Almost a year ago, the world turned upside down and seemingly everything changed due to the COVID-19 pandemic. In that time, entire workforces went – and stayed – home, cloud adoption skyrocketed and digital transformation has become a business imperative at scale. This confluence of events has also spelled “opportunity” for attackers – a fact that is widely reflected in cyber crime data.
As we approach the one-year mark, here’s a look back at some of the most eye-opening industry cybersecurity statistics from this period of unprecedented change.
An Attack Explosion
In the six weeks following lockdown, the World Health Organization (WHO) cautioned that scammers were preying on pandemic fear and uncertainty by impersonating the WHO, in addition to targeting WHO systems and employees directly, at a rate five times greater than in the same period in 2019.
While attackers mostly stuck to their favorite tried-and-true tactics to launch their attacks – phishing and identity compromise – the sheer volume of attacks was truly staggering, and caught many people distracted, unaware and unprepared. TechRepublic reported a 667% rise in spear-phishing attacks in March 2020 alone, and by April, the FBI had seen a 400% increase in cyber attacks.
Ransomware attacks also surged by 800% amid the rapidly evolving global crisis, prompting INTERPOL to issue a warning to healthcare institutions on the front lines about the growing threat. And Microsoft researchers warned of criminal groups using popular strains like Robbinhood, Maze and REvil to carry out “long-tail” attacks, waiting weeks or even months to deploy the ransomware, decrypt massive swaths of high-value data and demand crippling, multi-million dollar ransoms.
Meanwhile, as organizations accelerated cloud adoption to meet customer needs and support distributed workforces, a 630% increase in cloud-based attacks was recorded between January and April, mostly targeting services like Microsoft 365, and mostly involving the use of stolen credentials.
And the attacks kept coming: 70% of organizations hosting data or workloads in the public cloud experienced a security incident within the last year, with multi-cloud organizations reporting up to twice as many incidents’ versus single platform adopters.
Ponemon Institute estimated that new risks and challenges related to remote work would tack an additional $137K onto the 2020 global average total cost of a data breach, for a grand total of roughly $4M per incident.
Breaking that down, healthcare has the highest industry average cost at $7.13M per breach, and the United States has the highest country average cost at $8.64M.
Personally Identifiable Information (PII) has the highest cost per record at $150 each. Meanwhile, according to Deloitte, basic PII such as name and credit card information can be sold on the dark web in bulk for $0.10 or less.
Cracks in the Digital Armor
No one was prepared for the drastic shift foist upon the world by the global pandemic. In an instant, organizations had to scramble to connect home offices, support new devices and bring new collaboration tools online as quickly as possible. Too often, security became an afterthought. At the same time, remote workers were trying to figure out how to do their jobs from the confines of their homes. It wasn’t long until security workarounds in the name of productivity became dangerous, persistent habits.
According to Malwarebytes, 20% of companies said they faced a security breach specifically as a result of a remote worker, and 24% spent unbudgeted dollars on cybersecurity breaches or malware attacks after the world went into quarantine.
So where is it all falling apart? As it turns out – pretty much everywhere. Let’s examine one of many “cracks” in the digital armor.
The Q4 2020 CyberArk State of Remote Work Survey found that 69% of remote workers use corporate devices for personal use. Even worse, 57% admitted to letting other members of their household use their work devices for non-work activities like shopping, gaming, or schoolwork. This risky device-sharing activity almost doubled since CyberArk conducted a similar survey in spring 2020.
It’s estimated that one in 36 mobile devices have high-risk applications installed. When employees mix work and leisure on their device, these vulnerabilities provide potential openings for attackers to steal credentials and gain a foothold into an organization. And attackers are targeting these web-based applications in earnest: the 2020 Verizon Data Breach Investigation report highlights a year-over-year two-fold increase in web application breaches to 43%. Stolen credentials were used in over 80% of these cases.
In short, the more employees use personal devices for work purposes (or use work devices for personal activities), the more organizational risk they create. And it’s happening. A lot.
But even if remote workers adhere to security best practices and follow corporate protocols by the book, spotting a spoof within a pile of legitimate work emails is hard to do. CSO reports that 94% of malware is delivered via email, and it’s often cleverly disguised.
So, What Can We Do?
Yet despite rising awareness, the average time to identify a breach in 2020 was still a whopping 207 days, according to the Ponemon Institute. Then it was another 280 days, on average, between identification and containment – more than enough time for an attacker to cause disruption or damage.
Murphy’s law states that anything that can go wrong, will go wrong. That’s why it’s so important to assume you’ve already been breached and focus on breaking the attack chain. This means identifying, isolating and stopping attackers from compromising identities and gaining privilege, before they can do harm.
In the digital realm of good vs. evil, much more needs to be done, yet there are not enough cybersecurity professionals to do it. Cybersecurity Ventures estimates there will be 3.5 million unfilled cybersecurity jobs by 2021. Globally, the workforce would need to grow by 145% to meet rising demand and eliminate the cybersecurity labor shortage.
This shortage is only getting worse, according to a recent study by ESG and the Information Systems Security Association. The study shows that 70% of cybersecurity professionals say their organization had felt the impact of the skills shortage through symptoms such as growing workloads, unfilled job openings and the inability for professionals to learn or use cybersecurity technologies to their full potential.. Moreover, 18% of cybersecurity professionals from this study have been in the field for three years or less, and most started as IT professionals.
ESG concludes that a holistic approach can begin to close this gap – calling for ongoing cybersecurity education that begins at the public school level as well as career mapping, planning and development for both new and established professionals as cyber threats continue to evolve.
That won’t happen overnight, much as the world may need it to.
Since there is no caped crusader ready to swoop in and save the day, organizations must learn to think like an attacker and treat their systems as though they’ve already been breached, rather than assuming (or hoping) that they will be spared. That doesn’t have to be as grim as it sounds: A mindset shift and proactive stance are critical first steps toward a stronger security posture.