Here’s something perplexingly alarming. US data breaches in 2020 dropped to 1.001 billion cases from 1.473 billion in 2019. It is over 60 percent lower than the all-time high of 1.632 billion cases recorded in 2017. However, the number of records exposed is not proportionately reduced compared to the figures from the previous years. Even more confusing, the second all-time high of 222.5 million records exposed was recorded in 2009 when only 498 million data breaches were recorded.
The above numbers from Statista only show that cyberattacks targeting data are unpredictable. It is difficult to establish patterns and guess how bad actors will behave in the future. Cybersecurity experts have to be on their toes all the time to effectively counter the evolving tactics and strategies of cybercriminals.
The following cybersecurity statistics offer information and insights that should compel businesses or organizations to beef up their cyber defenses and improve their preparedness to deal with evolving forms of attacks.
Common data breach targets
What types of data are typically stolen, corrupted, or destroyed in cyber attacks? According to Verizon’s 2021 Data Breach Investigations Report (DBIR), a large majority of breaches, at least 61 percent, involved credential data: usernames, passwords, and other related information. The report says that 95 percent of organizations struck by credential stuffing attacks saw up to 3.3 billion anomalous attempts to log in to their systems.
Other data sought by cybercriminals include financial data such as bank details, tax forms, credit and debit card numbers, invoices, as well as financial statements. Hackers are also looking into medical or personal health information maintained by healthcare providers. Data breaches likewise attempt to steal trade secrets, patents, customer lists, blueprints, and contracts. Additionally, there are state-sponsored attacks that aim to retrieve sensitive political and military information.
Organizations need to be familiar with these data breach targets to make sure they know which information should be thoroughly secured. Many may not be aware of the critical nature of the data they are handling. For most, convenience trumps security, such as when one saves account credentials in a web browser or on a phone for easy authentication.
The human element
The DBIR examined over 29,000 security incidents and found that an astounding 85 percent involved a human element. These breaches exploit the lack of knowledge or competence of some people in an organization to successfully penetrate security systems.
Phishing attacks reportedly rose by 11 percent while those that involved the use of ransomware increased by 6 percent. The public administration and retail trade sectors appear to be favorite targets of phishing attacks, while the financial and insurance industry saw notable increases in ransomware attacks.
Cost of data breaches
The DBIR study conducted simulations to estimate the financial impact of attacks. According to the report, the median loss associated with a data breach is $21,659. The cost of an attack for organizations ranges from $826 to $653,587 in 95 percent of the cases. The remaining 5 percent of cases are high-profile ones, which usually cost millions of dollars.
A separate study by IBM presents a considerably higher average cost of a data breach at $3.86 million, with healthcare as the most expensive industry shelling out $7.13 million on average for each data breach case. The same IBM study also notes that it takes around 280 days before a breach is identified and contained.
The pandemic’s lingering effects
COVID-19 continues to have an impact on the volume of cyberattacks experienced by companies worldwide. Verizon CEO Tami Erwin says that “the pandemic has had a profound impact on many of the security challenges organizations are currently facing.”
As the pandemic forces businesses to bring their operations online and use cloud services and platforms more, bad actors are finding more opportunities for their attacks. DBIR indicates that 39 percent of all security breaches targeted web applications. “As the number of companies switching business-critical functions to the cloud increases, the potential threat to their operations may become more pronounced, as malicious actors look to exploit human vulnerabilities and leverage an increased dependency on digital infrastructures,” Erwin adds.
Industries targeted
While there is a widely accepted presumption that cyber-attacks are generally indiscriminate, a number of industries appear to have been under the spotlight from 2020 through 2021. These industries are finance and insurance, healthcare, public administration, and retail trade.
While most data breaches are about businesses or organizations, most of the data being compromised tends to be personal. Notably, 83 percent of the data compromised in the finance and insurance industry are personal in nature. Around half of the data affected by cyber attacks in the professional, technical, and scientific service sectors are also personal.
Weak internal mechanisms for detection
Another crucial detail revealed by DBIR is the apparent lack of effective breach detection systems among organizations. More than 80 percent of the data compromises examined in the study were discovered by external parties, not by the internal IT or cybersecurity teams of companies.
In a way, these details show why it makes sense for many to rely on third-party solutions for their data protection. Most organizations still lack the expertise to competently identify, let alone prevent, mitigate, and remediate, data breach incidents.
Ransomware attacks
The number of businesses that fall prey to ransomware attacks has been increasing over the years. At least 68.5 percent of businesses have become victims of this cyber attack in 2021 to date. We are not even into the second half of 2021, yet the figure is already significantly higher than the 62.4 percent in 2020 and the 56.1 percent in 2019.
Ransomware is a major threat to data as demonstrated by one major incident in the United States. The ransomware attack that hit Colonial Pipeline, one of the biggest oil facilities in the United States, resulted in a shutdown that limited oil supply in the world’s biggest economy. While the perpetrators of the attack released a statement that they did not mean to create problems, the fact is that the ransomware led to a significant economic disruption even after Colonial decided to pay the $4.4 million ransom sought by the attackers.
According to a report by CIO, the remediation cost associated with ransomware attacks more than doubled from $761,106 in 2020 to $1.85 million in 2021 on average. The trend is unlikely to reverse in the succeeding years as the new normal entails more use of remote work arrangements and online correspondence.
One important piece of advice on dealing with ransomware, as shared by CIO, is to not pay the ransom. There is no guarantee that ransom payment will result in data recovery. Even if an organization’s data is restored, it may already be too late as other more serious damage may have already been incurred, just like what happened with the Colonial Pipeline attack.
Organizations are advised to focus on their preparedness in dealing with ransomware and other similar threats. It is essential to ascertain that all security controls are working as they are intended, ensure that all crucial data are backed up, and employ a layered protection strategy.
Towards better data breach protection
Unless everything becomes automated and people are taken out of the organization entirely, the problem of data breaches through social engineering will always remain a major challenge. The attacks are even evolving and their volumes can become overwhelming. Businesses that refuse to continuously improve their defenses are going to fall for more sophisticated tactics and suffer more losses.
Data breach trends may emerge, but the way perpetrators attack is unlikely to be predictable. Organizations need to constantly upgrade their defenses and prepare sound mitigation and remediation strategies to avoid succumbing to the high costs of cyber attacks. If a high level of internal cyberattack detection and prevention is not achievable, turning to third-party security solution providers is a reasonable option.