It’s no surprise that the cybersecurity industry exceeded $145 billion in revenue in 2020. Global cybercrime is expected to cost businesses $6 trillion in 2021 and $10.5 trillion annually by 2025. Schemers, fraudsters and hackers are not going away any time soon, and continue to improve the sophistication of their attacks.
Businesses of all shapes and sizes need to acknowledge these threats and take action to protect their assets, employees, and customers.
In this report, we reveal the major cyber threats facing businesses in 2021 and beyond, including the latest figures that illustrate the scope of these issues. We also provide actionable steps that every business can take to help thwart the attempts of cybercriminals.
These are the main threats we’ll be covering:
- Phishing
- Malware
- Ransomware
- Data breaches
- Fraud and identity theft
- Denial of service attacks
- Supply chain attacks
- Cyber-physical attacks
Below, we put the spotlight on each of these threats to see what challenges we’re up against.
Phishing
Phishing is one of the biggest cyber risks facing businesses of all sizes. Phishing schemes involve fraudsters posing as individuals or organizations and using social engineering to “phish” for information such as personal details or financial data.
Phishing is traditionally associated with email, but may also take place by phone, text message, or social media messaging. Cybercriminals might ask victims to send information directly or lead them to a phishing site (a fake website designed to steal information).
There are various sub-types of phishing and several related crimes, including:
- Spear phishing: This involves attacks targeted at specific individuals such as customers of a certain company or employees of a particular business.
- CEO fraud: CEO fraud involves an attacker posing as a senior-level employee.
- Whaling: This type of attack is a form of spear phishing that targets senior-level executives.
- Business Email Compromise (BEC): These schemes can vary but they essentially involve scammers hijacking an employee’s email account to trick companies out of information or money. CEO fraud, whaling, and other types of phishing often involve BEC.
- Tech support scams: Often carried out by phone, tech support scams involve fraudsters posing as personnel from a reputable firm such as Microsoft. They use social engineering to persuade the victim to hand over money or information or provide remote access to their device (enabling the scammer to hijack accounts or install malware).
- Pharming: Also called “phishing without a lure,” pharming is similar to phishing but uses redirection at the DNS level and is tougher to spot.
The broad scope of phishing attacks has resulted in some pretty alarming statistics:
- The number of phishing attacks doubled over the course of 2020. Webmail and SaaS users are the biggest targets.
- 80 percent of phishing sites use SSL/TLS. An “https” prefix or padlock only shows that the connection is encrypted, not that the site is legitimate, so looking out for “https” in URLs is no longer considered a sound tactic for spotting ominous sites.
- 90 percent of phishing attacks occur within an environment that uses a Secure Email Gateway (SEG), despite users believing an SEG will protect them from such attacks.
- One-third of those aged 39 or over and around half of those aged 18–39 don’t know what the term “phishing” means.
- The prevalence of spear phishing attacks in particular is expected to increase in 2021 as automation plays a larger role, lowering the investment barriers traditionally associated with these schemes.
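The statistics above make the point that the scheme of a URL tells you nothing about who runs the site. The following script is an added example (not from the original report) of the checks a mail filter or analyst can apply instead: it ignores http/https and looks at the hostname for IP literals, credentials hidden before an “@”, a known brand used as a subdomain of an unrelated domain, and look-alike domains one or two characters away from a brand. The allowlist in KNOWN_DOMAINS and the sample URLs are constructed for illustration.

```python
"""Triage URLs from a suspected phishing email the way a mail filter or SOC
analyst would. Added example, not from the original report; the brand list
and sample URLs are constructed for illustration."""
import ipaddress
from urllib.parse import urlsplit

# Hypothetical allowlist of domains the organisation legitimately uses.
KNOWN_DOMAINS = {"example.com", "example-bank.com", "microsoft.com"}

# Single-character look-alikes fraudsters commonly substitute.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Crude 'last two labels' approximation of the registrable domain.
    Good enough to illustrate the idea; production tooling should use the
    Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalise(label: str) -> str:
    """Collapse common look-alike substitutions: 'rnicrosoft' -> 'microsoft',
    'examp1e' -> 'example'."""
    return label.replace("rn", "m").replace("vv", "w").translate(CONFUSABLES)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage_url(url: str) -> list[str]:
    """Return the reasons a URL looks like phishing; an empty list means no
    signal was found. The scheme (http vs https) is deliberately ignored:
    it says nothing about who operates the site."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    reasons: list[str] = []
    if not host:
        return ["no hostname"]
    if parts.username is not None:
        # Everything before '@' is userinfo; the browser connects to what follows it.
        reasons.append("userinfo before '@' hides the real host")
    try:
        ipaddress.ip_address(host)
        reasons.append("IP address used as hostname")
        return reasons
    except ValueError:
        pass
    domain = registrable_domain(host)
    if domain in KNOWN_DOMAINS:
        return reasons
    brand_labels = {d.split(".")[0] for d in KNOWN_DOMAINS}
    # A known brand used as a subdomain of an unrelated domain.
    if any(lbl in brand_labels for lbl in host.split(".")[:-2]):
        reasons.append(f"brand name in subdomain of unrelated domain {domain}")
    own_label = domain.split(".")[0]
    for brand in sorted(brand_labels):
        if own_label != brand and edit_distance(normalise(own_label), brand) <= 2:
            reasons.append(f"domain {domain} resembles {brand}")
            break
    return reasons
```

In practice the allowlist comes from the organisation’s own domain inventory and the registrable-domain step should use the Public Suffix List; the point of the example is that every check here works the same on an https URL as on an http one.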
How to protect your business against phishing attacks
Most phishing attacks can be avoided with a little know-how and preparation. These are the key steps you can take to keep your business safe:
- Educate employees: First and foremost, employees need to be trained to spot phishing attempts. Knowing the key signs to look out for in phishing emails and sites is the best way to avoid falling victim to attacks. Employees should also be instructed on how to report phishing attacks to help avoid future schemes.
- Run penetration testing: When considering employee training, it’s good to have a baseline that tells you how well your employees already perform when faced with phishing attacks. Lots of companies offer penetration testing, and some focus specifically on phishing. Others offer ongoing phishing simulations to gauge improvements over time.
- Employ anti-phishing software: While most email gateways will block many phishing attempts, you may want to consider additional software that does a better job at filtering attacks.
Malware
Malware is another serious concern for most businesses. “Malware” is an all-encompassing term for a variety of malicious software types, including:
- Viruses: When it’s executed, a computer virus will replicate itself by inserting its own code in other computer programs.
- Trojans: This type of malware poses as a harmless piece of software but can cause damage to your system.
- Ransomware: We’ll go into more detail about ransomware in the next section, but it generally involves files and folders being encrypted by attackers and held at ransom.
- Spyware: This term covers a range of malicious programs used to spy on victims including password stealers, keyloggers, and banking trojans.
- Cryptominers: Cryptominers are used in cryptojacking attacks that involve the unauthorized use of a computer to mine bitcoin and other cryptocurrencies.
Virtually any device can be impacted by malware and we are seeing a significant increase in malicious software affecting mobile devices. Malware can enter a system via various channels, including malicious email links or attachments, malvertisements (malicious advertisements), and infected hardware, for example, a thumb drive or disk.
Malware attacks range from large-scale assaults using crude methods to highly-sophisticated targeted attacks. We are seeing an increase in state-sponsored malware attacks that use remote access tools to carry out prolonged phishing and malware campaigns.
The following reports provide an idea of the problems businesses are facing:
- Almost 10 billion malware attacks took place in 2020. This included 81.9 million cryptojacking attacks and 56.9 million IoT attacks.
- Malware detections in Macs used for business increased 31% in 2020.
- More than half of all organizations were impacted by a business-disrupting malware attack within 12 months.
- There is concern that the impact of attacks stemming from Russia and China will be felt well into 2021 and beyond.
The pandemic is reported to be changing the way in which malware is distributed. More than 580,000 new malware variants were discovered in 2020. Microsoft Office files are the most common malicious file type, accounting for 24.87%, an increase of over two-thirds since 2019. It’s reported that this has a lot to do with the shift to remote work, resulting in the increased sharing of Office files. By spring 2020, the number of Office users exceeded 258 million, creating a ripe opportunity for attackers.
How to protect your business against malware
Thankfully, there are ways you can thwart many malware attacks and keep your network safe. Here are the core actions to take:
- Use a good firewall: This acts as a first line of defense by monitoring incoming and outgoing traffic. Whether your firewall is software or hardware, it’s important to make sure it’s enabled. You may also want to consider third-party options for extra protection.
- Use solid antivirus software: Reliable antivirus software is crucial for individuals and businesses alike. It detects known threats and blocks them from executing.
- Spot malicious emails: Malware often enters systems through a link or attachment in a scam email. It’s important employees know how to spot and report these types of emails as well as other common malware vehicles such as malvertisements.
- Keep software up to date: Cybercriminals often exploit known software vulnerabilities to get malware onto systems. Updates usually contain patches for these weaknesses so should be implemented as quickly as possible. 9 in 10 web applications are vulnerable to hacks, but 80% of attacks exploit vulnerabilities that are at least two years old, so applying updates can be a game-changer.
- Use a malware removal tool: If you discover that malware has made its way onto your system or website, there are lots of removal tools available to help.
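Since the report notes that Office files are now the most common malicious file type and that employees must spot malicious emails, the following is an added example (not from the original report) of a first-pass attachment check a mail gateway or a help-desk triage script can run: it parses a message, lists its attachments and classifies each by file type, catching executables disguised with a document extension and macro-enabled Office formats. The sample message is constructed inline; the payload bytes are placeholders, not real malware.

```python
"""Classify email attachments by risk before a user ever sees them.
Added example, not from the original report. The message built below is a
constructed sample; attachment bodies are placeholder bytes."""
import os
from email import message_from_string, policy
from email.message import EmailMessage

# Directly executable or script content: should not arrive unsolicited.
EXECUTABLE = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf", ".bat", ".cmd",
              ".ps1", ".hta", ".msi", ".com", ".pif"}
# Office formats that can carry VBA macros.
MACRO_ENABLED = {".docm", ".xlsm", ".pptm", ".dotm", ".xlam"}
# Containers that can hide the above from naive extension filters.
ARCHIVES = {".zip", ".7z", ".rar", ".iso", ".img"}
DOCUMENT_LIKE = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def classify_attachment(filename: str) -> str:
    """Return an allow/quarantine/block verdict based on the file name."""
    name = filename.lower().strip()
    root, ext = os.path.splitext(name)
    if ext in EXECUTABLE:
        # "invoice.pdf.exe": the visible part looks like a document.
        if os.path.splitext(root)[1] in DOCUMENT_LIKE:
            return "block: executable disguised with document extension"
        return "block: executable content"
    if ext in MACRO_ENABLED:
        return "quarantine: macro-enabled Office document"
    if ext in ARCHIVES:
        return "quarantine: archive, inspect contents"
    return "allow"


def scan_message(raw: str) -> list[tuple[str, str]]:
    """Parse an RFC 5322 message and return (filename, verdict) per attachment."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        fname = part.get_filename() or "<unnamed>"
        findings.append((fname, classify_attachment(fname)))
    return findings


def build_sample_message() -> str:
    """Constructed sample message with three attachments of differing risk."""
    msg = EmailMessage()
    msg["From"] = "accounts@example.net"
    msg["To"] = "staff@example.com"
    msg["Subject"] = "Invoice attached"
    msg.set_content("Please see the attached documents.")
    msg.add_attachment(b"PK\x03\x04 placeholder", maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12",
                       filename="Q3-invoice.docm")
    msg.add_attachment(b"MZ placeholder", maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="terms.pdf")
    return msg.as_string()
```

File-name checks are only the first layer: a real gateway also inspects the declared MIME type against the file’s magic bytes and opens archives, since a filter that trusts the extension alone is easy to get past.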
Ransomware
Although it falls under malware, ransomware is an increasingly serious threat, so it’s worth discussing separately. Ransomware attacks typically involve the execution of software that encrypts files or folders, essentially holding them hostage. The victim will receive instructions, often in the form of a popup, explaining how to send payment in exchange for a decryption key.
Ransomware has become highly targeted in recent years and is costing businesses far more money than it did in the past:
- Over 300 million ransomware attacks were reported in 2020.
- The average ransomware attack costs over $760,000 to remediate.
- The average ransom payment in Q4 2020 was $154,108.
- 70% of Q4 2020 ransomware attacks included a threat to leak stolen data, prompting 60% of companies to pay the ransom.
- Email phishing has overtaken RDP compromise as the most common ransomware attack vector.
How to protect against ransomware
While you can follow the above malware prevention tips to protect against ransomware entering your system, here’s some additional advice to follow to prevent and mitigate the impact of attacks:
- Employ a ransomware protection tool: While antivirus software can protect against some known ransomware, a dedicated ransomware protection tool gives you additional peace of mind.
- Attempt to remove ransomware: If you discover ransomware on your system and want to try to remove it yourself, there are tools available. However, these are becoming less effective as ransomware becomes more sophisticated. If it’s within your budget, a better option may be to hire a professional ransomware removal service.
- Resort to backups: The prevalence and severity of ransomware attacks illustrate the importance of backing up all important data. If you’re unable to recover files lost to ransomware, you’ll need to rely on the backups you’ve hopefully been maintaining.
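Because ransomware works by rewriting files as ciphertext, two cheap detections follow directly from the description above: a canary file that should never change, and a check for files whose contents have suddenly become high-entropy. The script below is an added example (not from the original report, and not any product’s code) that implements both over a directory; the sample files are constructed in a temporary directory, and the 7.5 bits-per-byte threshold and the list of already-compressed formats are assumptions you would tune against your own data.

```python
"""Early warning for ransomware activity on a file share: a canary file that
must never change, plus an entropy check that flags files whose contents look
encrypted. Added example, not from the report; all sample files are constructed
in a temporary directory."""
import hashlib
import math
import tempfile
from pathlib import Path

CANARY_NAME = ".00-canary.txt"   # sorts first, so bulk encryption tends to hit it early
CANARY_CONTENT = b"canary file - must never be modified\n" * 16
# Formats that are legitimately high-entropy (already compressed or encrypted).
COMPRESSED_SUFFIXES = {".zip", ".gz", ".7z", ".jpg", ".jpeg", ".png", ".mp4", ".gpg"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def plant_canary(directory) -> str:
    """Write the canary and return the SHA-256 the monitor should expect."""
    path = Path(directory, CANARY_NAME)
    path.write_bytes(CANARY_CONTENT)
    return hashlib.sha256(CANARY_CONTENT).hexdigest()


def check_directory(directory, canary_digest: str, threshold: float = 7.5,
                    min_size: int = 64) -> dict:
    """Return whether the canary is intact and which files look encrypted."""
    root = Path(directory)
    report = {"canary_ok": False, "suspicious": []}
    canary = root / CANARY_NAME
    if canary.is_file() and hashlib.sha256(canary.read_bytes()).hexdigest() == canary_digest:
        report["canary_ok"] = True
    for path in root.rglob("*"):
        if not path.is_file() or path.name == CANARY_NAME:
            continue
        if path.suffix.lower() in COMPRESSED_SUFFIXES:
            continue  # would be a false positive; compare against a baseline instead
        data = path.read_bytes()
        if len(data) >= min_size and shannon_entropy(data) >= threshold:
            report["suspicious"].append(str(path.relative_to(root)))
    report["suspicious"].sort()
    return report


def demo() -> dict:
    """Constructed scenario: one normal document, one file that looks encrypted,
    then the canary is overwritten as it would be during a ransomware run."""
    with tempfile.TemporaryDirectory() as tmp:
        digest = plant_canary(tmp)
        Path(tmp, "notes.txt").write_bytes(b"Quarterly planning notes, nothing unusual.\n" * 10)
        # Ciphertext-like: every byte value equally frequent, entropy exactly 8 bits/byte.
        Path(tmp, "budget.xlsx.locked").write_bytes(bytes(range(256)) * 16)
        before = check_directory(tmp, digest)
        Path(tmp, CANARY_NAME).write_bytes(bytes(range(256)) * 4)
        after = check_directory(tmp, digest)
    return {"before": before, "after": after}
```

Run check_directory from a scheduled task and treat a changed canary or a burst of newly high-entropy files as a trigger to isolate the host and switch to the backups the report recommends; the entropy check alone will also flag legitimately compressed data, which is why a per-file baseline beats a fixed threshold in production.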
Data breaches
There seems to be almost daily news about one massive data breach after another, and those are just the ones we hear about. In fact, data breaches are even more common than some may imagine. Data breaches can occur as a result of a variety of tactics, including hacking, social attacks, man-in-the-middle attacks, malware, errors, misuse by authorized users, and physical actions.
The impact on businesses can be devastating. Aside from having to spend resources on dealing with the initial aftermath of a breach, there are also long-term costs as a result of a damaged reputation and lost customers.
Here are some statistics that shed light on how data breaches occur and the effects they have:
- Almost half (49%) of US organizations have dealt with a data breach. 26% have experienced a breach in the past 12 months.
- 55% of breaches are attributed to organized crime groups. The top threat action varieties are phishing and the use of stolen credentials.
- It takes months to discover 60% of breaches.
- The average US data breach costs $8.64 million.
- Human error causes 23% of breaches.
- At least four 2020 breaches resulted in the leak of over a billion records.
- Companies that have dealt with a breach can expect to underperform the market by over 15% three years after the incident.
- 70% of cloud infrastructures experience a breach within a year.
How to avoid data breaches
As we can see from the massive breaches suffered by giant tech companies, no business is immune. Since phishing and malware are common vectors for data breaches, be sure to consider the action steps outlined in those sections above. Additional steps you can take to avoid data breaches include:
- Improve password health: Even with all the news of breaches and hacks, password habits still leave a lot to be desired. Ensuring that all employees use strong passwords is crucial to protecting against data breaches as well as other cyberattacks. Every account should be protected by a strong, unique password and there should be no password sharing among employees. Password managers can be extremely handy tools for securely storing and autofilling passwords.
- Use a VPN: A Virtual Private Network (VPN) encrypts all information flowing to and from a device that’s connected to it. This means that should any traffic be intercepted, it will be unreadable by the snooper. Most businesses use some type of VPN to boost security and allow employees remote access to the company network. This is especially important in the age of remote work when endpoint security is an increasing concern.
- Tighten access controls: Many businesses allow employees unnecessary access to information, which leads to preventable risks. One report found that almost two-thirds of companies have over 1,000 sensitive files open for anyone to view. In large organizations, the average number of files accessible to anyone is 20 million. To lower the risk, employers should consider implementing least-privilege access controls, granting each person only the minimum access their role needs. Mobile Device Management (MDM) software and Data Loss Prevention (DLP) software can help you implement such controls.
- Comply with regulations: Depending on where you’re located and the nature of the data you collect, it’s likely that you are required to comply with at least some regulations regarding the handling of employee or customer data. Be sure that you fully understand the rules surrounding how information may be collected and stored, and make the appropriate adjustments to your current systems.
- Employ an incident response team: If you have the budget, an incident response team might be worth the investment. According to IBM, it can save an average of $2 million per breach.
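The “files open for anyone to view” figure above is something you can measure on your own shares. The script below is an added example (not from the original report) that walks a directory tree on a Unix host and reports files whose POSIX mode bits make them readable or writable by every local user, which is the simplest case of the over-exposure the report describes. The sample tree is constructed in a temporary directory; this checks mode bits only, so Windows/NTFS or SMB ACLs need the equivalent review with icacls or Get-Acl.

```python
"""Find files on a Unix file share that any local user can read or modify.
Added example, not from the report; sample files are created in a temporary
directory. Only POSIX mode bits are checked."""
import os
import stat
import tempfile
from pathlib import Path


def permission_findings(mode: int) -> list[str]:
    """Describe the exposure implied by a file's st_mode bits."""
    findings = []
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    elif mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & (stat.S_ISUID | stat.S_ISGID):
        findings.append("setuid/setgid")
    return findings


def audit_tree(root) -> dict[str, list[str]]:
    """Map each over-exposed file (relative path) to its findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue
        findings = permission_findings(path.stat().st_mode)
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


def demo() -> dict[str, list[str]]:
    """Constructed share: a locked-down payroll file, a readable handbook and a
    scratch file anyone can edit."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {"hr/payroll.csv": 0o600, "handbook.pdf": 0o644, "shared/notes.txt": 0o666}
        for rel, mode in samples.items():
            p = Path(tmp, rel)
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text("constructed sample content\n")
            os.chmod(p, mode)
        return audit_tree(tmp)
```

On a real share the interesting next step is to join this output with a data classification (which of the world-readable files hold personal or financial data) and fix those first.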
Fraud and identity theft
Fraud is a real threat to businesses and may involve internal or external actors. There are a huge number of different types of fraud that could impact a business, but here are some of the main ones:
- Accounts payable fraud
- Credit fraud
- Fake currency schemes
- Return scams
- Workers’ compensation
- Wire scams
- Debit and credit card skimming
- New account fraud
With so much business being conducted online, it is becoming easier for criminals to carry out many of these types of fraud. Here are some numbers that illustrate the challenges being faced:
- American companies lose billions of dollars to identity theft and fraud every year.
- Organizations lose around five percent of their revenue each year due to fraud.
- Occupational fraud schemes typically last around 14 months and cost $8,300 per month.
- 40% of account takeovers occur within 24 hours of a criminal gaining access to the victim’s account.
How to protect against fraud and identity theft
Many cases of fraud can be prevented by following some of the steps above related to protection against phishing, malware, and data exposure, but there are some more specific steps you can take:
- Implement a fraud prevention program: PwC found that companies with a fraud prevention program in place spend 42% less on response and 17% less on remediation than those without a program. The program you implement will depend on your business, but components can range from having multiple employees handle sensitive tasks to carrying out frequent unscheduled audits.
- Invest in fraud prevention tools: Almost half of businesses plan to increase spending on fraud prevention over the next two years. Tools such as automated fraud-detection technology can prove to be worthy considerations for investment.
- Put a fraud alert on your business credit report: Credit fraud, a form of identity theft, can be difficult to spot until it’s too late. Placing a fraud alert on your credit report can help you detect fraud early and minimize damage.
Denial of service attacks
A Denial-of-Service (DoS) attack involves cybercriminals flooding an organization’s systems (servers or networks) with traffic. As a result, resources and bandwidth are drained, rendering the system unable to deal with legitimate requests. A Distributed Denial-of-Service (DDoS) attack is similar but involves the use of a botnet (comprising multiple compromised devices) to overwhelm the victim’s system.
These attacks can result in costly downtime and lost business, which are often the motivations behind such attacks. Many businesses of all sizes deal with these attacks on a regular basis:
- 91 percent of organizations say that DDoS attacks cost up to $50,000 per attack.
- 78% of businesses say that loss of customer trust and confidence is the most damaging effect of a DDoS attack.
- DDoS attacks rose 50% in Q3 2020 compared to the previous year.
- Large attacks (over 100 Gbps) increased almost 10-fold in 2020.
- The average DDoS attack in 2020 used 1 Gbps of bandwidth and lasted 30 minutes to an hour.
How to prevent DoS and DDoS attacks
While you might not envisage a cybercriminal wanting to target your business with this type of attack, the numbers show that it really can happen to anyone. As such, it’s best to be prepared by employing some key strategies:
- Monitor your network: The best way to avoid DoS attacks altogether is to employ diligent network monitoring. This will enable you to spot common signs of a DoS attack and take action as soon as you see something unusual, such as high data traffic levels or unrecognized IP addresses. If this is too much to handle in-house, you can employ an edge service to monitor your network and intercept attacks before they take full effect.
- Run simulations: If you’ve never experienced a DoS attack before, it may be difficult to know what to look out for. Running simulated attacks against your own network can help reveal where your weaknesses lie.
- Create a post-attack response plan: Sometimes an attack is inevitable but you can still have a solid response plan to fall back on. This might involve designating specific roles to team members and designing customer support procedures to mitigate the resulting damage.
- Use a DDoS mitigation service: Preparing for and responding to a DDoS attack can be a lot of work, so you may want to outsource this to experts. DDoS mitigation services work on the application layer and defend against the most common DDoS attack types.
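The “monitor your network” advice above comes down to noticing when one source is sending far more requests than normal. The script below is an added example (not from the original report) of that detection over web server access logs: it parses common-log-format lines, keeps a sliding window of request times per client address and flags any source that exceeds a threshold within the window. The log lines are generated inline from documentation-range IP addresses and are constructed, not captured; the window and threshold are assumptions to tune against your own baseline traffic.

```python
"""Spot a request flood in web server access logs by counting requests per
source address in a sliding time window. Added example, not from the report;
the log lines are generated below and are constructed, not real traffic."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/Nginx common-log prefix: client IP, identity, user, [timestamp], "request", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line: str):
    """Return (ip, timestamp) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    except ValueError:
        return None
    return m.group("ip"), ts


def detect_floods(lines, window_seconds: int = 10, threshold: int = 20) -> dict:
    """Flag any source that issues `threshold` or more requests within any
    `window_seconds` interval. Returns the first timestamp at which each
    source crossed the line, plus the peak window count per source."""
    events = [e for e in map(parse_line, lines) if e is not None]
    events.sort(key=lambda e: e[1])  # logs are normally ordered; be safe
    recent = defaultdict(deque)
    peak = defaultdict(int)
    flagged = {}
    for ip, ts in events:
        q = recent[ip]
        q.append(ts)
        # Drop requests that have fallen out of the window.
        while (ts - q[0]).total_seconds() >= window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        if len(q) >= threshold and ip not in flagged:
            flagged[ip] = ts.isoformat()
    return {"flagged": flagged, "peak_per_source": dict(peak)}


def sample_log() -> list[str]:
    """Constructed log: two ordinary clients plus one source sending ten
    requests per second for six seconds. Addresses are documentation ranges."""
    base = datetime(2021, 3, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path="/index.html"):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'

    lines = [line("203.0.113.10", 3 * i) for i in range(11)]
    lines += [line("198.51.100.7", 7 * i, "/about") for i in range(5)]
    lines += [line("192.0.2.99", i // 10, "/search?q=x") for i in range(60)]
    lines.append("garbage line that does not parse")
    return lines
```

A single address is the easy case; a distributed attack spreads the load across many sources, so the same window logic is also worth running over the total request rate and over requests per URL, and the result should feed an alert rather than an automatic block so that a busy legitimate client is not cut off.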
Supply chain attacks
Not only do companies have to be wary of their own security protocols, but they also need to be concerned about what third parties are doing. A supply-chain attack, also known as a third-party or value-chain attack, involves your system being infiltrated via an outside provider or partner.
Any supplier, contractor, or other partner can pose a cybersecurity risk, but of particular concern are third-party software providers. The recent SolarWinds attack and Microsoft Exchange Server hack highlight the potential reach of a supply-chain disruption.
These figures illustrate the problem further:
- 90% of applications use open source code, and 11% of the components in applications are known to be vulnerable.
- 2020 saw a 430% increase in cyber attacks that target the development of open source software.
- At least 30,000 US organizations were impacted as a result of the Microsoft Exchange Server hack.
- Third-party software vulnerabilities are the cause of 16% of all data breaches.
How to protect against third-party risks
As we have seen from the SolarWinds and Microsoft attacks, no company is immune to cyber risks. While it can be impossible to control how third parties secure their applications, there are steps you can take to protect your business:
- Carefully vet software vendors: While it can be expensive to audit software, it can pay off in the long run if you manage to avoid certain risks. Popular mechanisms for vetting third-party software include questionnaires, documentation reviews, remote assessments, and onsite security evaluations. Even if you can’t afford or arrange a full audit, you can at the least demand that third parties provide documentation outlining their security protocols and practices.
- Secure APIs: Even if newly adopted software is secure, its integration into your systems still carries risk. Application Programming Interfaces (APIs), the intermediaries where applications meet, pose their own sets of challenges and are subject to attack. It’s important to identify potential vulnerabilities and work with developers and third parties to minimize the risk.
- Continue to apply updates: The SolarWinds attack actually used an update as its vehicle, which might be enough to put companies off applying future updates to this and other software. However, there is still a higher likelihood that cybercriminals will attack a known vulnerability than a software supply chain. Updates still play a crucial role in protecting you against those attacks.
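The figures above say that most applications are built from open source components and that a noticeable share of those components are known to be vulnerable. The first step in managing that is simply knowing which pinned versions fall inside a published vulnerable range. The script below is an added example (not from the original report) of that check: it parses a pinned dependency list, compares each version against an advisory feed and also reports unpinned entries, which cannot be audited reliably. Every package name, version and advisory identifier in it is a constructed placeholder, not a real project or CVE; in practice the advisory data comes from a vulnerability database or a software composition analysis tool.

```python
"""Check a pinned dependency list against an advisory feed.
Added example, not from the report. The package names, versions and advisory
ids below are constructed placeholders, not real projects or CVEs."""
import re

# Constructed advisory data: package -> list of (first_vulnerable, fixed_in, description)
ADVISORIES = {
    "libwidget": [("1.0.0", "1.4.2", "ADV-PLACEHOLDER-1: unsafe deserialization")],
    "fastjsonlib": [("2.0.0", "2.3.1", "ADV-PLACEHOLDER-2: denial of service on crafted input")],
}

PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)\s*(?:#.*)?$")


def parse_version(v: str) -> tuple:
    """'1.4.2' -> (1, 4, 2); trailing zeros are dropped so '1.4' == '1.4.0'.
    Non-numeric suffixes ('2.3.1rc1') end the parse; a full version parser
    should be used in production."""
    nums = []
    for part in v.split("."):
        m = re.match(r"\d+", part)
        if not m:
            break
        nums.append(int(m.group()))
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums) if nums else (0,)


def parse_requirements(text: str):
    """Split a requirements-style list into exact pins and everything else."""
    pinned, unpinned = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = PIN_RE.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            name = re.match(r"[A-Za-z0-9_.-]+", line)
            unpinned.append(name.group() if name else line)
    return pinned, unpinned


def audit(requirements_text: str, advisories=ADVISORIES) -> dict:
    """List pinned components inside a vulnerable range, plus unpinned ones."""
    pinned, unpinned = parse_requirements(requirements_text)
    vulnerable = []
    for name, version in sorted(pinned.items()):
        ver = parse_version(version)
        for first_bad, fixed_in, note in advisories.get(name, []):
            # Vulnerable if first_bad <= version < fixed_in.
            if parse_version(first_bad) <= ver < parse_version(fixed_in):
                vulnerable.append({"package": name, "version": version,
                                   "fixed_in": fixed_in, "advisory": note})
    return {"vulnerable": vulnerable, "unpinned": unpinned}


SAMPLE_REQUIREMENTS = """\
# constructed lockfile for illustration
libwidget==1.3.0
fastjsonlib==2.3.1   # already on the fixed release
nethelper==3.1.0
someutil>=0.9        # unpinned: cannot be audited reliably
"""
```

Running this in the build pipeline, with the advisory feed refreshed on each run, is what turns “apply updates” from a reminder into a gate: an unpinned entry or a version inside a vulnerable range fails the build before the component ships.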
Cyber-physical attacks
As alarming as it is to consider that you or your employees may come face-to-face with cybercriminals, there is a very real threat of cyber-physical attacks. These could range from a brazen theft of an employee laptop in a public space to a carefully-planned robbery of a thumb drive from office headquarters.
And theft isn’t the only physical attack to be wary of. Digital property could be intentionally damaged, for example, by arson or deliberate flooding. Other physical attacks could involve the installation of malware on company devices such as via a disk inserted into a desktop or laptop or the installation of a malicious app on a company or employee-owned mobile device.
These statistics show that the prospect of cyber-physical attacks is not always taken as seriously as it should be:
- 10% of malicious breaches are caused by a physical security compromise.
- Lack of budget is the top barrier preventing businesses from investing in physical security technology.
- 27% of organizations fail to perform regular reviews of physical security and the accessibility of confidential information.
- More than half of users don’t password-protect their mobile device.
How to keep your digital property secure
While most organizations know how to physically secure digital assets, many fail to put this know-how into practice. Here are some good places to start:
- Enforce security policies: As with most defense tactics, it’s important that employees are fully on board. Aside from having stringent security protocols in place, you need to ensure they are followed. Entry log books, door-locking policies, and restricting access to certain areas or equipment can all go a long way to physically securing digital property.
- Ensure all important data is backed up: We mentioned online backups earlier but it’s worth reiterating how crucial it is to have at least two copies of all important data. Ideally, one set of backups should be in the cloud, but if all are on hardware devices, these should be stored separately from each other to limit the chance both copies are stolen or damaged.
- Use strong passwords and 2FA: You would think that password-protecting devices would be second nature by now, but judging by the statistics above, people still need a nudge. Be sure to have a policy in place that mandates employees password-protecting any device used for work purposes. It’s also highly advisable to use two-factor authentication where possible as an extra layer of protection.
- Use physical locks on devices: It’s inevitable that laptops and mobile devices will be left on desks or even in public spaces where they can be easily removed. Special locks provide a simple yet effective way to deter thieves.
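The two-factor authentication recommended above most often means a code from an authenticator app, and it is worth seeing what that code actually is, because the details (time step, drift window, replay rejection) are where deployments go wrong. The block below is an added example (not from the original report) implementing RFC 4226 HOTP and RFC 6238 TOTP with the standard library; the only key used is the RFC test-vector key, and the new_enrolment helper and the replay guard via last_counter are this example’s own design, not part of the RFCs.

```python
"""Time-based one-time passwords (RFC 6238 on top of RFC 4226 HOTP), the
scheme used by most authenticator apps. Added example, not from the report;
the only key used here is the RFC test-vector key."""
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP: HOTP with the counter derived from the current time step."""
    if at_time is None:
        at_time = time.time()
    return hotp(secret, int(at_time // step), digits)


def verify_totp(secret: bytes, code: str, at_time=None, step: int = 30,
                window: int = 1, last_counter=None):
    """Check a submitted code against the current step and +/- `window`
    neighbours to tolerate clock drift. Returns the matched counter, or None.
    Passing the counter of the last accepted code rejects replays inside the
    window; the caller stores that value per user (assumption of this example)."""
    if not code.isdigit() or not 6 <= len(code) <= 8:
        return None  # never let an empty or malformed code reach the comparison
    if at_time is None:
        at_time = time.time()
    counter = int(at_time // step)
    for delta in range(-window, window + 1):
        candidate = counter + delta
        if last_counter is not None and candidate <= last_counter:
            continue
        # Constant-time comparison so timing does not reveal how many digits matched.
        if hmac.compare_digest(hotp(secret, candidate, len(code)), code):
            return candidate
    return None


def new_enrolment(nbytes: int = 20) -> tuple:
    """Fresh random shared secret plus its base32 form for an authenticator app."""
    secret = secrets.token_bytes(nbytes)
    return secret, base64.b32encode(secret).decode("ascii")


def secret_from_base32(text: str) -> bytes:
    return base64.b32decode(text.replace(" ", "").upper())


# RFC 4226/6238 test-vector key (ASCII "12345678901234567890"), not a real secret.
RFC_TEST_SECRET = b"12345678901234567890"
```

The things to check in any real deployment follow from the code: the shared secret must be stored as carefully as a password hash is not (it is a reversible secret, so encrypt it at rest), the drift window should stay at one step, and the last accepted counter must be recorded so that a code intercepted over the shoulder cannot be reused in the same 30-second step.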
Some of the statistics surrounding cybercrime are terrifying for businesses of all shapes and sizes. Many threats are increasing in prevalence and certainly in sophistication. While we can’t always stay one step ahead of malicious actors, we can do our best to avoid most attacks and mitigate the damage caused by those that are successful.
The above list is not exhaustive, but provides a look at some of the major threats facing businesses today and actions organizations can take to protect assets, employees, and customers.