Cybersecurity threats have always been dangerous, but never so much as they are today, and organizations of all sizes are paying the price. Here are some recent statistics showing the increase in cyber attacks and data breaches, followed by an explanation of why it is increasing.
- The average cost of a data breach has reached an all-time high, according to the latest Cost of a Data Breach Report published by IBM, climbing by 12.7 percent since 2020.
- The Identity Theft Resource Center’s 2021 Data Breach Report identified 68 percent more data breaches compared with the previous year.
- 43 percent of cyber attacks now target small businesses, many of which still believe their small size provides a sufficient level of protection by making them not worth targeting.
These and other gloomy statistics paint a clear picture of a cybersecurity landscape resembling a minefield, but they don’t tell us why the minefield is becoming increasingly difficult to navigate.
To answer this important question, we need to take a step back and look at the big picture.
Organizations Have Become Digitally Transformed
IT experts have been preaching the benefits of technology and innovation for decades, and many organizations have been listening and embracing digital transformation to improve business processes, culture, and customer experiences.
It’s estimated that 70 percent of organizations either have a digital transformation strategy or are currently working on one, and the global digital transformation market is projected to grow from $469.8 billion in 2020 to $1,009.8 billion by 2025.
The more organizations rely on digital technology, the broader their attack surfaces become, making it more difficult for cybersecurity teams to defend them and, at the same time, amplifying the consequences of a breach.
That doesn’t make digital transformation not worth it, but it does underscore the importance of doing it the right way—with a sharp focus on cybersecurity.
Growing Interdependencies of Systems
Both the complexity and interdependence of IT systems have skyrocketed since personal computers entered the market in the late seventies. Initially, IT systems were straightforward and isolated, often consisting of a single on-premises server and just a handful of computers, printers, and fax machines connected to it.
Now, even small organizations manage IT environments that span on-premises, multiple clouds, and even edge environments, and they rely on more Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS) vendors than ever before to provide them with necessary tools and resources.
The same vendors are exposed to the same cybersecurity threats as the organizations they serve, and their interdependence means that a single cybersecurity incident can set off an avalanche of data breaches.
That’s precisely what happened when Accellion, an American technology company that secures sensitive content communications, was too late to fix a critical vulnerability that eventually resulted in the breach of over 100 organizations, universities, and government agencies.
The potentially devastating impact of data breaches caused by third parties is reason enough for organizations to implement a robust vendor vetting process to reduce external supply chain threats, partnering exclusively with vendors that meet their standards and industry regulations.
Threat Actors Are Using Increasingly Sophisticated Techniques
The first malware, the Morris worm (named after its author, Robert Morris), was created in 1988, and it used relatively primitive techniques to propagate without human interaction. Now, in 2022, the AV-TEST Institute registers over 450,000 new malicious programs and potentially unwanted applications every single day.
But the explosion of malware isn’t even the main issue because it’s inflated by algorithmically generated variations of the same strains, which are fairly easy for anti-malware software to detect. The main issue is the increasing sophistication of the techniques used by threat actors.
“Criminal groups are skilled and relentless. They have become adept at evolving their techniques to increase success rates, whether by experimenting with different phishing lures, adjusting the types of attacks they execute or finding new ways to hide their work,” explains Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft.
Barriers to Cybercrime Are Getting Lower and Lower
Another change from the past is the shifting nature of cybercriminals themselves. In the early days, cybercrime activity was performed almost exclusively by highly skilled hackers with a deep desire to push boundaries and discover the undiscovered.
Today’s cybercriminals are motivated mainly by the desire to make money, and they don’t really care who they attack or how. Instead of looking for new vulnerabilities to exploit and satisfy their curiosity, they use readily available tools and services that make it possible for virtually anyone to launch a large-scale attack with a simple click.
Such tools and services may not be enough to compromise a large enterprise with a dedicated cybersecurity team, but they can inflict a lot of damage to small organizations that have yet to give cybersecurity the priority it requires.
Data Protection Regulations Add to Data Breach Costs
The financial impact of a data breach can be severe because it includes everything from immediate remediation to revenue loss caused by operational disruption to the cost of long-term reputational harm.
It may also include non-compliance fines and legal fees because more and more organizations are subject to various international, government-imposed, and industry-specific data protection regulations.
For instance, any company that’s doing business in California or with its residents can be fined up to $2,500 for each violation and $7,500 for each intentional violation of the California Consumer Privacy Act (CCPA).
Likewise, organizations that collect or process personal data of EU residents must comply with the General Data Protection Regulation (GDPR); otherwise, they can be fined up to €20 million, or up to 4 percent of the annual worldwide turnover of the preceding financial year, for especially severe violations.
“The difference between low and high regulatory environments showed up in a pronounced way two years or more after the data breach—the longtail costs,” states IBM in its report. “In highly regulated industries, an average of 24 percent of data breach costs were accrued more than two years after the breach occurred.”
Preparedness Is the Only Way to Combat Cybersecurity Threats
When cybersecurity threats are becoming more dangerous for reasons you can’t control, the best move is to focus on what you can control—your level of preparedness. And that’s something we at OSIbeyond can help you with.
Your organization may be too small to staff a dedicated IT department, but you can always hire our team of cybersecurity professionals to fully manage your technology for you. Schedule a free meeting with us now.