The first year of the COVID-19 pandemic was unprecedented not only in terms of healthcare and economy but also when it comes to cybersecurity. Not even the pandemic could stop or slow down cybercriminal activity.
Several studies have reported significant increases in cyber threats in 2020. Even the World Health Organization took notice of the alarming situation, highlighting the fivefold increase in cyber-attacks while the pandemic had been raging.
The year 2021 is not expected to become a massive improvement over the past year. There will still be a lot of large, unwanted numbers related to cyber attacks. Major attacks similar to the one that hit SolarWinds are expected to continue threatening organizations worldwide.
Here’s a rundown of some of the most alarming cybersecurity statistics that should put security teams on their toes in 2021. On a positive note, though, these dreadful numbers are not impossible to address.
8 out of 10 organizations are unprepared to face cyber attacks
An IDG survey commissioned by Insight reveals that almost 78 percent of senior IT and IT security heads think that their organizations are not adequately protected from cyber attacks. The number is notably high despite the increased spending on IT security by most organizations.
The same survey says that 91 percent of businesses have decided to boost their security budgets, but only 57 percent conducted data security risk assessments. The main reason for the relatively low-security risk assessment efforts is the limitation in IT manpower and resources of organizations, especially as they struggle to survive amid the economy-disrupting pandemic.
The increased spending on security was directed to various approaches with 73 percent saying that they allocated more resources for enhanced threat identification, 70 percent for incident response, 68 percent for network security, 67 percent for endpoint security, another 67 percent for application security, 64 percent for malware protection, and 55 percent for identity and access management.
“This survey shows that organizations made strides to address gaps and integrate cybersecurity into business, operational and IT infrastructure decisions, but there is still an enormous amount of work to be done. Bolstering security postures is a complex and continual effort. This is the work we do every day for organizations across all industries.”
Arguably, organizations can establish a more reliable security posture by investing in continuous security validation. A white paper authored by Silicon Valley Bank Senior Director (Global Services Governance) and CISA Berk Algan explains the significant benefits of continuous security validation as compared to traditional cyber defense strategies. It provides a massive contribution to cyber-attack preparedness and even binds existing security controls to get the most out of them.
Cybercrime to cost $10.5 trillion by 2025
Cyber attacks can cost some amount to prevent and are even costlier to remedy or recover from. A cybercrime study projects that damages from cyber attacks globally can reach up to $6 trillion in 2021 and further increase to $10.5 trillion in 2025. The security firm suggests that a cyber attack has the potential to disable the economy of a city, state, or the entire country.
Similar research reports show an equally dire forecast for cybercrimes. RiskIQ, in its “The Evil Internet Minute 2019” report, says that $2.9 million is lost to cybercrimes per minute and companies spend $25 per minute on average to address security breaches. Also, an IBM and Ponemon Institute study estimates that the average cost of a data breach is around $3.86 million.
All of these could be easily minimized and even possibly avoided with proper security validation. It is not enough to have security controls in place. Installing the defenses is only half the job. Organizations must ascertain that their security posture works as expected through proper security validation. They need to undertake meticulous security testing.
Going back to the security validation white paper cited earlier, it bears pointing out that traditional procedures no longer work. “While testing security controls in a traditional way could serve its intended purposes, the company should not feel secure solely based on traditional point-in-time control testing. The reality is that threats and an organization’s systems change on a daily basis, and a traditional control test that was effective yesterday may no longer be effective in mitigating a threat today,” the white paper writes.
Cybercrime has become a global concern. Even the International Monetary Fund now regards cyber risk as a new threat to financial stability. The good news is that security experts across different fields have collaborated to address the growing volume and sophistication of cyber attacks more efficiently. The MITRE ATT&CK framework in particular, which was also cited in the Algan-authored white paper, helps organizations in stress testing security systems efficiently to ensure optimum protection.
420 percent growth in supply chain attacks
Sonatype’s State of the Software Supply Chain 2020 Report suggests that cybercriminals have become swifter in finding their way around strengthened “next-generation” security defenses, noting that software supply chain attacks more than quintupled.
This is a crucial detail in the evolution of cyber assaults. Bad actors are not only relentless. They have also become highly resourceful, creative, and opportunistic. Even the pandemic has become an opportunity for them to deploy more attacks and try out new strategies to breach security controls. As IBM Security noted, “cyberattacks evolved in 2020 as threat actors sought to profit from the unprecedented socioeconomic, business and political challenges brought on by the COVID-19 pandemic.”
All of these provide more compelling reasons for organizations to undertake thorough security validation. Vulnerabilities and weaknesses in cyber defenses remain because many organizations still refuse to test their cybersecurity solutions. Those that do tend to not do it right or just settle for a one-time or occasional testing procedure.
Considering how hackers and cybercriminals refuse to be suppressed and only become more aggressive, it would be unwise for security teams to remain static when dealing with dynamic adversaries. It makes no sense to be passive while cybercriminals think and act proactively.
By now, almost all organizations are aware of the importance of implementing cybersecurity solutions. However, as mentioned, only 57 percent bother going through the process of security testing. Not an overwhelming majority realize the importance of penetration testing and other security validation measures.
No security solution is perfect and even the most competent and experienced security teams can commit mistakes along the way. Hackers will always find new vulnerabilities or opportunities to penetrate cyber defenses especially through points where there is human involvement. The logical solution is to anticipate all attacks by continuously and meticulously testing security controls.