Costly Oversights

Board Responsibility & Liability

Given new governmental regulations, many Boards of Directors now take a very active interest in cybersecurity. They want to know about current and evolving risks, as well as the organization’s security preparedness and response plans. The financial impact of a cyberattack can be significant and can include costly class-action lawsuits, which may reflect on Boards’ fiduciary responsibility to preserve corporate financial value.

  1. 95 percent of cybersecurity breaches are caused by human error. (World Economic Forum)
  2. The worldwide information security market is forecast to reach $366.1 billion in 2028. (Fortune Business Insights)
  3. The U.S. was the target of 46 percent of cyberattacks in 2020, more than double any other country. (Microsoft)
  4. 68 percent of business leaders feel their cybersecurity risks are increasing. (Accenture)
  5. On average, only five percent of companies’ folders are properly protected. (Varonis)
  6. 54 percent of companies say their IT departments are not sophisticated enough to handle advanced cyberattacks. (Sophos)
  7. Cyber fatigue, or apathy to proactively defending against cyberattacks, affects as much as 42 percent of companies. (Cisco)
  8. 43 percent of all breaches are insider threats, either intentional or unintentional. (Check Point)
  9. Data breaches exposed 22 billion records in 2021. (RiskBased Security)
  10. Approximately 70 percent of breaches in 2021 were financially motivated, while less than five percent were motivated by espionage. (Verizon)
  11. In 2021, nearly 40 percent of breaches featured phishing, around 11 percent involved malware, and about 22 percent involved hacking. (Verizon)
  12. There were 1,862 recorded data breaches in 2021, surpassing the 2017 record of 1,506 breaches. (CNET)
  13. The top malicious email attachment types are .doc and .dot which make up 37 percent; the next highest is .exe at 19.5 percent. (Symantec)
  14. An estimated 300 billion passwords are used by humans and machines worldwide. (Cybersecurity Media)
  15. Around 40 percent of the world’s population is offline, making them vulnerable targets for cyberattacks if and when they do connect. (Data Reportal)

Employees may be a company’s biggest cybersecurity risk

People are part of the problem when it comes to information security, so they need to be part of the solution. According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as a vulnerability.

  1. The average cost of a data breach was $4.24 million in 2021, the highest average on record. IBM)
  2. The average time to identify a breach in 2021 was 212 days. (IBM)
  3. The average lifecycle of a breach in 2021 was 286 days from identification to containment. (IBM)
  4. The likelihood that a cybercrime entity is detected and prosecuted in the U.S. is estimated at around 0.05 percent. (World Economic Forum)
  5. Personal data was involved in 45 percent of breaches in 2021. (Verizon)
  6. Identity theft rose 42 percent in 2020 compared to the year before. (Insurance Information Institute)
  7. Security breaches have increased by 11 percent since 2018 and 67 percent since 2014. (Accenture)
  8. 64 percent of Americans have never checked to see if they were affected by a data breach. (Varonis)
  9. 56 percent of Americans don’t know what steps to take in the event of a data breach. (Varonis)

Cybersecurity Training

People are part of the problem when it comes to information security, so they need to be part of the solution. According to Deloitte, over 70% of companies surveyed in a recent study rated lack of employee security awareness as a vulnerability.

  1. A 2021 LinkedIn data breach exposed the personal information of 700 million users or about 93 percent of all LinkedIn members. (RestorePrivacy)
  2. An attack on Microsoft in March 2021 affected more than 30,000 organizations in the U.S., including businesses and government agencies. (Microsoft)
  3. In April 2021, a two-year-old vulnerability was discovered that exposed the personal information of more than 533 million users. (Auth0)
  4. Using a single password, hackers infiltrated the Colonial Pipeline Company in 2021 with a ransomware attack that caused fuel shortages across the U.S. (Bloomberg)
  5. Meat processing company JBS was the victim of a ransomware attack that shut down beef and poultry processing plants on four different continents. (Wall Street Journal)
  6. Nearly 48 million people had their personal information stolen in a 2021 T-Mobile data breach. (T-Mobile)
  7. In September 2021, Neiman Marcus found an 18-month-old data breach that exposed payment data and other information for 4.6 million shoppers. (Neiman Marcus)
  8. Personal data belonging to more than 100 million Android users was exposed in a 2021 data leak due to misconfigured cloud services. (Check Point)
  9. In November 2021, Panasonic announced that business partner data, job candidate information, and information about interns were accessed in a breach. (Tech Crunch)
  10. Trading app Robinhood was victim to a social engineering attack that compromised the personal data of 5 million users. (Robinhood)
  11. A 2020 Twitter breach targeted 130 accounts including those of past U.S. presidents and Tesla CEO Elon Musk, resulting in attackers swindling $121,000 in Bitcoin through nearly 300 transactions. (CNBC)
  12. In 2020, Marriott disclosed a security breach that impacted the data of more than 5.2 million hotel guests. (Marriott)
  13. 500 million consumers, dating back to 2014, had their information compromised in the Marriott-Starwood data breach made public in 2018. (CSO Online
  14. The 2019 MGM data breach resulted in hackers leaking records of 142 million hotel guests. (CPO Magazine)
  15. In 2018, Under Armour reported that its “My Fitness Pal” app was hacked, affecting 150 million users. (Under Armour)
  16. In 2017, 147.9 million consumers were affected by the Equifax Breach. (Equifax)
  17. The Equifax breach cost the company more than $4 billion in total. (Time Magazine)
  18. In 2017, 412 million user accounts were stolen from Friendfinder’s sites. (Wall Street Journal)  
  19. 100,000 groups and more than 400,000 servers in at least 150 countries were infected by the Wannacry virus in 2017, at a total cost of around $4 billion. (Technology Inquirer
  20. In 2016, Uber reported that hackers stole the information of over 57 million riders and drivers. (Uber)
  21. Uber tried to pay off hackers to delete the stolen data of 57 million users and keep the breach quiet. (Bloomberg)
  22. In one of the biggest breaches of all time, three billion Yahoo accounts were hacked in 2013. (New York Times
  23. In 2020, cybercriminals cloned the voice of a U.A.E. company director to initiate a $35 million bank transfer. (Forbes)

Consumer Awareness

There are a number of ways cybercriminals can infiltrate an enterprise, but new research suggests that the biggest weakness to most companies may be the employees themselves. Malicious actors are increasingly utilizing a technique known as social engineering. In an interview with SecurityWeek, vice president and principal analyst for Forrester Research noted that educating workers about the risks associated with online communication can reduce the likelihood of experiencing a breach.

  1. The average ransomware payment skyrocketed 518 percent in 2021 to $570,000. (GRC World Forums)
  2. Malware increased by 358 percent in 2020. (Help Net Security)
  3. Ransomware attacks rose by 435 percent in 2020 compared to 2019. (Help Net Security)
  4. More than 300,000 Android users have downloaded banking trojan apps via the Google Play Store. (Threat Fabric)
  5. In 2018, an average of 10,573 malicious mobile apps were blocked per day. (Symantec)
  6. Around 26 percent of all web traffic is bad bot traffic. (Imperva)
  7. Microsoft Office documents are the most manipulated target, with attacks rising by 112 percent. (Help Net Security)
  8.  94 percent of malware is delivered by email. (Verizon)
  9. The average cost of a ransomware recovery is nearly $2 million. (Sophos)
  10. Only eight percent of businesses that pay ransom to hackers receive all of their data in return. (Sophos)
  11. 48 percent of malicious email attachments are Microsoft Office files. (Symantec)
  12. About 60 percent of malicious domains are associated with spam campaigns. (Cisco
  13. On average, a company falls victim to a ransomware attack every 11 seconds. (Cybersecurity Ventures)
  14. About 20 percent of malicious domains are new and used around one week after they are registered. (Cisco)

Employees: Your best defense, or your greatest vulnerability

It's one of the many unpleasant realities of the constant battle to protect the enterprise. The more you invest in the physical and technology perimeters, the more vulnerable the human perimeter becomes. The more effective you are at keeping intruders out of your networks, the more likely they are to focus on your employees instead. And... by the end of this decade, untrained employees will continue to be the sleeping sentries that turn corporate security into Swiss cheese. If you don't back up your investment in security technology with an equal (and relentless) commitment to training, your employees will do more harm to your reputation than a horde of hackers. As famed hacker Kevin Mitnik observed recently, "You can have the best technology, firewalls, intrusion-detection systems, biometric devices. All it takes is a call to an unsuspecting employee, and that's all she wrote, baby. They got everything." Turning employees into sentries requires a fresh approach to training that does not rely on endless lists of security rules, or sporadic warnings from IT. Employees must be shown how their behavior can contribute to the vulnerability of their workplace, and that for security to be effective, it must become as second nature as being polite to customers.

Cybercrime just got personal – and it's time employees were educated

The threat that employees bring to a company’s information security is a scary prospect to an IT director or CIO, whether it be deliberate or inadvertent. By and large, this threat is one of the hardest to mitigate with few solutions beyond cyber education for employees and monitoring online behaviour for signals of malicious activity.

  1. 57 percent of organizations see weekly or daily phishing attempts. (GreatHorn)
  2. After declining in 2019, phishing increased in 2020 to account for one in every 4,200 emails. (Symantec
  3. 65 percent of cybercriminal groups used spear-phishing as the primary infection vector. (Symantec)
  4. Phishing attacks account for more than 80 percent of reported security incidents. (CSO Online)
  5. $17,700 is lost every minute due to a phishing attack. (CSO Online)

Software Piracy Convictions on the Rise

Most software piracy cases are brought to the courts by the BSA, a leading advocate for the global software industry. Statutory damages can be as much as $150,000 for each program copied. In addition, the government can criminally prosecute you for copyright infringement. If convicted, you can be fined up to $250,000, sentenced to jail for up to five years, or both..

  1. By 2023, the total number of DDoS attacks worldwide will be 15.4 million. (Cisco)
  2. Attacks on IoT devices tripled in the first half of 2019. (CSO Online)
  3. Malicious PowerShell scripts blocked in 2018 on the endpoint increased 1,000 percent. (Symantec
  4. The Mirai-distributed DDoS worm was the third most common IoT threat in 2018. (Symantec
  5. 30 percent of data breaches involve internal actors. (Verizon
  6. IoT devices experience an average of 5,200 attacks per month. (Symantec
  7. 90 percent of remote code execution attacks are associated with cryptomining. (Purplesec)
  8. 69 percent of organizations believe their antivirus software is useless against current cyber threats. (Ponemon Institute)
  9. One in 36 mobile devices has high-risk apps installed. (Symantec

An estimated 16.6 million people, representing 7 percent of all persons age 16 or older in the United States, experienced at least one incident of identity theft.

Department’s Bureau of Justice Statistics

Vulnerability of Private Personal Information

  1. 66 percent of companies say that compliance mandates are driving spending. (CSO Online)
  2. 78 percent of companies expect annual increases in regulatory compliance requirements. (Thomson Reuters)
  3. For large firms, the cost of compliance can approach $10,000 per employee. (Competitive Enterprise Institute)
  4. In 2018, businesses spent an average of $1.3 million to meet compliance requirements and were expected to spend an additional $1.8 million. (IAAP)
  5. On average, every employee has access to 11 million files. (Varonis)
  6. 15 percent of companies found 1,000,000+ files open to every employee. (Varonis)
  7. 17 percent of all sensitive files are accessible to all employees. (Varonis)
  8. About 60 percent of companies have more than 500 accounts with non-expiring passwords. (Varonis)
  9. More than 77 percent of organizations do not have an incident response plan. (Cybint)

Medical Issues Arising from Computer Usages

Computer related injury (CRI) is a cluster of work-related symptoms in computer users such as Repetitive Strain Injury (RSI), Work Related Upper Limb Disorder (WRULD), Musculoskeletal Disorder (MSD), fatigue, migraine headaches and eye strain. These ailments have increased significantly and special precautions need to be taken.

  1. Spain issued 212 GDPR fines in 2021 and has issued 3x more fines than any other country. (Lexology)
  2. GDPR fines totaled $1.2 billion in 2021. (CNBC)
  3. Companies reportedly spent $9 billion on preparing for the GDPR and, in 2018, legal advice and teams cost UK FTSE 350 companies about 40 percent of their GDPR budget, or $2.4 million. (Forbes)
  4. 88 percent of companies spent more than $1 million preparing for the GDPR. (IT Governance)
  5. In the GDPR’s first year, there were 144,000 complaints filed with various GDPR enforcement agencies and 89,000 data breaches recorded. (EDPB
  6. 1,000 news sources blocked EU readers to avoid the GDPR compliance rules. (Nieman Lab
  7. GDPR fines totaled $63 million in the first year. (GDPR.eu
  8. Google was fined $57 billion for GDPR violations by CNIL, a French data protection agency. (TechCrunch)
  9. Since the GDPR was enacted, 31 percent of consumers feel their overall experience with companies has improved. (Marketing Week
  10. By 2019, only 59 percent of companies believed they were GDPR compliant. (ZDNet)
  11. 70 percent of companies agree that the systems they put in place will not scale as new GDPR regulations emerge. (DataGrail)
  12. Cybercrime’s total damages make its economic impact larger than the GDP of all but two countries: the U.S. and China. (Cybersecurity Ventures)
  13. Cyber insurance prices rose 96 percent in Q3 2021, marking a 204 percent year-over-year increase. (Marsh)
  14. When remote work is a factor in causing a data breach, the average cost per breach is $1.07 million higher. (IBM)
  15. Artificial intelligence provides the most concrete cost mitigation in data breaches, saving organizations up to $3.81 million per breach. (IBM)
  16. Organizations with a zero-trust approach saw average breach costs $1.76 million less than organizations without.
  17. Security services accounted for an estimated 50 percent of cybersecurity budgets in 2020. (Gartner)
  18. The average cost of a malware attack on a company is $2.6 million. (Accenture)
  19. A data breach can cost a company an average of $1.59 million in lost business. (IBM)
  20. The healthcare industry incurs the highest average data breach costs at $7.13 million. (IBM)
  21. The total cost of cybercrime for each company increased by 12 percent from $11.7 million in 2017 to $13.0 million in 2018. (Accenture)
  22. The average annual security spending per employee increased from $2,337 in 2019 to $2,691 in 2020. (Deloitte)
  23. The most expensive component of a cyberattack is information loss, averaging $5.9 million. (Accenture)
  24. The average cost per lost or stolen record for an individual is $146. (IBM)
  25. The average total cost of a data breach in smaller companies (500 employees or less) decreased from $2.74 million in 2019 to $2.35 million in 2020. (IBM)
  26. The average total cost of a breach in very large companies (more than 25,000 employees) decreased from $5.11 million in 2019 to $4.25 million in 2020. (IBM)
  27. Half of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43 percent spending $250,000 to $999,999 and just 7 percent spending under $250,000. (Cisco)
  28. From 2019 to 2020, Scandinavia saw the largest increase in total cost of data breaches at 12 percent, while South Africa saw the largest decrease at 7.4 percent. (IBM)
  29. The United States has the highest data breach costs in the world, at $8.64 million on average, followed by the Middle East at $6.52 million. (IBM)
  30. In 2019, spending in the cybersecurity industry reached around $40.8 billion USD. (Statista)
  31. Worldwide cybercrime costs will hit $10.5 trillion annually by 2025. (Cybersecurity Ventures)
  32. More than 70 percent of security executives believe that their fiscal budgets will decrease in the aftermath of COVID-19. (Mckinsey
  33. There are 1,053,468 employees working in cybersecurity in the U.S. as of February 2022. (Cyber Seek)
  34. Also as of February 2022, there are nearly 600,000 job openings in the cybersecurity industry, meaning only 68 percent of open jobs are filled. (Cyber Seek)
  35. Washington, D.C. has the highest concentration of cybersecurity professionals at more than 8x the national average. (Cyber Seek)
  36. More open roles exist for systems security analysts than any other cybersecurity profession. (Cyber Seek)
  37. 59 percent of cybersecurity professionals feel the demands of their job limit them from keeping up with cybersecurity skills. (ISSA & ESG)
  38. More than half of cybersecurity professionals believe that a minimum of three years in the industry is required for proficiency. (ISSA & ESG)
  39. More than two-thirds of cybersecurity professionals struggle to define their career paths. (ISSA & ESG)
  40. 76 percent of cybersecurity professionals consider recruiting and hiring new employees difficult. (ISSA & ESG)
  41. 70 percent of cybersecurity professionals claim their organization is impacted by the cybersecurity skills shortage. (ISSA & ESG)
  42. Six in 10 security operations center professionals think only half their cybersecurity applicants are qualified. (Cyberbit
  43. Since 2016, the demand for data protection officers has skyrocketed more than 700 percent because of the GDPR. (Reuters)
  44. There was a 350 percent growth in open cybersecurity positions from 2013 to 2021. (Cybercrime Magazine)
  45. 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill. (CSO Online)
  46. Cybersecurity engineers are some of the highest-paid positions in the industry, starting at $140K annually on average. (Cybint)
  47. The cybersecurity unemployment rate is near zero percent and is projected to remain there for the foreseeable future. (Cybersecurity Ventures)
  48. By 2025, there will be 3.5 million unfilled cybersecurity jobs globally — approximately the same as in 2021. (Cybersecurity Ventures)
  49. Information security analyst job positions in the U.S. are expected to grow 31 percent between 2019 and 2029. (Bureau of Labor Statistics)
  50. Computer network architect job positions in the U.S. are expected to grow five percent between 2019 and 2029. (Bureau of Labor Statistics)
  51. Computer programmer job positions in the U.S. are expected to decline nine percent between 2019 and 2029. (Bureau of Labor Statistics)
  52. The WannaCry ransomware attack cost the U.K.’s National Health Service (NHS) more than $100 million. (Datto)
  53. The healthcare industry lost an estimated $21 billion to ransomware attacks in 2020. (Comparitech)
  54. More than 93 percent of healthcare organizations experienced a data breach from 2017 to 2020. (Herjavec Group)
  55. There were 712 healthcare data breaches in 2021, exceeding 2020 by 11 percent. (HIPAA Journal)
  56. The total value of cryptocurrency ransoms increased almost 80,000 percent from 2013 to 2020. (World Economic Forum)
  57. Financial services have 449,855 exposed sensitive files, 36,004 of which are open to everyone in the organization. This is the highest when comparing industries. (Varonis)
  58. On average, 70 percent of sensitive files in the financial services industry are stale. (Varonis)
  59. On average, a financial services employee has access to nearly 11 million files the day they walk in the door. For large organizations, employees have access to 20 million files. (Varonis)
  60. Financial services businesses take an average of 233 days to detect and contain a data breach. (Varonis)
  61. The average cost of a financial services data breach is $5.85 million. (IBM)
  62. Financial breaches account for 10 percent of all attacks. (Verizon)
  63. The financial services industry incurred the most cybercrime costs in 2018 at $18.3 million. (Accenture)
  64. Trojan horse virus Ramnit largely affected the financial sector in 2017, accounting for 53 percent of attacks. (Cisco)
  65. Manufacturing companies account for nearly a quarter of all ransomware attacks, followed by professional services with 17 percent of attacks and government organizations with 13 percent of attacks. (Security Intelligence)
  66. 58 percent of nation-state cyberattacks originate from Russia. (Microsoft)
  67. 79 percent of nation-state attackers target government agencies, non-government organizations (NGOs), and think tanks. (Microsoft)
  68. Smaller organizations (one to 250 employees) have the highest targeted malicious email rate at one in 323. (Symantec)
  69. Lifestyle (15 percent) and entertainment (seven percent) are the most frequently-seen categories of malicious apps. (Symantec
  70. Supply chain attacks were up more than 100 percent year-over-year in 2021. (Symantec)
  71. Remote work and lockdowns are driving a 50 percent increase in worldwide internet traffic, leading to new cybercrime opportunities. (World Bank)
  72. There were nearly 800,000 complaints of cybercrime in 2020, up 300,000 from 2019. (FBI)
  73. 27 percent of COVID-19 cyberattacks target banks or healthcare organizations and COVID-19 is credited for a 238 percent rise in cyberattacks on banks in 2020. (Carbon Black)
  74. Confirmed data breaches in the healthcare industry increased by 58 percent during the pandemic. (Verizon)
  75. 33,000 unemployment applicants were exposed to a data security breach from the Pandemic Unemployment Assistance program in May. (NBC)
  76. Americans lost more than $97.39 million to COVID-19 and stimulus check scams. (Atlas VPN)
  77. In the first month of the pandemic, Google blocked 18 million daily malware and phishing emails related to the coronavirus. (Google)
  78. 52 percent of legal and compliance leaders are concerned about third-party cyber risks due to remote work since COVID-19. (Gartner)
  79. 47 percent of employees cited distraction as the reason for falling for a phishing scam while working from home. (Tessian)
  80. 81 percent of cybersecurity professionals report that their job function changed during the pandemic. (ISC)
  81. Half a million Zoom user accounts were compromised and sold on a dark web forum during the first month of the pandemic. (CPO Magazine)
  82. Remote workers have caused a security breach in 20 percent of organizations during the pandemic. (Malwarebytes)

List compiled by Rob Sorbers who is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way. Inside Out Security.