Cyber resilience in the age of AI: Lessons from mid-market leaders
When it comes to cybersecurity strategies for mid-market leaders, the biggest threat isn’t just the next data breach — it’s complacency. During Wipfli’s recent Cyber and Enterprise Risk Strategies for Mid-Market Leaders webinar, executives from banking, healthcare, higher education and construction shared how they’re adapting to a landscape reshaped by AI, data privacy expectations and growing regulatory pressure.
Their message was clear: In 2025, cybersecurity is everyone’s job — not just IT’s.
It must become a firmwide priority embedded in every business function. As Laurie Panella, chief information officer at Marquette University, put it, “Cybersecurity is everyone’s job — awareness must become action.”
The evolving threat landscape
From phishing and ransomware to credential stuffing, human error remains one of the most common vulnerabilities. Panelists agreed that even the best technology can be undone by a single click, and that awareness training for employees and customers is just as vital as investing in new firewalls or endpoint protection.
Amy Jay, risk administration officer at Adams Bank, explained that her organization focuses heavily on “training, both on the customer and on the employee side,” because “security is a shared responsibility.”
That theme of shared accountability resonated throughout the conversation. As organizations adopt generative AI and chatbots, a new layer of exposure is emerging.
Dr. Michael Bodner, president and chief information officer of AWC Technology, encouraged firms to think proactively before they start deploying automation. “First prepare for what is coming,” he advised. “Organize all of your information in a safe infrastructure before inviting AI agents and chatbots to visit.”
AI is revolutionizing efficiency — but also reshaping risk. Panelists noted that the same technologies improving operations can also enable deepfakes, automated attacks and insider data leaks. Mid-market leaders must now treat AI governance and data security as inseparable elements of their enterprise risk strategy.
Shared challenges across industries
While the panel represented very different industries, from banking to healthcare to higher education, the discussion revealed more similarities than differences. Regardless of sector, panelists described the same fundamental goal: protecting trust.
In healthcare, that means protecting patients’ most sensitive information. Megan Peck, director of the Health Center Controlled Network at the Community Health Center Association of Connecticut, emphasized that cybersecurity goes far beyond compliance for providers. “Protecting their systems means protecting the data, privacy and trust of some of the most vulnerable patients in our communities,” she said.
For banks, the focus often extends to vendors and other third parties. Jay explained that many institutions underestimate the number of external partners who have access to their data. “We adopted a cybersecurity monitoring service to oversee third parties with access to our systems,” she said, noting that continuous oversight has become nonnegotiable in today’s interconnected environment.
Universities are likewise rethinking their models, balancing open access to research and collaboration with stronger controls over personal and institutional data. Panella described how higher education institutions are now investing in governance frameworks and ethical AI policies to guide responsible innovation. “Education and governance,” she said, “are our first lines of defense.”
Compliance is catching up — but risk is moving faster
Another topic that generated robust discussion was the growing role of cyber insurance and compliance. While regulatory frameworks like HIPAA, GLBA and GDPR have long shaped data governance, panelists warned that regulation alone can’t keep pace with the speed of emerging threats.
At the same time, insurers are becoming more prescriptive, requiring specific security controls before offering coverage. This trend is pushing mid-market firms to raise their baseline security standards — and in many cases, those requirements are driving overdue upgrades. One panelist observed that “cyber insurance policies are forcing organizations to improve their security posture.”
Yet the panel agreed that compliance should be seen as a starting point, not a finish line. True resilience, they said, comes from taking a proactive approach — using threat intelligence, risk-based monitoring and scenario planning to anticipate where the next vulnerability might emerge.
From compliance to culture
Perhaps the strongest consensus from the discussion was that technology and compliance are only half the equation. Culture matters just as much.
Peck described how smaller healthcare organizations often operate with limited IT staff and budgets, leaving them particularly exposed. “Resource limitations make us more vulnerable,” she explained, “but that’s exactly why we have to build security awareness into our culture.”
For leaders, that means moving beyond one-time training sessions to create a workplace where cybersecurity is an ongoing conversation. Employees must know what suspicious activity looks like and feel empowered to speak up. Jay noted that when people see cybersecurity as part of their role — not an IT problem — organizations are far less likely to fall victim to human error.
Building that culture requires commitment from the top. Executives should regularly communicate the importance of security, celebrate teams who identify and prevent potential threats and model accountability in their own behavior.
The AI factor
As more organizations embed AI into their workflows, governance has become an urgent priority. Bodner cautioned that without clear policies, companies risk unintentionally leaking proprietary or sensitive data into large language models. “Prepare for what is coming,” he reiterated. “AI can be transformative — but only if you secure your information first.”
Forward-looking organizations are now drafting internal AI policies that define acceptable data sources, employee use of generative tools, vendor verification processes, and documentation for AI-driven decisions. Panelists noted that integrating AI governance within the same enterprise risk management framework as cybersecurity ensures consistency and accountability, especially as AI increasingly influences business and financial outcomes.
Collaboration as a defense strategy
Another takeaway was the power of collaboration. As cybercriminals share information and tactics at lightning speed, organizations must match that pace by sharing intelligence with peers and advisors.
Panelists agreed that mid-market firms can no longer afford to operate in isolation. Regular information sharing, peer learning groups, and partnerships with cybersecurity advisors like Wipfli help firms stay ahead of evolving threats. “Peer learning and collaboration are vital,” one panelist observed. “Sharing best practices and experiences helps organizations stay ahead.”
Five practical actions for mid-market leaders
To close the session, Wipfli advisors summarized five practical steps every mid-market leader can take to strengthen their cyber resilience:
- Make cybersecurity a business strategy, not an IT function: Align it with enterprise risk management and leadership accountability.
- Invest in continuous training: Build awareness from the boardroom to the front line.
- Vet your vendors: Regularly evaluate third-party partners with access to your systems or data.
- Establish AI governance early: Create policies before scaling automation across your business.
- Review and test your incident response plan annually: Update it for AI-driven threats, supply chain risks, and ransomware scenarios.
These foundational steps are critical for any organization seeking to maintain resilience, retain customer trust, and meet rising insurance and regulatory standards.
Building a stronger defense with Wipfli
Wipfli helps mid-market leaders strengthen their cybersecurity and enterprise risk strategies with services that go beyond compliance to create long-term resilience. Our specialists assist clients with risk assessments, AI and data governance, compliance readiness, cyber insurance preparedness, vendor management and employee awareness programs.
Cybersecurity may start with technology, but it succeeds through strategy, culture and collaboration. The time to act is before an incident — not after. Learn more about Wipfli’s cybersecurity services.
Watch the full discussion
To hear more insights from these industry leaders and explore practical steps to strengthen your own security posture, watch the on-demand webinar.