Board Responsibility & Liability
Given new governmental regulations, many Boards of Directors now take a very active interest in cybersecurity. They want to know about current and evolving risks, as well as the organization's security preparedness and response plans. The financial impact of a cyberattack can be significant and can include costly class-action lawsuits, which bear directly on the Board's fiduciary responsibility to preserve corporate financial value.
- 95 percent of cybersecurity breaches are caused by human error. (World Economic Forum)
- The worldwide information security market is forecast to reach $366.1 billion in 2028. (Fortune Business Insights)
- The U.S. was the target of 46 percent of cyberattacks in 2020, more than double any other country. (Microsoft)
- 68 percent of business leaders feel their cybersecurity risks are increasing. (Accenture)
- On average, only five percent of companies' folders are properly protected. (Varonis)
- 54 percent of companies say their IT departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
- Cyber fatigue, or apathy toward proactively defending against cyberattacks, affects as much as 42 percent of companies. (Cisco)
- 43 percent of all breaches are insider threats, either intentional or unintentional. (Check Point)
- Data breaches exposed 22 billion records in 2021. (RiskBased Security)
- Approximately 70 percent of breaches in 2021 were financially motivated, while less than five percent were motivated by espionage. (Verizon)
- In 2021, nearly 40 percent of breaches featured phishing, around 11 percent involved malware, and about 22 percent involved hacking. (Verizon)
- There were 1,862 recorded data breaches in 2021, surpassing the 2017 record of 1,506 breaches. (CNET)
- The top malicious email attachment types are .doc and .dot, which make up 37 percent; the next highest is .exe at 19.5 percent. (Symantec)
- An estimated 300 billion passwords are used by humans and machines worldwide. (Cybersecurity Media)
- Around 40 percent of the world's population is offline, making them vulnerable targets for cyberattacks if and when they do connect. (DataReportal)
Employees may be a company’s biggest cybersecurity risk
People are part of the problem when it comes to information security, so they need to be part of the solution. According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as a vulnerability.
- The average cost of a data breach was $4.24 million in 2021, the highest average on record. (IBM)
- The average time to identify a breach in 2021 was 212 days. (IBM)
- The average lifecycle of a breach in 2021 was 286 days from the initial compromise to containment. (IBM)
- The likelihood that a cybercrime entity is detected and prosecuted in the U.S. is estimated at around 0.05 percent. (World Economic Forum)
- Personal data was involved in 45 percent of breaches in 2021. (Verizon)
- Identity theft rose 42 percent in 2020 compared to the year before. (Insurance Information Institute)
- Security breaches have increased by 11 percent since 2018 and 67 percent since 2014. (Accenture)
- 64 percent of Americans have never checked to see if they were affected by a data breach. (Varonis)
- 56 percent of Americans don't know what steps to take in the event of a data breach. (Varonis)
Cybersecurity Training
- A 2021 LinkedIn data breach exposed the personal information of 700 million users, or about 93 percent of all LinkedIn members. (RestorePrivacy)
- An attack on Microsoft Exchange Server in March 2021 affected more than 30,000 organizations in the U.S., including businesses and government agencies. (Microsoft)
- In April 2021, a two-year-old vulnerability was discovered that had exposed the personal information of more than 533 million Facebook users. (Auth0)
- Using a single compromised password, hackers infiltrated the Colonial Pipeline Company in 2021 with a ransomware attack that caused fuel shortages across the U.S. (Bloomberg)
- Meat processing company JBS was the victim of a ransomware attack that shut down beef and poultry processing plants on four different continents. (Wall Street Journal)
- Nearly 48 million people had their personal information stolen in a 2021 T-Mobile data breach. (T-Mobile)
- In September 2021, Neiman Marcus found an 18-month-old data breach that exposed payment data and other information for 4.6 million shoppers. (Neiman Marcus)
- Personal data belonging to more than 100 million Android users was exposed in a 2021 data leak due to misconfigured cloud services. (Check Point)
- In November 2021, Panasonic announced that business partner data, job candidate information, and information about interns were accessed in a breach. (TechCrunch)
- Trading app Robinhood was the victim of a social engineering attack that compromised the personal data of 5 million users. (Robinhood)
- A 2020 Twitter breach targeted 130 accounts, including those of past U.S. presidents and Tesla CEO Elon Musk, resulting in attackers swindling $121,000 in Bitcoin through nearly 300 transactions. (CNBC)
- In 2020, Marriott disclosed a security breach that impacted the data of more than 5.2 million hotel guests. (Marriott)
- 500 million consumers, dating back to 2014, had their information compromised in the Marriott-Starwood data breach made public in 2018. (CSO Online)
- The 2019 MGM data breach resulted in hackers leaking records of 142 million hotel guests. (CPO Magazine)
- In 2018, Under Armour reported that its "MyFitnessPal" app was hacked, affecting 150 million users. (Under Armour)
- In 2017, 147.9 million consumers were affected by the Equifax breach. (Equifax)
- The Equifax breach cost the company more than $4 billion in total. (Time Magazine)
- In 2017, 412 million user accounts were stolen from FriendFinder's sites. (Wall Street Journal)
- 100,000 groups and more than 400,000 servers in at least 150 countries were infected by the WannaCry ransomware in 2017, at a total cost of around $4 billion. (Technology Inquirer)
- In 2017, Uber disclosed that hackers had stolen the information of over 57 million riders and drivers in a 2016 breach. (Uber)
- Uber tried to pay off the hackers to delete the stolen data of 57 million users and keep the breach quiet. (Bloomberg)
- In one of the biggest breaches of all time, three billion Yahoo accounts were hacked in 2013. (New York Times)
- In 2020, cybercriminals cloned the voice of a U.A.E. company director to initiate a $35 million bank transfer. (Forbes)
Consumer Awareness
There are a number of ways cybercriminals can infiltrate an enterprise, but research suggests that the biggest weakness at most companies may be the employees themselves. Malicious actors increasingly rely on a technique known as social engineering. In an interview with SecurityWeek, a vice president and principal analyst at Forrester Research noted that educating workers about the risks associated with online communication can reduce the likelihood of a breach.
- The average ransomware payment skyrocketed 518 percent in 2021 to $570,000. (GRC World Forums)
- Malware increased by 358 percent in 2020. (Help Net Security)
- Ransomware attacks rose by 435 percent in 2020 compared to 2019. (Help Net Security)
- More than 300,000 Android users have downloaded banking trojan apps via the Google Play Store. (ThreatFabric)
- In 2018, an average of 10,573 malicious mobile apps were blocked per day. (Symantec)
- Around 26 percent of all web traffic is bad bot traffic. (Imperva)
- Microsoft Office documents are the most manipulated target, with attacks rising by 112 percent. (Help Net Security)
- 94 percent of malware is delivered by email. (Verizon)
- The average cost of a ransomware recovery is nearly $2 million. (Sophos)
- Only eight percent of businesses that pay a ransom to hackers receive all of their data in return. (Sophos)
- 48 percent of malicious email attachments are Microsoft Office files. (Symantec)
- About 60 percent of malicious domains are associated with spam campaigns. (Cisco)
- On average, a company falls victim to a ransomware attack every 11 seconds. (Cybersecurity Ventures)
- About 20 percent of malicious domains are new and used around one week after they are registered. (Cisco)
It's one of the many unpleasant realities of the constant battle to protect the enterprise: the more you invest in the physical and technology perimeters, the more vulnerable the human perimeter becomes. The more effective you are at keeping intruders out of your networks, the more likely they are to focus on your employees instead.
By the end of this decade, untrained employees will still be the sleeping sentries that turn corporate security into Swiss cheese. If you don't back up your investment in security technology with an equal (and relentless) commitment to training, your employees will do more harm to your reputation than a horde of hackers. As famed hacker Kevin Mitnick observed, "You can have the best technology, firewalls, intrusion-detection systems, biometric devices. All it takes is a call to an unsuspecting employee, and that's all she wrote, baby. They got everything."
Turning employees into sentries requires a fresh approach to training that does not rely on endless lists of security rules or sporadic warnings from IT. Employees must be shown how their behavior contributes to the vulnerability of their workplace, and that for security to be effective, it must become as second nature as being polite to customers.
Cybercrime just got personal – and it's time employees were educated
The threat that employees pose to a company's information security, whether deliberate or inadvertent, is a scary prospect for an IT director or CIO. By and large, this threat is one of the hardest to mitigate, with few solutions beyond cyber education for employees and monitoring online behaviour for signs of malicious activity.
- 57 percent of organizations see weekly or daily phishing attempts. (GreatHorn)
- After declining in 2019, phishing increased in 2020 to account for one in every 4,200 emails. (Symantec)
- 65 percent of cybercriminal groups used spear-phishing as the primary infection vector. (Symantec)
- Phishing attacks account for more than 80 percent of reported security incidents. (CSO Online)
- $17,700 is lost every minute due to phishing attacks. (CSO Online)
- By 2023, the total number of DDoS attacks worldwide will reach 15.4 million. (Cisco)
- Attacks on IoT devices tripled in the first half of 2019. (CSO Online)
- Malicious PowerShell scripts blocked on the endpoint increased 1,000 percent in 2018. (Symantec)
- The Mirai DDoS worm was the third most common IoT threat in 2018. (Symantec)
- 30 percent of data breaches involve internal actors. (Verizon)
- IoT devices experience an average of 5,200 attacks per month. (Symantec)
- 90 percent of remote code execution attacks are associated with cryptomining. (Purplesec)
- 69 percent of organizations believe their antivirus software is useless against current cyber threats. (Ponemon Institute)
- One in 36 mobile devices has high-risk apps installed. (Symantec)
- An estimated 16.6 million people, representing 7 percent of all persons age 16 or older in the United States, experienced at least one incident of identity theft. (U.S. Department of Justice, Bureau of Justice Statistics)
- 66 percent of companies say that compliance mandates are driving spending. (CSO Online)
- 78 percent of companies expect annual increases in regulatory compliance requirements. (Thomson Reuters)
- For large firms, the cost of compliance can approach $10,000 per employee. (Competitive Enterprise Institute)
- In 2018, businesses spent an average of $1.3 million to meet compliance requirements and were expected to spend an additional $1.8 million. (IAPP)
- On average, every employee has access to 11 million files. (Varonis)
- 15 percent of companies found 1,000,000+ files open to every employee. (Varonis)
- 17 percent of all sensitive files are accessible to all employees. (Varonis)
- About 60 percent of companies have more than 500 accounts with non-expiring passwords. (Varonis)
- More than 77 percent of organizations do not have an incident response plan. (Cybint)
- Spain issued 212 GDPR fines in 2021 and has issued 3x more fines than any other country. (Lexology)
- GDPR fines totaled $1.2 billion in 2021. (CNBC)
- Companies reportedly spent $9 billion on preparing for the GDPR and, in 2018, legal advice and teams cost UK FTSE 350 companies about 40 percent of their GDPR budget, or $2.4 million. (Forbes)
- 88 percent of companies spent more than $1 million preparing for the GDPR. (IT Governance)
- In the GDPR's first year, there were 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. (EDPB)
- 1,000 news sources blocked EU readers to avoid the GDPR compliance rules. (Nieman Lab)
- GDPR fines totaled $63 million in the first year. (GDPR.eu)
- Google was fined $57 million (EUR 50 million) for GDPR violations by CNIL, the French data protection agency. (TechCrunch)
- Since the GDPR was enacted, 31 percent of consumers feel their overall experience with companies has improved. (Marketing Week)
- By 2019, only 59 percent of companies believed they were GDPR compliant. (ZDNet)
- 70 percent of companies agree that the systems they put in place will not scale as new GDPR regulations emerge. (DataGrail)
- Cybercrime's total damages make its economic impact larger than the GDP of all but two countries: the U.S. and China. (Cybersecurity Ventures)
- Cyber insurance prices rose 96 percent in Q3 2021, marking a 204 percent year-over-year increase. (Marsh)
- When remote work is a factor in causing a data breach, the average cost per breach is $1.07 million higher. (IBM)
- Artificial intelligence provides the most concrete cost mitigation in data breaches, saving organizations up to $3.81 million per breach. (IBM)
- Organizations with a zero-trust approach saw average breach costs $1.76 million less than organizations without. (IBM)
- Security services accounted for an estimated 50 percent of cybersecurity budgets in 2020. (Gartner)
- The average cost of a malware attack on a company is $2.6 million. (Accenture)
- A data breach can cost a company an average of $1.59 million in lost business. (IBM)
- The healthcare industry incurs the highest average data breach costs at $7.13 million. (IBM)
- The total cost of cybercrime for each company increased by 12 percent, from $11.7 million in 2017 to $13.0 million in 2018. (Accenture)
- The average annual security spending per employee increased from $2,337 in 2019 to $2,691 in 2020. (Deloitte)
- The most expensive component of a cyberattack is information loss, averaging $5.9 million. (Accenture)
- The average cost per lost or stolen record for an individual is $146. (IBM)
- The average total cost of a data breach in smaller companies (500 employees or fewer) decreased from $2.74 million in 2019 to $2.35 million in 2020. (IBM)
- The average total cost of a breach in very large companies (more than 25,000 employees) decreased from $5.11 million in 2019 to $4.25 million in 2020. (IBM)
- Half of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43 percent spending $250,000 to $999,999 and just 7 percent spending under $250,000. (Cisco)
- From 2019 to 2020, Scandinavia saw the largest increase in total cost of data breaches at 12 percent, while South Africa saw the largest decrease at 7.4 percent. (IBM)
- The United States has the highest data breach costs in the world, at $8.64 million on average, followed by the Middle East at $6.52 million. (IBM)
- In 2019, spending in the cybersecurity industry reached around $40.8 billion USD. (Statista)
- Worldwide cybercrime costs will hit $10.5 trillion annually by 2025. (Cybersecurity Ventures)
- More than 70 percent of security executives believe that their fiscal budgets will decrease in the aftermath of COVID-19. (McKinsey)
- There are 1,053,468 employees working in cybersecurity in the U.S. as of February 2022. (CyberSeek)
- Also as of February 2022, there are nearly 600,000 job openings in the cybersecurity industry, meaning there are only about 68 available workers for every 100 open positions. (CyberSeek)
- Washington, D.C. has the highest concentration of cybersecurity professionals, at more than 8x the national average. (CyberSeek)
- More open roles exist for systems security analysts than for any other cybersecurity profession. (CyberSeek)
- 59 percent of cybersecurity professionals feel the demands of their job keep them from keeping up with cybersecurity skills. (ISSA & ESG)
- More than half of cybersecurity professionals believe that a minimum of three years in the industry is required for proficiency. (ISSA & ESG)
- More than two-thirds of cybersecurity professionals struggle to define their career paths. (ISSA & ESG)
- 76 percent of cybersecurity professionals consider recruiting and hiring new employees difficult. (ISSA & ESG)
- 70 percent of cybersecurity professionals say their organization is impacted by the cybersecurity skills shortage. (ISSA & ESG)
- Six in 10 security operations center professionals think only half their cybersecurity applicants are qualified. (Cyberbit)
- Since 2016, the demand for data protection officers has skyrocketed more than 700 percent because of the GDPR. (Reuters)
- There was a 350 percent growth in open cybersecurity positions from 2013 to 2021. (Cybercrime Magazine)
- 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill. (CSO Online)
- Cybersecurity engineers hold some of the highest-paid positions in the industry, starting at $140K annually on average. (Cybint)
- The cybersecurity unemployment rate is near zero percent and is projected to remain there for the foreseeable future. (Cybersecurity Ventures)
- By 2025, there will be 3.5 million unfilled cybersecurity jobs globally, approximately the same as in 2021. (Cybersecurity Ventures)
- Information security analyst positions in the U.S. are expected to grow 31 percent between 2019 and 2029. (Bureau of Labor Statistics)
- Computer network architect positions in the U.S. are expected to grow five percent between 2019 and 2029. (Bureau of Labor Statistics)
- Computer programmer positions in the U.S. are expected to decline nine percent between 2019 and 2029. (Bureau of Labor Statistics)
- The WannaCry ransomware attack cost the U.K.'s National Health Service (NHS) more than $100 million. (Datto)
- The healthcare industry lost an estimated $21 billion to ransomware attacks in 2020. (Comparitech)
- More than 93 percent of healthcare organizations experienced a data breach from 2017 to 2020. (Herjavec Group)
- There were 712 healthcare data breaches in 2021, exceeding 2020 by 11 percent. (HIPAA Journal)
- The total value of cryptocurrency ransoms increased almost 80,000 percent from 2013 to 2020. (World Economic Forum)
- Financial services organizations have 449,855 exposed sensitive files, 36,004 of which are open to everyone in the organization; this is the highest of any industry compared. (Varonis)
- On average, 70 percent of sensitive files in the financial services industry are stale. (Varonis)
- On average, a financial services employee has access to nearly 11 million files the day they walk in the door. In large organizations, employees have access to 20 million files. (Varonis)
- Financial services businesses take an average of 233 days to detect and contain a data breach. (Varonis)
- The average cost of a financial services data breach is $5.85 million. (IBM)
- Financial breaches account for 10 percent of all attacks. (Verizon)
- The financial services industry incurred the most cybercrime costs in 2018, at $18.3 million. (Accenture)
- The Ramnit trojan largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
- Manufacturing companies account for nearly a quarter of all ransomware attacks, followed by professional services with 17 percent and government organizations with 13 percent. (Security Intelligence)
- 58 percent of nation-state cyberattacks originate from Russia. (Microsoft)
- 79 percent of nation-state attackers target government agencies, non-governmental organizations (NGOs), and think tanks. (Microsoft)
- Smaller organizations (one to 250 employees) have the highest targeted malicious email rate, at one in 323. (Symantec)
- Lifestyle (15 percent) and entertainment (seven percent) are the most frequently seen categories of malicious apps. (Symantec)
- Supply chain attacks were up more than 100 percent year-over-year in 2021. (Symantec)
- Remote work and lockdowns are driving a 50 percent increase in worldwide internet traffic, leading to new cybercrime opportunities. (World Bank)
- There were nearly 800,000 complaints of cybercrime in 2020, up 300,000 from 2019. (FBI)
- 27 percent of COVID-19 cyberattacks target banks or healthcare organizations, and COVID-19 is credited for a 238 percent rise in cyberattacks on banks in 2020. (Carbon Black)
- Confirmed data breaches in the healthcare industry increased by 58 percent during the pandemic. (Verizon)
- 33,000 unemployment applicants were exposed in a data security breach of the Pandemic Unemployment Assistance program in May 2020. (NBC)
- Americans lost more than $97.39 million to COVID-19 and stimulus check scams. (Atlas VPN)
- In the first month of the pandemic, Google blocked 18 million daily malware and phishing emails related to the coronavirus. (Google)
- 52 percent of legal and compliance leaders are concerned about third-party cyber risks due to remote work since COVID-19. (Gartner)
- 47 percent of employees cited distraction as the reason for falling for a phishing scam while working from home. (Tessian)
- 81 percent of cybersecurity professionals report that their job function changed during the pandemic. (ISC2)
- Half a million Zoom user accounts were compromised and sold on a dark web forum during the first month of the pandemic. (CPO Magazine)
- Remote workers have caused a security breach in 20 percent of organizations during the pandemic. (Malwarebytes)
List compiled by Rob Sobers, a software engineer specializing in web security and co-author of the book Learn Ruby the Hard Way, for the Inside Out Security blog.