Cybersecurity professionals are painfully aware that cybersecurity risks are a plague on businesses of all sizes, as well as the average online consumer.
Hackers and data miners continue to become more sophisticated, malicious and just plain greedy. Even the general public has become aware of security threats and incidents that splash across news headlines.
In other words, you don't have to be an enterprise IT pro to understand the latest security risks. That's the easy part.
The hard part is understanding who is at risk, why and when you may fall prey to attack, how pervasive attacks are, and what types of threats are most likely to occur. Also important is understanding the costs and consequences associated with attacks, technologies that prevent a cybersecurity attack, and the fallout once an attack or data breach has occurred. The following statistics should help you to understand the risks, ensure network security, and -- just in case -- create an incident response plan.
Cybersecurity and Cyber Crime Statistics
Before diving into the specific types of cyber attacks, you need to understand how much data is involved in attacks. By 2025, humanity's collective data will reach 175 zettabytes (that's 175 followed by 21 zeros), according to this video from Seagate Technology. This data includes everything from streaming video and dating apps to heath care databases. Securing all this data is vital.
This article is part of
The main goal for cyber criminals is to acquire information -- name, passwords, financial records, etc. that is then sold on the dark web. Attacks can happen at any time and both individuals and organizations are victims of these crimes.
- Security experts and threat hunters found an Elasticsearch database in October that contained the passwords of more than 1.2 billion social media accounts. That data was accessible by anyone, without a password. Yahoo still holds the record for the largest data breach by number of records hacked with 3 billion in 2014, but there were plenty of big data breaches in 2019.
- Security breaches increased 11% from 2018 to 2019. According to Accenture's Ninth Annual Cost of Cybercrime Study, the number of incidents increased from 130 to 145 year over year. In the same study, 80% of organizations said they are introducing innovations faster than they can secure it against attackers
- Cyberattacks and data fraud or theft are two of the top five risks CEOs are most likely to face according to the 2019 World Economic Forum report on global risks.
- Cisco blocked 7 trillion security threats -- 20 billion security threats a day -- in 2018, according to the Cisco/Cybersecurity Ventures 2019 Cybersecurity Almanac.
- 4 million Americans were victims of fraud in 2018, down slightly from 16.7 in 2017 according to the 2019 Identity Fraud Study from Javelin Strategy & Research, but the cost increased from $3 billion to $3.4 billion year over year. While businesses try to protect their own sensitive files from attack, customer information is stored in vulnerable databases all over the world.
- It takes an average of 279 days for security teams to identify a data breach, according to the "Cost of a Data Breach" report released by IBM and Ponemon Institute.
- Cryptojacking is incredibly prevalent. The Institute for Application Security in Germany found that one out of every 500 Alexa sites hosts mining script.
- The same study noted that most hackers don't earn very much. The average data miner earns less than $6/day. But high earners can make more than $166,000 on a single hack.
- The average data breach includes more than 25,000 records according to the same report.
- Finally, only 10% to 12% of cyber crime is reported each year in the U.S. The head of the FBI's Internet Crime Complaint Center (IC3) told The New York Times that victims are unlikely to report incidents because they are embarrassed, fear damage to their reputations, or they believe that law enforcement can't help (among other reasons).
Cybersecurity Issues and Threats
Many types of security threats are out there. Unlike a breach, a security incident doesn't necessarily mean information has been compromised, only that the information was threatened. Here are statistics about the four biggest types of security threats: malware, ransomware, social engineering and DDoS, or distributed-denial-of service, attacks.
- 94% of malware is still delivered by email, documented in Verizon's 2019 Data Breach Investigations report. Malware, or malicious software, is any program or file that is harmful to a computer or user. Types of malware can include computer viruses, worms, adware and spyware. Most of these types of malware can be sent by malicious emails.
- Speaking of malware, mobile malware infections are also on the rise. In 2018, the number of ransomware infections on mobile devices increased by one-third compared to 2017, according to Symantec's 2019 Internet Security Threat Report. Mobile ransomware infections affected the U.S. the most, accounting for 63% of infections, followed by China (13%) and Germany (10%).
- Ransomware attacks are a constant threat. Cybersecurity Ventures and Herjavec Group's 2019 Official Annual Cybercrime Report predicted that a business would fall victim to a ransomware attack every 11 seconds by 2021. That equals 7,854.54 successful attacks in a day. Those predicted attacks would cost businesses up to $20 billion.
- More than 90% of cyber attacks begin as spear phishing emails, according to Trend Micro researchers. Spear phishing is a type of social engineering in which attackers target a specific individual (or individuals) within a company through months of research through their social media presence and then create a phishing email campaign tailored specifically to that person. It's a major issue that security professionals should be wary of in 2020. "Most firms still do not know where all of the sensitive information is nor what the criticality is, and we continue to see breaches because of it," said Adrian Lane, CTO and Security Analyst for Securosis.
- The frequency of DDoS attacks grew 39% in the first half of 2019 compared with the first half of 2018, from 2.8 million attacks to 3.8 million, according to NetScout's 2019 Threat Intelligence Report. Across the world, attacks increased 1,900% in attacks in the Asia-Pacific region, while Europe, Middle East and Africa region saw a 431% year-over-year increase. Comparatively, North American DDoS attacks increased a mere 99%.
- DDoS attacks don't have to be large to be effective. The same report found that the number of attacks between 400 and 500 Gbps shrank by 40% and attacks of more than 500 Gbps decreased 32%. However, attacks in the 100-400 Gbps range increased 766%.
- Cisco predicts the global number of DDoS attacks will reach 14.5 million by 2022.
The Cost of Cyber Crime
Cyber crime can affect a business for years after the initial attack occurs. The costs associated with cyber attacks include lawsuits, insurance rate hikes, criminal investigations and bad press. They can put a company out of business quickly.
- Part of maintaining a high level of security is making sure non-security employees know how security affects their day-to-day activities. Building a security awareness training program is a necessary part of any company's security program. Employees from associates to CEOs are constantly inundated with phishing emails. When you have mobile and IoT devices in your environment, creating a mobile incident response plan is a must. The cost of data breaches will rise from $3 trillion each year to over $5 trillion in 2024, according to the Accenture Cost of Cybercrime study.
- The average attack -- be it a data breach, malware, ransomware, or DDoS attack -- cost companies of all sizes $200,000, and many affected companies go out of business within six months of the attack, according to insurance company Hiscox.
- The average cost of a data breach is $3.9 million, according to the IBM/Ponemon Institute report. Breaches in the healthcare industry are the costliest ($6.5 million on average), and the U.S. is the most expensive country at $8.19 million. The Middle East is second on the list at $5.9 million. Middle Eastern businesses report the highest average number of breached records with more than 38,000 per incident, according to the same report.
- 43% of attacks are aimed at small- and medium-sized businesses, but only 14% are prepared to defend themselves, according to Accenture.
- The U.S. government spent $15 billion on cybersecurity in 2019. The Department of Defense received the most funding with nearly $8.5 billion in the budget. Homeland Security got roughly $1.7 billion.
- More than 33 billion records will be stolen by cyber criminals by 2023, an increase of 175% from 2018.
- By 2027, global spending on cybersecurity training will reach $10 billion, according to Cybersecurity Ventures. As the number of online users increases (an estimated 4 billion by 2020), insider threats are as equally significant as threats from outside the enterprise. Training employees recognize security threats and recognize them can bolster your cyber defense strategy.
Headlines From the Cyber Security Industry
Plenty of security news broke in 2019. Hackers and cybercriminals ruthlessly attached businesses and individuals alike. In addition to cyber crimes, important news also included major industry trends related to incident response and testing. But cyber crimes weren't the only news that security experts should consider from 2019. Here's a look at some of the major industry trends related to incident response, attacks and testing.
- A former AWS employee stole the personal data of more than 100 million individuals. Paige A. Thompson allegedly accessed Capital One's network and stole personal data for more than 100 million Americans and 6 million Canadians who applied for Capital One credit cards.
- The FBI's Cyber's Most Wanted list features more than 70 individuals and groups that have conspired to commit the most damaging crimes against the U.S. These crimes include, but are not limited to, computer intrusions, wire fraud, identity theft, espionage, theft of trade secrets, and many other offences reported by the FBI.
- China has quietly cornered the VPN market, says security research firm VPNpro, which didn't want this news kept private. Six Chinese companies own 30% of VPNs, and 97 top VPNs are run by 23 parent companies, many of which are based in countries with lax privacy laws. That's not a great way to keep the private in virtual private network.
- Before launching a product, 23% tech firms do not perform security testing. In a survey of 212 security pros at the 2019 RSA Conference, this was one of the biggest findings. ComputerWeekly has compiled a list of some of the biggest security news in Europe from 2019.
- Managing mobile device security is another challenge for organizations. One in 36 devices used in organizations were classified as high risk, according to Symantec. This included devices that were rooted or jailbroken, along with devices that likely had malware installed.
The Skills Shortage
The cybersecurity industry has an employee and skills shortage. But don't lose heart, faithful security pros! Joseph Blankenship, a senior analyst for security and risk at Forrester Research, suggested that organizations look inward for current employees who might be well suited for security careers -- then recruit and train them for those new roles. There may be plenty of individuals out there with the chops needed for the job, such as networking admins, developers, systems engineers and even security analysts.
The U.S. government is also working to improve the recruitment process. The CIA is working with the industry to recruit more security pros by promoting diversity through the hiring of more women and minorities.
- The CIA estimates a security workforce gap of 1.8 million by 2022.
- The ISACA's State of Cybersecurity 2019 survey states that 62% of organizations take three months or longer to fill open positions, while 59% of respondents said that fewer than half of the applications they receive are sufficiently qualified for security positions.
- According to the same survey, 25% of organizational security budgets are expected to be allocated towards skilled staff, followed by tools and technology (23%) and infrastructure and equipment (22%) in the next 12 months.
- According to Symantec, two-thirds of cybersecurity decision-makers feel like quitting. Part of the reason for a skills gap is that security experts leave their jobs at an alarming rate. The Symantec study also found that four in five security professionals say they are burned out. Survey respondents said they feel "set up for failure," in a profession where the everyday role is reaching "a state of chronic overload."
- Cyber security is a high-salary field to work in and the incident response field specifically is booming. ZipRecruiter estimates the average salary nationwide for an incident response analyst is $93,295 as of January 2020. Other high paying positions include chief information security officer and senior security consultant.
If the previous statistics have you lying awake in the middle of the night, here are a few final stats to help you sleep. Organizations are making security a priority. More than 60% of organizations are increasing cybersecurity budgets in 2020, according to ESG. Security budgets increased an average of $8.9 million in 2018 to $18.9 million in 2019, according to Kaspersky and SANS 2020 Cybersecurity Spending Survey found that more than half of C-level security experts expect their budgets to increase in 2020, with spending increases on cloud tools, staff training, and authentication.