In 2021, the number and severity of cyber crime attacks increased as cyber criminals attempted to access a larger pool of data and infrastructure.
If you’ve been meaning to implement, update or review your organisational cyber security infrastructure, make 2022 the year you take action. To put the cost of inaction into perspective, we’ve detailed five key stats which all businesses should consider as we welcome 2022.
Data breaches can damage more than organisational reputation
- The average cost of a data breach in 2021 was the highest in 17 years, rising from $3.86m to $4.24m year on year (IBM Cost of a Data Breach Report 2021)
The financial cost of data breaches is on the rise, and the damage to business success indicators such as reputation can be equally devastating. Each breach seemingly gains more airtime and real estate in mainstream headline news, so the impact on customers – or potential customers – can be dramatic.
The public have a much better sense of the value and vulnerability of the data about them that resides within organisations. With this in mind, any exposure of customer data to cyber criminals is now a major factor in consumers' decisions to move to competitors. The cost of a data breach therefore reaches far beyond organisational reputation.
Business Email Compromise is a costly cyber threat organisations should be aware of
- The costliest cyber crime remains Business Email Compromise (BEC). Losses surpassed US$1.86 billion in 2020 according to the FBI (2020 Internet Crime Report)
BEC attacks are the costliest because they are so targeted. Cyber criminals send convincing-looking emails to senior executives or budget holders that request unusual payments, or that carry malware disguised as harmless attachments, which is activated when the attachment is opened.
This tactic is different to general phishing attacks, as the criminal will have crafted the email to appeal to a specific individual within the business. As the contents of the email won’t appear unusual to the individual, staff are more likely to follow the demands of the cyber criminals.
Phishing attacks are on the rise as businesses embrace remote working
- Phishing increased by 11 percentage points, to 36 percent of all breaches (Verizon 2021 Data Breach Investigations Report)
As workforces raced to replace the office environment with remote or hybrid working approaches, cyber criminals took full advantage of the uncertainty. With many employees working outside the corporate environment for the first time, we saw a sharp rise in phishing threats. We are likely to see these types of attacks continue to increase in 2022.
Stolen user credentials pose a costly threat to data security
- The most common cause of data breaches in 2021 was stolen user credentials. They were responsible for 20 percent of breaches, and these breaches cost an average of US$4.37 million (IBM Cost of a Data Breach Report 2021)
2021 showed that, even if your defensive walls are high and have been well invested in, cyber criminals are finding ways to get over them. Increasingly, stolen employee credentials are used to make an attacker's access to sensitive data look ‘legitimate’. Even if activity looks like it’s coming from a trusted, authorised user – it may not be.
Ransomware attacks are increasingly leading to double extortion
- Ransomware attacks in particular have increased spectacularly over the course of the past year. However, it’s not just attack numbers that have risen, but also the element of double extortion: cyber criminals threaten to exfiltrate the breached data and release it to the public or sell it to other criminals. In 2020, the threat to leak data accompanied 8.7% of attacks, rising significantly to 81% in the second quarter of 2021 (ENISA Threat Landscape 2021)
Too often cyber criminals are portrayed as individuals in basements carrying out the occasional attack. In reality, those carrying out cyberattacks are ruthless criminals. The increasing threat to release data, as well as demanding a ransom, highlights the true nature of the cyber criminal.
Over the last two years, we witnessed attacks on organisations that were central to the fight against COVID-19, with laboratories, hospitals and government departments all being targeted.
Making cyber crime defence an organisational priority
These stats give a bleak view of cyber crime in 2021, and we can be sure that 2022 will see no let-up in the efforts of cyber criminals to gain access to key data. Undoubtedly, their methods will become more sophisticated, and companies, whatever their size or reputation, remain at risk of becoming a victim.
However, what 2021 did show was that cyber crime is now very much higher on the agenda of businesses than in the past. More emphasis is being placed on ensuring security, educating staff, having visibility across all potential vulnerabilities, and rapidly implementing solutions that close the gaps.
One of the key strategies for 2022 will be for companies to take a zero-trust approach to their cyber defences. This is not a negative or backward step, but a sensible one, in the face of an increasingly sophisticated approach from the cyber criminal.
A zero-trust approach to cyber security
By taking a zero-trust approach, companies can be sure that some of the most sophisticated methods cyber criminals are now using can be identified and dealt with before they have a major impact on the business. Zero-trust is a security framework that requires all users to be continually authenticated, authorised and validated before they are allowed to gain access to data.
Zero-trust reduces the chances of unauthorised access, even when the activity looks entirely legitimate. As we saw from the stats above, stolen user credentials are increasingly a route cyber criminals are taking; zero-trust helps to negate this threat. It also means that employees are constantly on the lookout for suspicious activity, ensuring a culture of good cyber security practice is implemented throughout the business.
This approach means that cyber criminals don’t simply have to get through a perimeter; they must evade both human and technological defences, which are simultaneously enforcing a zero-trust policy.
By taking this holistic approach to cyber security, companies are able to apply layered security to every user, device, application, database and access point. It also provides a clear view of present and future risk, often using Artificial Intelligence (AI) to triage threats.
Interested in finding out how your organisation could gain maximum protection from cyber security threats? Northdoor are IT security specialists, with decades of experience and data security solutions. Give us a call on 020 7448 8500, or get in touch via our website with your details for a free initial consultation.