizations are just as vulnerable—sometimes even more so, due to limited cybersecurity resources and underestimation of risk. In fact, 60% of small businesses close within six months of a successful cyberattack.1

The Expanding Threat Landscape

Midsize businesses face wide-ranging threats including data theft, ransomware, Business Email Compromise (BEC), and vulnerabilities introduced by third-party vendors. The shift to digital tools and increased connectivity (including IoT devices and networked equipment) has expanded the “attack surface” that cybercriminals can exploit.

Common weaknesses and attack vectors include:

  • Phishing and social engineering attacks
  • Supply chain and third-party vulnerabilities
  • Cloud environment misconfigurations
  • Legacy systems, including outdated or unpatched software
  • Insider threats, including both malicious insiders and negligent employees
  • Mobile devices, laptops and bring-your-own-device (BYOD) arrangements that are not properly secured

Ransomware and Business Email Compromise (BEC) attacks are especially damaging. Ransomware encrypts critical data to cut off access (and increasingly exfiltrates it first, so that restoring from backup alone does not end the extortion), while BEC deceives employees into divulging sensitive information or passwords, or into authorizing fraudulent funds transfers. In today’s environment, a proactive, continuously monitored (24/7) security posture is no longer optional; it is essential.

Strengthening Resilience: The NIST Cybersecurity Framework (NIST CSF)

To combat these evolving threats, IT security and risk management professionals should adopt risk-based cybersecurity practices and controls to mitigate financial loss and strengthen operational resilience.

The National Institute of Standards and Technology (NIST) publishes the Cybersecurity Framework (CSF), a comprehensive set of guidelines for managing cyber risk.2 The most recent version, NIST CSF 2.0, released in February 2024, introduces key updates that underscore the importance of strategic oversight, leadership engagement and organization-wide governance for an effective cybersecurity strategy.

The NIST framework focuses on six core functions that form a continuous cycle of cybersecurity risk management:

Identify

Conduct a comprehensive assessment of all potential cyber risks and network entry points across the organization. This includes identifying critical assets, modeling threats, analyzing vulnerabilities, and evaluating the likelihood and impact of various scenarios. Risk assessments should be structured, iterative, and aligned with the organization’s risk appetite. If in-house expertise is limited, engaging external cyber risk professionals can ensure a thorough and effective evaluation.

Protect

Deploy layered safeguards such as firewalls, access controls, employee training and up-to-date malware defenses to prevent cyber intrusions. A “defense-in-depth” strategy should span technical, administrative and physical domains, tailored to protect critical assets and business processes. Use risk assessment outcomes to prioritize mitigation efforts. Managing user access (least privilege, and multifactor authentication on email and remote access, which directly blunts BEC) and monitoring communication flows for known ransomware signatures can help block malicious traffic, bearing in mind that signatures only catch strains already known to the vendor. For midsize businesses, reliable cybersecurity solutions are available to counter increasingly sophisticated threats. Importantly, employee training is essential, as many attacks begin with phishing emails or infected attachments inadvertently opened by employees.

Detect

Implement continuous monitoring to identify suspicious activity and potential cyber intrusions in real time. This involves deploying tools that can detect anomalies as they occur, enabling swift investigation and response. A range of vendors offer network monitoring solutions tailored to different business needs. When an event is detected, organizations must act quickly to assess its scope, determine its impact and communicate effectively with relevant stakeholders.
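As an added illustration (not code from the original article or from NIST), the following Python script runs two simple detection rules over constructed log lines of the kind a midsize business already has in its authentication and file-server logs: a burst of failed logins followed by a success from the same source, and one user renaming many files within a short window, which is what ransomware encryption looks like from the file server’s point of view. The log format, field names, user names, IP addresses and thresholds are all assumptions made for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format (constructed for this example, not any real product's):
#   "<ISO timestamp> <EVENT> user=<name> src=<ip> [path=<file>]"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>[A-Z_]+) user=(?P<user>\S+) src=(?P<src>\S+)"
    r"(?: path=(?P<path>\S+))?$"
)

# Constructed sample log lines: a brute force that succeeds against jdoe,
# normal activity by asmith, a rename burst by jdoe, and a slow, spread-out
# login attack on bwong that stays under the window.
SAMPLE_LOGS = [
    "2025-10-16T09:00:01 LOGIN_FAIL user=jdoe src=203.0.113.7",
    "2025-10-16T09:00:03 LOGIN_FAIL user=jdoe src=203.0.113.7",
    "2025-10-16T09:00:05 LOGIN_FAIL user=jdoe src=203.0.113.7",
    "2025-10-16T09:00:06 LOGIN_FAIL user=jdoe src=203.0.113.7",
    "2025-10-16T09:00:08 LOGIN_FAIL user=jdoe src=203.0.113.7",
    "2025-10-16T09:00:10 LOGIN_OK user=jdoe src=203.0.113.7",
    "2025-10-16T09:01:00 LOGIN_OK user=asmith src=198.51.100.4",
    "2025-10-16T09:02:00 FILE_RENAME user=asmith src=10.0.0.9 path=/share/notes-v2.txt",
] + [
    f"2025-10-16T09:05:{i:02d} FILE_RENAME user=jdoe src=10.0.0.12 path=/share/q3/doc{i}.docx.locked"
    for i in range(25)
] + [
    f"2025-10-16T09:{10 + i}:00 LOGIN_FAIL user=bwong src=192.0.2.55" for i in range(5)
] + [
    "2025-10-16T09:14:30 LOGIN_OK user=bwong src=192.0.2.55",
]


def parse(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable lines are skipped rather than treated as events
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def detect(lines, fail_threshold=5, fail_window=timedelta(seconds=60),
           rename_threshold=20, rename_window=timedelta(seconds=60)):
    """Return a list of (rule, user, src, iso_timestamp) alerts, in log order."""
    alerts = []
    fails = defaultdict(deque)    # (user, src) -> timestamps of recent failures
    renames = defaultdict(deque)  # user -> timestamps of recent renames
    already_flagged = set()       # users already reported for mass rename

    def trim(q, now, window):
        # Drop events that fell out of the sliding window.
        while q and now - q[0] > window:
            q.popleft()

    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        now, user, src = ev["ts"], ev["user"], ev["src"]
        if ev["event"] == "LOGIN_FAIL":
            q = fails[(user, src)]
            q.append(now)
            trim(q, now, fail_window)
        elif ev["event"] == "LOGIN_OK":
            # A success right after a burst of failures is the interesting case.
            q = fails[(user, src)]
            trim(q, now, fail_window)
            if len(q) >= fail_threshold:
                alerts.append(("BRUTE_FORCE_SUCCESS", user, src, now.isoformat()))
                q.clear()
        elif ev["event"] == "FILE_RENAME":
            q = renames[user]
            q.append(now)
            trim(q, now, rename_window)
            if len(q) >= rename_threshold and user not in already_flagged:
                alerts.append(("MASS_RENAME", user, src, now.isoformat()))
                already_flagged.add(user)
    return alerts


def run_sample():
    return detect(SAMPLE_LOGS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running it produces two alerts: the successful brute force against jdoe at 09:00:10 and the rename burst at 09:05:19, the moment the twentieth rename lands inside the window. The bwong lines show the limitation of any fixed window: five failures spread over five minutes never accumulate, so a patient attacker slips under this rule. Thresholds have to be tuned to the business, and rules like these complement rather than replace a monitored detection service.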

Respond

Develop and routinely test a robust incident response plan, including procedures for restoring from secure, isolated backups. Even with strong monitoring and well-trained staff, cyber incidents such as ransomware attacks can occur. An effective response plan should enable speedy action (isolating affected systems, preserving evidence, and notifying insurers, counsel and regulators as required), minimize damage, and ensure business continuity. Isolated backups, kept offline or immutable, are critical because ransomware operators routinely seek out and encrypt or delete any backup reachable from the compromised network. Regular testing and updates to the plan, including timed restore drills, help ensure readiness when it matters most.

Recover

Following an attack, activate your response plan and restore operations from clean, isolated backups. Establish when the intrusion began before choosing a restore point, since a backup taken after the initial compromise can reintroduce the attacker’s foothold. Engage third-party technical experts as needed to fully remove malicious software, verify system integrity and confirm that no attacker persistence remains before reconnecting systems. Once restoration is complete, ensure all security protocols are reinforced and any credentials exposed during the incident are rotated. A thorough post-incident review is essential to understand the root cause and strengthen defenses against future threats.
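As an added example (not code from the original article), here is one way to make “restore clean, isolated backups” and “verify system integrity” concrete: record a SHA-256 hash of every file when the backup is taken, protect that manifest with an HMAC whose key is stored with the offline copy rather than on the production network, and refuse to bring a restored tree online if any file is missing, modified or unexpected, or if the manifest itself fails its MAC. The file names, contents and key below are placeholders constructed for the example.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path, key: bytes) -> dict:
    """Hash every file under root and MAC the entry list with the offline key."""
    entries = {p.relative_to(root).as_posix(): sha256_file(p)
               for p in sorted(root.rglob("*")) if p.is_file()}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "mac": hmac.new(key, body, "sha256").hexdigest()}


def verify_restore(root: Path, manifest: dict, key: bytes) -> list:
    """Return [] if the restored tree matches the manifest, else a sorted list of problems."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    expected_mac = hmac.new(key, body, "sha256").hexdigest()
    # Check the manifest before trusting anything it says; constant-time compare.
    if not hmac.compare_digest(expected_mac, manifest["mac"]):
        return ["manifest MAC mismatch: do not trust this manifest"]
    problems = []
    for rel, digest in manifest["entries"].items():
        p = root / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    # Files that were never in the backup are just as suspicious as altered ones.
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel not in manifest["entries"]:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> dict:
    """Build a tiny constructed backup, then verify a clean, a tampered and a forged case."""
    key = b"placeholder-key-stored-with-the-offline-backup"  # assumption for the example
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "restore"
        (backup / "db").mkdir(parents=True)
        (backup / "db" / "customers.sql").write_bytes(b"CREATE TABLE customers (id INT);\n")
        (backup / "config.yml").write_bytes(b"env: prod\n")
        manifest = build_manifest(backup, key)
        clean = verify_restore(backup, manifest, key)

        # Simulate a bad restore: one file altered and one attacker binary dropped in.
        (backup / "config.yml").write_bytes(b"env: prod\nwebhook: http://203.0.113.9/\n")
        (backup / "db" / "helper.exe").write_bytes(b"MZ...")
        tampered = verify_restore(backup, manifest, key)

        # An attacker who edits the manifest to bless helper.exe cannot recompute the MAC.
        forged = {
            "entries": {**manifest["entries"],
                        "db/helper.exe": sha256_file(backup / "db" / "helper.exe")},
            "mac": manifest["mac"],
        }
        forged_result = verify_restore(backup, forged, key)
    return {"clean": clean, "tampered": tampered, "forged": forged_result}


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result or "OK")
```

The clean case returns no problems; the tampered restore reports the modified configuration file and the unexpected binary; the forged manifest is rejected outright because its MAC no longer verifies. In practice the manifest and key travel with the offline copy, and the check runs on the restored host before it is reconnected to the network.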

Govern

In addition to the five security functions, the updated NIST CSF 2.0 elevates governance to a foundational element. This involves developing a clear understanding of your organization’s unique cybersecurity needs and establishing defined roles, responsibilities and authorities across the enterprise. Effective governance ensures that cyber assets are formally managed through structured processes that span technology, process and people. It also integrates cybersecurity into broader enterprise risk management and business oversight, with particular attention to policy, accountability and supply chain risk management. Regular evaluation of cyber governance practices helps align cybersecurity efforts with strategic objectives and regulatory expectations.


The Role of Cyber Insurance in Risk Management

While NIST CSF 2.0 is just one of many available tools, its structured approach offers organizations a practical way to prioritize and manage cyber risks. By systematically identifying vulnerabilities, implementing proactive measures, and preparing for response and recovery, companies can build resilience in an increasingly complex threat landscape. Establishing a proactive posture also strengthens the foundation for effective risk transfer strategies.  

Cyber insurance, when aligned with risk mitigation practices, can serve as a critical financial safeguard, helping organizations recover from incidents while limiting operational disruption.  Zurich’s Cyber Insurance Policy – Concierge Suite is designed with small and midsize entities’ coverage needs in mind. Zurich insureds have access to a breach coach and a 24/7 cybersecurity hotline, making it a turnkey solution that simplifies resource engagement and provides access to advisory services through Zurich Resilience Solutions to this growing and vital segment of the economy. Middle market businesses are particularly vulnerable to cyber threats, and Zurich’s solution aims to bridge the cyber resource gap by providing cost-effective protection and essential loss mitigation services.


With Zurich Cyber Insurance Policy – Concierge Suite, Zurich not only addresses a crucial need but also helps safeguard the future of middle market companies navigating an increasingly digital world.  

Middle market companies looking to learn more about Zurich’s cyber policy can reach out to their broker or visit the Zurich Cyber webpage.

To explore Zurich’s tools and resources for building cyber resilience, visit Zurich’s Cyber Resource page.


References

1. Morgan, Steve. “60 Percent of Small Companies Close Within 6 Months of Being Hacked.” Cybercrime Magazine, 17 October 2022.

2. “The Five Functions.” NIST Cybersecurity Framework, National Institute of Standards and Technology, 26 February 2024.


The information in this publication was compiled from sources believed to be reliable for informational purposes only. All sample policies and procedures herein should serve as a guideline, which you can use to create your own policies and procedures. We trust that you will customize these samples to reflect your own operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all information contained herein is not intended to constitute advice (particularly not legal advice). Accordingly, persons requiring advice should consult independent advisors when developing programs and policies. We do not guarantee the accuracy of this information or any results and further assume no liability in connection with this publication and sample policies and procedures, including any information, methods or safety suggestions contained herein. We undertake no obligation to publicly update or revise any of this information, whether to reflect new information, future developments, events or circumstances or otherwise. Moreover, Zurich reminds you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional procedures might not be appropriate under the circumstances. The subject matter of this publication is not tied to any specific insurance product nor will adopting these policies and procedures ensure coverage under any insurance policy. Insurance coverages underwritten by individual member companies of Zurich in North America, including Zurich American Insurance Company. Certain coverages not available in all states. Some coverages may be written on a nonadmitted basis through licensed surplus lines brokers. Risk engineering services are provided by The Zurich Services Corporation. This article was developed with the assistance of generative AI technology. 
While every effort has been made to ensure the accuracy, timeliness, and relevance of the information presented, AI-generated content may occasionally include errors, inconsistencies, or outdated material. This content is intended for general informational purposes only and should not be considered a substitute for professional, legal, or expert advice. Readers are encouraged to use their own judgment and consult qualified professionals when making decisions based on this information.