Alarming Cyber Statistics For Mid-Year 2022 That You Need To Know – Forbes


A couple of times per year, I take a deep dive on writing about the newly reported cybersecurity statistics and trends that are impacting the digital landscape. Unfortunately, despite global efforts, every subsequent year the numbers get worse and show that we are far from being able to mitigate and contain the numerous cyber-threats targeting both industry and government.

Below is a synopsis, with links, of some of the recent cyber developments and threats that CISOs need to keep a close watch on (and that you need to know) for the remaining part of 2022 and beyond.

While many of the statistics seem dire, there are some positive aspects on the trends side, as the cybersecurity community has been taking several initiatives to create both cyber awareness and action. And for those attending the 2022 RSA Conference in San Francisco, hopefully the backdrop of the following statistics and trends from mid-year 2022 can also be useful to analyze and match with product and services roadmaps for cybersecurity.


Despite another record year of breaches, including SolarWinds, Colonial Pipeline and others, half of U.S. businesses still have not put a cybersecurity risk plan in place. The list of the 50 Biggest Data Breaches 2004-2021 below is illustrative of the problem of protecting data in both industry and government.

The 50 Biggest Data Breaches (2004-2021) (visualcapitalist.com)


Cybercriminals can penetrate 93 percent of company networks

Link: Cybercriminals can penetrate 93 percent of company networks (betanews.com)

In 93 percent of cases, an external attacker can breach an organization's network perimeter and gain access to local network resources.

This is among the findings of a new study of pen testing projects from Positive Technologies, conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors.

An attacker's path from external networks to target systems begins with breaching the network perimeter. According to the research, on average, it takes two days to penetrate a company's internal network. Credential compromise is the main route in (71 percent of companies), primarily because of simple passwords being used, including for accounts used for system administration.

Many security executives say they're unprepared for the threats that lie ahead

Link: Many security executives say they're unprepared for the threats that lie ahead | TechRepublic

As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Though companies have responded by upping their security budgets and adopting more advanced defenses, keeping up with the threats that will surface over the next few years will be a challenge.

For its report titled Cybersecurity Solutions for a Riskier World, ThoughtLab studied the security practices and performance of 1,200 companies in 13 industries and the public sector across 16 countries.

In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by ThoughtLab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. The main causes of these attacks will come from misconfigurations, human error, poor maintenance, and unknown assets.

Despite the increased efforts to combat security threats, many of those interviewed by ThoughtLab see several reasons for alarm. A full 44% of the executives surveyed said that their growing use of partners and suppliers exposes them to significant security risks. Some 30% said their budgets aren't sufficient to ensure proper cybersecurity, while several pointed out that the criminals are better funded. A quarter of all the respondents said the convergence of digital and physical systems, such as Internet of Things devices, has increased their security risks.

Further, 41% of the executives don't think their security initiatives have kept up with digital transformation. More than a quarter said that new technologies are their biggest security concern. And just under a quarter cited a shortage of skilled workers as their largest cybersecurity challenge.

2022 Study: 50% Of SMBs Have A Cybersecurity Plan In Place

Link: 2022 Study: 50% of SMBs Have a Cybersecurity Plan in Place | UpCity

UpCity, a small business intelligence firm that has matched over 2 million businesses to providers they can trust since its inception in 2009, surveyed 600 business owners and IT professionals on their 2022 cybersecurity plans, priorities, and budgets. Findings include:

Only 50% of U.S. businesses have a cybersecurity plan in place

Of those, 32% haven't changed their cybersecurity plan since the pandemic forced remote and hybrid operations

The most common causes of cyber-attacks are malware (22%) and phishing (20%)

Cybercrime cost U.S. businesses more than $6.9 billion in 2021, and only 43% of businesses feel financially prepared to face a cyber-attack in 2022

Software supply chain attacks hit three out of five companies in 2021

Link: Software supply chain attacks hit three out of five companies in 2021 | CSO Online

Survey finds significant jump in software supply chain attacks after Log4j was exposed.

More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.

82 percent of CIOs believe their software supply chains are vulnerable

Link: 82 percent of CIOs believe their software supply chains are vulnerable (betanews.com)

A new global study of 1,000 CIOs finds that 82 percent say their organizations are vulnerable to cyberattacks targeting software supply chains.

The research from machine identity specialist Venafi suggests the shift to cloud native development, along with the increased speed brought about by the adoption of DevOps processes, has made the challenges connected with securing software supply chains infinitely more complex.

The increase in the number and sophistication of supply chain attacks, like SolarWinds and Kaseya, over the last 12 months has brought this issue into sharp focus, gaining the attention of CEOs and boards.

Report: Increase in socially engineered, sophisticated cybersecurity attacks plagues organizations

A new report that showed a sharp increase in cybersecurity attacks in 2021 urged organizations to consider when, not if, they too will be under attack. Attacks are becoming more sophisticated and socially engineered, making them harder to detect.

Link: Report: Increase in socially engineered, sophisticated cybersecurity attacks plagues organizations - MedCity News

A new cybersecurity report from San Francisco-based Abnormal Security found that medical industries and insurance companies had a 45-60% chance of being the target of a phone fraud attack via email: a sophisticated scam where the scammer sends an email to the target, asking the target to call them. In the second half of 2021, those attacks increased by 10 percent.

Additionally, healthcare systems are seeing a rise in more legitimate-looking yet problematic business email compromise (BEC) attacks. This occurs when the scammer accesses the target's business email and impersonates the target, and then uses that identity to create rapport with victims and get them to pay money.

Businesses Suffered 50% More Cyberattack Attempts per Week in 2021

Link: Businesses Suffered 50% More Cyberattack Attempts per Week in 2021 (darkreading.com)

Check Point Research on Monday reported that it found 50% more attack attempts per week on corporate networks globally in calendar year 2021 compared with 2020.

The researchers define a cyberattack attempt as a single isolated cyber occurrence that could be at any point in the attack chain: scanning/exploiting vulnerabilities, sending phishing emails, malicious website access, malicious file downloads (from Web/email), second-stage downloads, and command-and-control communications. All of the attack attempts Check Point cites in the research were detected and stopped by its team.

Cyber-attacks per organization by Industry in 2021

The education/research sector sustained the most attacks in 2021, followed by government/military and communications.

Social engineering and phishing are easy means to corporate jewels that can include sensitive and proprietary emails, and business email compromise is a favorite target of hackers.

$43 billion stolen through Business Email Compromise since 2016, reports FBI

Link: $43 billion stolen through Business Email Compromise since 2016 (tripwire.com)

Over US $43 billion has been lost through Business Email Compromise attacks since 2016, according to data released this week by the FBI.

The FBI's Internet Crime Complaint Center (IC3) issued a public service announcement on May 4, 2022, sharing updated statistics on Business Email Compromise (BEC) attacks, which use a variety of social engineering and phishing techniques to break into accounts and trick companies into transferring large amounts of money into the hands of criminals.

The report looked at 241,206 incidents reported to law enforcement and banking institutions between June 2016 and December 2021 and says that the combined domestic and international losses incurred amounted to US $43.31 billion.

Worryingly, there has been a 65% increase recorded in identified global losses between July 2019 and December 2021.

And how to better protect:

The FBI offers a number of tips to companies wishing to better protect themselves from Business Email Compromise attacks:


What Should Businesses Do to Mitigate Cyber-Threats?

The aforementioned links highlight many serious vulnerabilities that industry experts have attested to. But the C-Suite does not have to remain idle in response to those threats and stats. My suggestion for all businesses, especially small and medium ones, which are often at risk of being put out of business by a cyber-attack, is to seriously look at cyber-risk and plan accordingly as part of a corporate operational strategy. NIST and MITRE offer great resources for cyber-risk management planning and are continually updated. Also, some potential actions to take are excerpted from my recent article in Homeland Security Today, A Cybersecurity Risk Management Strategy for the C-Suite.


A Cybersecurity Risk Management Strategy for the C-Suite.

Link: A Cybersecurity Risk Management Strategy for the C-Suite - HS Today

Create a corporate risk management strategy and vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity.

Risk management strategies should include people, processes, and technologies. This includes protecting and backing up business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel and detection, firewalls, etc.) and policies. That risk management approach must include knowing your inventory and gaps, integrating cybersecurity hygiene practices, and procuring and orchestrating an appropriate cyber-tool stack. It should also include having an incident response plan in place if you do get breached.

Also see my recent article from the Donald Allen Cybersecurity blog (his blog is a great resource and I suggest you subscribe for free!):

The Risk Management Imperative For Cybersecurity

Link: Cybersecurity Risk Management: An Imperative for the Digital Age - The Donald Allen Cybersecurity Blog (dacybersecurity.com)

Because of the new digital cyber risk environment, a security strategy for risk management is imperative.

A security strategy of risk management to meet these growing cyber-threat challenges needs to be both comprehensive and adaptive. It involves people, processes, and technologies.

Securing your data is key.

Because of digital transformation and a pandemic that transferred many from working at the office to home, data is at greater risk for a breach.

Securing data necessitates a hyper-security focus. At its core, the practice is one of vigilance and encompasses identifying gaps, assessing vulnerabilities, and mitigating threats. Data security and cyber risk management are an integral part of the overall enterprise risk management (ERM) framework to stay ahead of the threats.

Defined by the most basic elements in informed risk management, cybersecurity is composed of:

Successful cybersecurity will also require the integration of emerging technologies for identity management, authentication, horizon monitoring, malware mitigation, resilience, and forensics. Automation and artificial intelligence are already impacting the capabilities in those areas.

Cybersecurity capabilities in information sharing, hardware, software, encryption, analytics, training, and protocols must keep pace to protect against and preempt the increasingly sophisticated threats in both the public and private sectors.

The Infographic I created below provides a pathway for exploring risk management frameworks:


Infographic: Strategic Paths to Cybersecurity, by Chuck Brooks

The Three Pillars of Cybersecurity Strategy

The growth and sophistication of cyber-attacks over the last couple of years, many of them state-actor sponsored, has caused both government and industry to reevaluate and bolster their risk management strategy approaches to cyber-defense.

There are three strong pillars of risk management that can be integrated into a successful cybersecurity strategy: Security by Design, Defense in Depth, and Zero Trust.

For more details, please see my article in FORBES, Combining Three Pillars Of Cybersecurity.

Link: Combining Three Pillars Of Cybersecurity (forbes.com)

I mentioned that there are some positive cybersecurity trends earlier. One such initiative is a new government focus on a Zero Trust Management strategy. That topic is subject matter for another article.

Please see GovCon Expert Chuck Brooks Authors New Zero Trust White Paper; Anacomp CEO Tom Cunningham Quoted for a quick overview of the benefits and need for Zero Trust in cybersecurity.

Link: GovCon Expert Chuck Brooks Authors New Zero Trust White Paper; Anacomp CEO Tom Cunningham Quoted (executivegov.com)

Ransomware: the Scourge Continues and Is Still Trending as a Preferred Method of Cyber-Attack in 2022

The Colonial Pipeline attack showed how a ransomware attack against an industrial target can have very real consequences for people, as gasoline supplies to much of the north-eastern United States were limited because of the attack.

Ransomware attacks, and ransom payments, are rampant among critical infrastructure organizations

Link: Ransomware attacks, and ransom payments, are rampant among critical infrastructure organizations - Help Net Security

80% of critical infrastructure organizations experienced a ransomware attack in the last year, with an equal number reporting that their security budgets have risen since 2020, a Claroty report reveals.

Ransomware Trends, Statistics and Facts in 2022
