With global cybercrime damages predicted to cost up to $6 trillion annually by 2021, not getting caught in the landslide is a matter of taking in the right information and acting on it quickly.
We collected and organized over 300 up-to-date cybercrime statistics that highlight:
- The magnitude of cybercrime operations and impact
- The attack tactics bad actors used most frequently in the past year
- How user behavior is changing and how it… isn’t
- What cybersecurity professionals are doing to counteract these threats
- How different countries fare in terms of fighting off blackhat hackers and other nation states
- What can be done to keep data and assets safe from scams and attacks.
Dig into these surprising (and sometimes mind-boggling) internet security statistics to understand what’s going on globally and discover how several countries fare in protecting themselves.
The article includes plenty of visual representations of the most important facts and figures in information security today.
- Headline cybercrime statistics for 2019-2020
- Ransomware statistics 2020
- Other common cyber attack tactics
- GDPR statistics
- Cost of cybercrime stats
- Cybersecurity spending trends
- Cybersecurity jobs growth
- Cybersecurity threats, preparedness and programs by country
- Top cybersecurity threats 2020
- 7 easy ways to improve your privacy and security online
- How to report cybercrime
Headline cybercrime statistics for 2019-2020
With the threat landscape always changing, it’s important to understand how cyber attacks are evolving and which security controls and types of training work.
- There were 144.91 million new malware samples in 2019 (AV-Test) and we’re already at 113.10 million new samples in 2020 (as of midway through November 2020)
- In 2019, 93.6% of malware observed was polymorphic, meaning it has the ability to constantly change its code to evade detection (2020 Webroot Threat Report)
- Almost 50% of business PCs and 53% of consumer PCs that got infected once were re-infected within the same year (2020 Webroot Threat Report)
- More than two-thirds of IT security professionals believe a successful cyber attack is imminent in 2020 (CyberEdge 2020 Cyberthreat Defense Report)
- Mexico was the hardest-hit country by cyberattacks in 2019, with 93.9% of all surveyed companies being compromised at least once last year (CyberEdge 2020 Cyberthreat Defense Report)
Naturally, these facts and figures are just the tip of the iceberg. The deeper we dive into the wealth of information cybersecurity reports now offer, the clearer and more unnerving the picture becomes.
Ransomware statistics 2020
Ransomware infection rates are dropping but almost half of the victims pay the ransom.
Ransomware has been the core concern for cybersecurity professionals for years but in 2018 it finally started to decline in volume. However, it doesn’t serve us to get excited about progress just yet, as more and more companies are paying the ransom when they do get hit.
- US ransomware attacks cost an estimated $7.5 billion in 2019. (Emsisoft)
- Almost 200 million ransomware attacks occurred in the first nine months of 2020 representing a large increase over the previous year. (SonicWall)
- A ransomware attack in early 2020 on the New Orleans city government cost the city upwards of $7 million. (SC Magazine)
- In February 2020, a ransomware attack cost Denmark-based company ISS upwards of $50 million. (GlobeNewswire)
- Since 2016, a total of 172 ransomware attacks have cost US healthcare organizations $172 million. (Comparitech)
- One out of five Americans has dealt with a ransomware attack. (The Harris Poll)
- Ransomware is involved in 27 percent of malware security incidents, up from 24% in 2019. (Verizon 2020 Data Breach Investigations Report)
- Ransomware payments continued their steep incline in Q3 2020. The average sits at $233,817 which is up 31% over the previous quarter and a whopping 468% over Q3 2019. (Coveware’s Q3 2020 Ransomware Marketplace report)
- The average downtime due to a ransomware attack was 19 days in Q3 of 2020 compared to 12.1 days in Q3 2019. (Coveware’s Q3 2020 Ransomware Marketplace report)
Downtime is still the most dangerous aspect of a ransomware attack, and one of the reasons data exfiltration should not present as much of a challenge to victims as business interruption.
Coveware’s Q3 2020 Ransomware Marketplace report
- Ransomware attacks can be extremely costly. For example, an attack involving the NotPetya ransomware cost shipping firm Maersk more than $200 million.
- In 2019-2020, the average global cost to remediate a ransomware attack was $761,106. (Sophos The State of Ransomware 2020)
- Organizations in India, Brazil, Turkey, Belgium, Sweden, and the US are most likely to be hit by ransomware attacks. In India, the prevalence is especially high with 82% of organizations dealing with ransomware. Brazil has the next highest rate at 65%. (Sophos The State of Ransomware 2020)
- The number of mobile ransomware Trojans decreased over the course of 2019 and the first half of 2020. Kaspersky saw 23,294 in Q2 2019 and just 3,805 in Q2 2020. (Kaspersky Labs)
- Kazakhstan, Malaysia, and the US top the list of countries attacked by mobile ransomware in terms of share of users. (Kaspersky Labs)
What makes the ransomware problem worse is that nation-states are involved. Government investigations attributed the WannaCry and NotPetya campaigns to nation-state actors. They may have started in 2017, but their effects continued into 2020. The objective was to destroy information or cause disruption rather than to derive financial benefit.
Datto’s Global State of the Channel Ransomware Report 2020 shows that ransomware is still a huge cause for concern for any type of organization, particularly SMBs. Datto surveyed more than 200 Managed Service Providers (MSPs), partners, and clients across the globe. Here are some of the key findings:
- 89 percent of MSPs state that ransomware is the most common threat to SMBs.
- 64 percent reported attacks against clients in the first half of 2019, representing an 8% increase year-on-year. However, only 5% report multiple attacks in one day, down from 15% in 2018.
- Two out of five SMBs have fallen victim to a ransomware attack.
One somewhat alarming disconnect was revealed in the report:
90% of MSPs are “very concerned” about the ransomware threat and 24% report their SMB clients feel the same.
Datto’s Global State of the Channel Ransomware Report 2020
- Phishing emails, lack of training, and weak passwords are some of the top causes of ransomware attacks.
- Downtime costs increased by 75 percent year-over-year.
- The average cost of downtime is 24 times higher than the average ransom amount.
- On the bright side, having Business Continuity and Disaster Recovery (BCDR) solutions in place is a huge plus. Three out of four MSPs said that clients with BCDR solutions recovered from an attack within 24 hours.
- The vast majority of MSPs (75%) admitted that they too are increasingly targeted in cyberattacks involving ransomware.
Individual users weren’t spared either. According to Kaspersky, 121,579 unique users were protected from ransomware attacks on their computers in Q2 2020, down from 154,720 in the same quarter of 2019.
Kaspersky also reported that the most common ransomware family in Q3 2020 was WannaCry (18.77 percent).
While ransomware infection rates are declining, increasingly more companies choose to pay the ransom. Almost half of organizations hit by ransomware pay to get their data unlocked, further fueling cyber criminal activities.
“The percentage of victimized organizations that paid associated ransoms rose considerably this year, from 45% to 57.5%,” notes Imperva in its 2020 Cyberthreat Defense Report.
In terms of geographical distribution, ransomware hit Mexico, Spain, and Italy the hardest in 2019, according to the Imperva 2020 Cyberthreat Defense Report.
Because cybersecurity is a discipline with widespread implications and interdependencies, we’re going to dive into the most prominent attack tactics next. Recent reports overflow with data that both concerns companies across industries and addresses particular issues.
Other common cyber attack tactics
Ransomware is not the only concern. Over the next sections, we’ll take a look at other common attack vectors.
Favored cyber attack tactics include cryptojacking and encrypted communication
Cryptojacking attacks made a comeback in the first half of 2020 after seeing huge declines in the latter half of 2019. Most significantly, in North America, there was a 252% increase in attacks. (Mid-Year Update: 2020 SonicWall Cyber Threat Report)
Cybercriminals now spread malware that infects victims’ computers and unlawfully uses their processing power to mine cryptocurrency, such as Bitcoin or Monero.
The falling value of cryptocurrencies may have dampened interest in cryptojacking for a while, but mining for virtual currencies on other people’s hardware is still hugely relevant. That said, the tooling is shifting:
An ongoing shift has been observed, however, from Coinhive to XMRig, another Monero cryptocurrency miner. Open-source code that is readily available, iterations of XMRig malware accounted for nearly 30 million of the 32.3 million total cryptojacking hits SonicWall observed in 2020.
Mid-Year Update: 2020 SonicWall Cyber Threat Report
In the ENISA Threat Landscape Report 2020: Cryptojacking, ENISA notes that there were 64.1 million cryptojacking hits in 2019. 39.3% of these targeted Japan.
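Cryptojacking traffic is easier to spot on the wire than most malware: XMRig and its relatives speak the Stratum protocol to a mining pool, typically on a small set of well-known ports, and the first message a miner sends is a JSON-RPC "login" that names the client software. The detector below is an added example, not code from the SonicWall or ENISA reports; the egress log format, the pool-port list and the hostname keywords are assumptions to be tuned to your own environment.

```python
"""Flag likely cryptojacking from egress proxy logs and captured Stratum
payloads. Added example; log format and indicator lists are assumptions."""
import json
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed indicator lists: ports commonly used by Monero pools, and substrings
# that appear in pool hostnames. A starting point, not ground truth.
POOL_PORTS = {3333, 4444, 5555, 7777, 8888, 9999, 14444, 45700}
POOL_NAME_RE = re.compile(r"pool|xmr|monero|coinhive|nanopool|minexmr|supportxmr", re.I)
STRATUM_RE = re.compile(r"^stratum\+(?:tcp|ssl)://", re.I)

# Constructed sample lines in an assumed format:
# "<timestamp> <src_ip> <dest_host>:<dest_port> <uri_or_sni>"
SAMPLE_LOG = """\
2020-11-18T09:01:02Z 10.0.0.15 updates.example.com:443 https://updates.example.com/feed
2020-11-18T09:01:09Z 10.0.0.23 pool.minexmr.com:4444 stratum+tcp://pool.minexmr.com:4444
2020-11-18T09:02:11Z 10.0.0.23 mail.example.com:993 imaps://mail.example.com
2020-11-18T09:03:40Z 10.0.0.41 198.51.100.7:14444 tcp://198.51.100.7:14444
"""

# Constructed XMRig-style Stratum login, the first message a miner sends to a pool.
SAMPLE_LOGIN = (b'{"id":1,"jsonrpc":"2.0","method":"login","params":{"login":"4ABCDEFWALLET",'
                b'"pass":"x","agent":"XMRig/6.4.0","algo":["rx/0"]}}')


@dataclass
class Hit:
    src: str
    dest: str
    reasons: Tuple[str, ...]


def check_line(line: str) -> Optional[Hit]:
    """Return a Hit if the log line matches any cryptojacking indicator."""
    _ts, src, dest, uri = line.split(maxsplit=3)
    host, _, port = dest.rpartition(":")
    reasons = []
    if STRATUM_RE.match(uri):
        reasons.append("stratum scheme")
    if port.isdigit() and int(port) in POOL_PORTS:
        reasons.append(f"pool port {port}")
    if POOL_NAME_RE.search(host):
        reasons.append("pool-like hostname")
    return Hit(src, dest, tuple(reasons)) if reasons else None


def scan_log(text: str) -> List[Hit]:
    """Run check_line over every non-empty line and collect the hits."""
    hits = []
    for line in text.splitlines():
        if line.strip():
            hit = check_line(line)
            if hit:
                hits.append(hit)
    return hits


def is_xmrig_login(payload: bytes) -> bool:
    """True if payload is a Stratum JSON-RPC 'login' whose agent names XMRig."""
    try:
        msg = json.loads(payload)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        return False
    if not isinstance(msg, dict) or msg.get("method") != "login":
        return False
    params = msg.get("params") or {}
    return str(params.get("agent", "")).startswith("XMRig")


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit.src} -> {hit.dest}: {', '.join(hit.reasons)}")
    print("XMRig login detected:", is_xmrig_login(SAMPLE_LOGIN))
```

A stratum scheme or a pool-like hostname is a strong signal on its own; a pool port alone is weak, since plenty of legitimate services use 4444 or 8888, and is best used to prioritise a packet capture where is_xmrig_login can confirm the client. A miner that talks to the pool over TLS or through a proxy hides the agent string, so the network indicators still matter.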
But cryptojacking is not the only attack giving CISOs, CIOs, and IT managers more trouble than they can handle. Statistics show that several threat vectors are cause for concern.
- Cybercriminals are quick to find ways to get around strengthened security; "next gen" supply chain attacks grew 420% in just 12 months. (2020 State of the Software Supply Chain)
- Cybercriminal tactics often leverage available information: 63 percent of network intrusions are the result of compromised user passwords and usernames. (Microsoft)
- Malicious documents are also a well-known infection vector that hasn’t lost its popularity: in its 2018 Annual Cybersecurity Report, Cisco found that, globally, 38% of malicious email attachments were Microsoft Office formats such as Word, PowerPoint, and Excel. (Cisco)
- Archive files, the likes of .zip and .jar, represent around 37% of all malicious file extensions Cisco observed, with malicious PDF files accounting for 14% of the total. (Cisco)
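Because these figures are about file formats, a mail gateway should classify attachments by their content rather than by the filename a sender chose. The triage routine below is an added example, not Cisco’s code: it identifies legacy OLE Office files, OOXML, PDF, JAR and plain ZIP by magic bytes and container contents, flags OOXML documents that carry a VBA project, and flags extension mismatches such as a ZIP named .pdf. The sample attachments are constructed in memory and the risk labels are an assumed policy.

```python
"""Classify email attachments by content, not extension, and flag the risky
ones. Added example with constructed samples; the risk policy is an assumption."""
import io
import zipfile
from typing import Dict, Optional

OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy .doc/.xls/.ppt (CFB container)
ZIP_MAGIC = b"PK\x03\x04"                           # .zip, .jar, .docx/.xlsx/.pptx
PDF_MAGIC = b"%PDF-"

# Assumed mapping from extension to the content kind we expect behind it.
EXPECTED_KIND = {
    "doc": "ole-office", "xls": "ole-office", "ppt": "ole-office",
    "docx": "ooxml-office", "docm": "ooxml-office", "xlsx": "ooxml-office",
    "xlsm": "ooxml-office", "pptx": "ooxml-office",
    "pdf": "pdf", "zip": "zip", "jar": "jar",
}


def zip_names(data: bytes) -> Optional[set]:
    """Member names of a ZIP container, or None if it does not parse."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return set(z.namelist())
    except zipfile.BadZipFile:
        return None


def classify(data: bytes) -> str:
    """Content kind from magic bytes and, for ZIP containers, the members inside."""
    if data.startswith(OLE_MAGIC):
        return "ole-office"
    if data.startswith(PDF_MAGIC):
        return "pdf"
    if data.startswith(ZIP_MAGIC):
        names = zip_names(data)
        if names is None:
            return "corrupt-zip"
        if "[Content_Types].xml" in names:
            return "ooxml-office"
        if "META-INF/MANIFEST.MF" in names:
            return "jar"
        return "zip"
    return "other"


def has_vba_project(data: bytes) -> bool:
    """Macro-enabled OOXML files ship their macros as a vbaProject.bin member."""
    names = zip_names(data) or set()
    return any(n.lower().endswith("vbaproject.bin") for n in names)


def triage(filename: str, data: bytes) -> Dict[str, object]:
    """Classify one attachment and apply the assumed risk policy."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    kind = classify(data)
    macros = kind == "ooxml-office" and has_vba_project(data)
    mismatch = ext in EXPECTED_KIND and EXPECTED_KIND[ext] != kind
    # Assumed policy: macros, JARs and lying extensions are high; the other
    # formats in Cisco's figures are medium because they can carry active content.
    if macros or kind == "jar" or mismatch:
        risk = "high"
    elif kind in ("ole-office", "ooxml-office", "pdf", "zip"):
        risk = "medium"
    else:
        risk = "low"
    return {"kind": kind, "macros": macros, "mismatch": mismatch, "risk": risk}


def make_zip(members: Dict[str, bytes]) -> bytes:
    """Build a ZIP in memory (used only to construct the sample attachments)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, body in members.items():
            z.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a macro-enabled Word file, a plain one, a JAR, and a
# ZIP renamed to .pdf to slip past an extension filter.
SAMPLE_DOCM = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>",
                        "word/vbaProject.bin": b"\x00\x01"})
SAMPLE_DOCX = make_zip({"[Content_Types].xml": b"<Types/>", "word/document.xml": b"<w/>"})
SAMPLE_JAR = make_zip({"META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
                       "Evil.class": b"\xca\xfe\xba\xbe"})
SAMPLE_FAKE_PDF = make_zip({"invoice.exe": b"MZ"})

if __name__ == "__main__":
    for name, blob in [("report.docm", SAMPLE_DOCM), ("notes.docx", SAMPLE_DOCX),
                       ("tool.jar", SAMPLE_JAR), ("invoice.pdf", SAMPLE_FAKE_PDF)]:
        print(name, triage(name, blob))
```

Legacy OLE files are labelled medium rather than inspected, because finding a VBA stream inside a CFB container needs an OLE parser (olefile or oletools); the point of the example is that the decision is made on bytes the attacker cannot rename away.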
Besides the already classic attack vectors, cybercriminals are also looking to piggyback on the boom in ecommerce and online shopping:
While attacks on household names make headlines, Symantec’s telemetry shows that it is often small and medium sized retailers, selling goods ranging from clothing to gardening equipment to medical supplies, that have had formjacking code injected onto their websites. This is a global problem with the potential to affect any business that accepts payments from customers online.
The increasing adoption of cloud-based platforms is still leaving cybersecurity professionals playing catch-up:
- 93% of companies deal with rogue cloud app usage (Imperva 2019 Cyberthreat Defense Report)
- 82% of cloud users have experienced security events caused by confusion over who is responsible to secure the implementations (Oracle and KPMG Cloud Threat Report 2019)
Here are some key statistics that highlight the diversity in malicious tactics and strategies:
- 35 percent of companies in a global survey were targeted by an SSL or TLS-based attack (Gartner)
- Fileless attacks are increasingly effective at evading detection; as a consequence, the trend is bound to increase. Indeed, fileless attacks were used in 77% of successful compromises in 2018 and increased in prevalence by a huge 265% in Q1 2019. (ENISA Threat Landscape 2020 – Malware)
- Financial trojans may have steadily declined in volume but they’re still one of the biggest threats to consumers; the most prevalent financial trojan of 2019 was Emotet (ENISA Threat Landscape 2020 – Malware)
- In 2019, polymorphic malware accounted for almost 94% of all malicious executables (2020 Webroot Threat Report)
Physical attacks are also on the rise, as cybercrime statistics show:
- 20% of cybersecurity incidents in 2019 started or finished with a physical action (ENISA Threat Landscape 2020 – Physical Threats)
- Physical attacks on ATMs were the fifth most frequently implemented malicious action on assets (ENISA Threat Landscape 2020 – Physical Threats)
- A physical attack was the main method in 54% of all data breaches (ENISA Threat Landscape 2020 – Physical Threats)
- None of this is helped by the fact that 65% of employees said they behaved in ways or adopted practices that may risk physical security (ENISA Threat Landscape 2020 – Physical Threats)
- In Europe, black box ATM attacks increased by 269% in the first half of 2020 compared to the first half of 2019. Related losses rose from €1,000 to over €1 million year-on-year. (European Association for Secure Transactions (EAST) European Payment Terminal Crime Report)
The numbers are climbing when it comes to internal threats too: 88% of organizations recognize that insider threats are a cause for concern, although it’s noted that harm caused by insiders may be unintentional (ENISA Threat Landscape 2020 – Insider Threat)
Motivations are also changing, moving from making money through nefarious tactics to collecting data that can be used to cash out on multiple subsequent attacks:
The most likely reason for an organization to experience a targeted attack was intelligence gathering, which is the motive for 96 percent of groups. (Symantec Internet Security Threat Report 2019)
DDoS attacks grow in both duration and frequency
With more unsecured devices connecting to the internet than ever, cybercriminals are taking full advantage of their processing power. Once recruited into botnets, they harness their collective power to launch powerful DDoS attacks that companies can barely survive.
Here are some statistics that illustrate this growing issue:
- Netscout Threat Intelligence saw 4.83 million DDoS attacks in 1H 2020. This is roughly 26,000 attacks a day or 18 attacks per minute. (NETSCOUT Threat Intelligence Report Findings from 1H 2020)
- The same report found that the number of multi-vector attacks (those using 15+ vectors) increased 2,851% from 2017 to 2020 (NETSCOUT Threat Intelligence Report Findings from 1H 2020)
- The EMEA region saw the largest increase in DDoS attacks, while the number of attacks in the APAC region actually decreased (NETSCOUT Threat Intelligence Report Findings from 1H 2020)
- The duration of attacks decreased by around 51% in 1H 2020, with Netscout noting that this year saw attacks of shorter duration but increased complexity. (NETSCOUT Threat Intelligence Report Findings from 1H 2020)
- The distribution of attacks by country sees China having the lion’s share (71% in Q3 2020) of attacks and the US experiencing 15% of attacks in Q3 2020. (Kaspersky Labs)
Phishing attacks reach their highest level in 3 years
Malicious hackers and scammers are getting craftier at creating and sending phishing emails that trick even the most cautious users. The data shows that this is a constant cause for concern with no sign of slowing down in terms of effectiveness.
- In Q3 of 2020, APWG detected almost 572,000 unique phishing websites and observed more than 367,000 unique phishing email subjects. (APWG’s Phishing Activity Trends Report for Q3 2020)
- More than 60% of phishing attacks involve keyloggers. (Cofense’s Phishing Threat and Malware Review Q3 2020)
- The most frequent targeted attack vector is spear phishing. (Symantec’s Internet Security Threat Report 2019)
- Small organizations receive malicious emails at a higher rate. (Symantec’s Internet Security Threat Report 2019)
- Mining companies are most likely to receive malicious emails. (Symantec’s Internet Security Threat Report 2019)
- Webmail and SaaS users are the biggest targets of phishing attacks. (APWG’s Phishing Activity Trends Report for Q3 2020)
- Phishing is the number one type of threat action involved in data breaches. (Verizon’s 2020 Data Breach Investigation Report)
- Verizon reports that 30 percent of phishing emails in the U.S. are opened, with 12 percent of those targeted by these emails clicking on infected links or attachments (Verizon)
- 74% of phishing sites used HTTPS in the last quarter of 2019, compared to just 32% two years earlier. (ENISA Threat Landscape 2020 – Phishing)
- Almost 43% of malicious attachments in 2019 were Microsoft Office documents. (ENISA Threat Landscape 2020 – Phishing)
- More than 95% of malware-distributing emails require human action such as following links or accepting security warnings. (ENISA Threat Landscape 2020 – Phishing)
The most frequently used subject lines in attacks include:
- Follow up
- Are you available?/Are you at your desk?
- Payment Status
- Invoice Due
- Direct Deposit
According to ENISA, the word "payment" appears in 32.5% of all attack email subjects. (ENISA Threat Landscape 2020 – Phishing)
- Monday is the most popular day to send out phishing messages with 30% of emails being delivered on that day. (ENISA Threat Landscape 2020 – Phishing)
Phishing and other types of email fraud rely heavily on impersonation to make their attacks more effective. Bad actors prefer deceptive display names, which most mail clients show in place of the actual address, over typosquatting or domain spoofing.
During December 2019 through June 2020, Agari data indicates 68% of all identity-deception based attacks leveraged display name deception aimed at impersonating a trusted individual or brand—typically an outside vendor, supplier or partner.
- The most frequently impersonated brands are Microsoft (19% of the time) and DHL (9% of the time). (Check Point Research Q3 2020 Brand Phishing Report)
- Others in the top 10 included Google, PayPal, Netflix, Facebook, Apple, WhatsApp, Amazon, and Instagram. (Check Point Research Q3 2020 Brand Phishing Report)
- When it comes to fooling executives, scammers, spammers, and other bad actors leverage the popularity of brands, with Zoom, Amazon, and DHL the most impersonated in Q2 2020 (Abnormal Security Quarterly BEC Report for Q2 2020)
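Display-name deception works because the client shows the name and hides the address. A gateway rule that reads the actual address behind the name and compares its domain with the domains a trusted brand or colleague really sends from catches most of it, and a Reply-To pointing somewhere else is the usual second tell. This is an added example, not Agari’s or Check Point’s detection logic; the TRUSTED allowlist, the sample headers and the domains in them are constructed for illustration.

```python
"""Flag display-name deception and Reply-To redirection in email headers.
Added example; the allowlist and sample messages are constructed."""
import re
from email import message_from_string
from email.utils import parseaddr
from typing import Dict, List, Set

# Assumed allowlist: lower-case names/brands people trust, mapped to the
# domains that legitimately send mail under that name.
TRUSTED: Dict[str, Set[str]] = {
    "microsoft": {"microsoft.com", "microsoftonline.com"},
    "dhl": {"dhl.com", "dhl.de"},
    "jane doe": {"example.com"},  # a colleague or executive
}

# Matches an email address written inside the display name itself.
EMBEDDED_ADDR_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def analyze_from(from_header: str) -> List[str]:
    """Check one From: value for a display name that does not match its address."""
    name, addr = parseaddr(from_header)
    dom = domain_of(addr)
    name_l = name.lower()
    findings = []
    for trusted_name, domains in TRUSTED.items():
        if trusted_name in name_l and dom not in domains:
            findings.append(
                f"display name claims '{trusted_name}' but address domain is {dom or '<none>'}")
    m = EMBEDDED_ADDR_RE.search(name)
    if m and m.group(1).lower() != dom:
        findings.append(
            f"display name embeds an address at {m.group(1).lower()}, real domain is {dom}")
    return findings


def analyze_message(raw: str) -> List[str]:
    """Run the From: check and also flag a Reply-To at a different domain."""
    msg = message_from_string(raw)
    from_header = msg.get("From", "")
    findings = analyze_from(from_header)
    _, from_addr = parseaddr(from_header)
    reply_to = msg.get("Reply-To")
    if reply_to:
        _, reply_addr = parseaddr(reply_to)
        if domain_of(reply_addr) != domain_of(from_addr):
            findings.append(
                f"Reply-To domain {domain_of(reply_addr)} differs from From domain {domain_of(from_addr)}")
    return findings


# Constructed sample messages.
SAMPLE_PHISH = (
    "From: \"DHL Express Delivery\" <notice@parcel-status-update.info>\r\n"
    "Reply-To: support@freemail-provider.example\r\n"
    "Subject: Payment Status\r\n\r\n"
    "Your parcel is on hold until the customs fee is paid.\r\n"
)
SAMPLE_LEGIT = (
    "From: Jane Doe <jane.doe@example.com>\r\n"
    "Subject: Follow up\r\n\r\nSee you at 3.\r\n"
)
# Display name that is itself an address at the impersonated domain.
SAMPLE_EMBEDDED = "\"ceo@example.com\" <rnd2931@webmail.example.net>"

if __name__ == "__main__":
    for label, raw in [("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)]:
        print(label, analyze_message(raw))
    print("embedded", analyze_from(SAMPLE_EMBEDDED))
```

A Reply-To at a different domain is common in legitimate bulk mail, so weight it lower than the name-versus-domain check; the real value is in maintaining the allowlist for your own executives and vendors, which is exactly the set of names the Agari figure says attackers borrow.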
Spam continues to be a dominant force in email-based cybercrime
Channels may change, but spam is one of those attack tactics that’s bound to stick with us for the foreseeable future and quite possibly beyond it. Some of the allures of spam for cybercriminals are its ease of execution and potential to reach a huge number of victims. One common scheme doing the rounds in 2020 involved spam emails from large companies requesting that recipients call a support number. Upon calling, they would be asked by the fake support team to hand over details including their full name and banking information.
Scammers like such schemes, because sending spam is much cheaper and easier than calling potential victims.
- In Q3 2020, the average portion of spam in mail traffic was 48.91%. This was down slightly over the previous reporting period. (Kaspersky Spam and Phishing in 2020)
- The countries most likely to be targeted with malicious emails are Spain (7.76%), Germany (7.05%), and Russia (5.87%). (Kaspersky Spam and Phishing in 2020)
- Russia and Germany are the top spam-source countries, generating 23.52% and 11.01% of spam respectively. (Kaspersky Spam and Phishing in Q3 2020)
Cybercriminals are not content with just using the billions of email addresses leaked through data breaches. They’re also validating their lists of potential victims and bypassing spam filters in ever clever ways:
Spammers manipulated feedback forms on the websites of large companies used to ask questions, express wishes or subscribe to newsletters. However, in this reporting year, instead of spamming the company’s linked mailboxes, the spammers exploited low levels of website security, bypassed any reCAPTCHA tests and registered multiple accounts with valid e-mail information. As a result, victims received a legitimate reply from the company, including the spammer’s message. In this way, even Google Forms was manipulated to retrieve user data and send commercial spam.
- Spam was the most popular type of threat leveraging COVID-19. (ENISA Threat Landscape Report 2020 – Spam)
- 65.7% of COVID-19 related threats were spam email while 26.8% were malware. (ENISA Threat Landscape Report 2020 – Spam)
Most cybercrime now leverages mobile channels
More devices, more problems. From BYOD to malicious apps with millions of downloads, cybercriminals have plenty of opportunities to exploit, scam, and extort victims in both corporate and private environments.
- Most cybercrime is now mobile. 70% of online fraud is accomplished through mobile platforms. (RSA 2019 Current State of Cybercrime Report)
- Additionally, there has been a 680% increase in the number of fraud transactions originating from mobile apps. (RSA 2019 Current State of Cybercrime Report)
- On average, 82 rogue apps are identified each day. (RSA 2019 Current State of Cybercrime Report)
- The top categories for malicious apps are Tools/Personalization/Productivity (22.32%), Games (18.97%), Entertainment/Lifestyle/Shopping (15.76%), Communication/Social/News & Magazines (9.72%), Music & Audio/Video Players & Editors/Media & Video (9.23%). (Upstream Secure-D Mobile Ad Fraud 2019 Report)
- Secure-D identified almost 98,000 malicious apps, a 55% increase over 2018. (Upstream Secure-D Mobile Ad Fraud 2019 Report)
- Secure-D had to block 1.6 billion transactions (a shocking 93% of total transactions) as fraudulent. This represented $2.1 billion worth of transactions. (Upstream Secure-D Mobile Ad Fraud 2019 Report)
- Secure-D detected more than 43 million infected devices in 2019, compared to 30 million in 2018. (Upstream Secure-D Mobile Ad Fraud 2019 Report)
- In corporate contexts, decision-makers are aware of the issue: 83% of them said that their organization was at risk from mobile threats and 86% agreed that mobile threats are growing faster than others (Verizon Mobile Security Index 2019)
- What amplifies the issue is the lack of preparedness: 67% of organizations confessed they are less confident about the security of their mobile assets than other devices in their network (Verizon Mobile Security Index 2019)
- In spite of these realizations, 43% of companies said they sacrificed mobile security to “get the job done” in 2020. That said, this was lower than the 48% in 2019. (Verizon Mobile Security Index 2020)
- Consequences are inevitable: 39% of surveyed organizations suffered a compromise involving a mobile device in 2019 whose impact was significant (Verizon Mobile Security Index 2019)
- 66% of compromised companies described the incident as “major” (Verizon Mobile Security Index 2020)
- Mobile banking malware saw a surge in the first half of 2019, increasing by 50%. (ENISA Threat Landscape Report 2020 – Malware)
- "The most popular banking malware during 2019 was Asacub (44.4%), Svpeng (22.4%), Agent (19.1%), Faketoken (12%) and Hqwar (3.8%)." (ENISA Threat Landscape Report 2020 – Malware)
- Phishing attacks on mobile devices are becoming increasingly common. In North America, the Q1 2020 encounter rate of enterprise mobile phishing was 24.71%, a 331% increase. (Lookout’s The State of Mobile Phishing)
Managing cybersecurity vulnerabilities improves but still troubles companies and countries around the world
Software and hardware vulnerabilities continue to be topics of prime importance for the tech world. Let’s explore some highlights that stand out from the numerous reports cybersecurity companies created on the topic:
- 18,362 vulnerabilities were published on the NVD database in 2020 which was slightly higher than the number in 2019 (17,382). (NVD Database)
- A significant portion (13%) of vulnerabilities are considered critical. (CVE Details)
- Almost 90% of web applications are vulnerable to exploits. (Positive Technologies)
- On the plus side, the severity of vulnerabilities seems to be declining as the portion of websites with high-risk vulnerabilities decreased by 17% in 2019 compared to 2018. (Positive Technologies)
- 2019 marked a change, with "Detection of rogue insiders / insider attacks" displacing app development and testing as the most challenging security process for organizations (Imperva 2020 Cyberthreat Defense Report)
- On the bright side, 78.7% of organizations considered their organization made improvements in managing vulnerabilities and handling patch management (Imperva 2019 Cyberthreat Defense Report)
- Still, over 75 percent of large companies (500+ employees) rely on the antivirus software that came pre-installed on their computer equipment, which may not be the most effective countermeasure (NDIA 2019 Cybersecurity Report)
Reports show that security vulnerabilities in web apps continue to be a huge problem, with more than one-third of internet-facing web applications considered high risk.
What’s more, the issue is so pervasive that even countries are working on this aspect. 60% of states are reviewing code and conducting application security testing in 2020. This is a 6% increase over 2019. (Deloitte-NASCIO Cybersecurity Survey 2020)
Thankfully, there are plenty of people working to discover and patch vulnerabilities, many through bug bounty programs:
- Google paid out $2.5 million in bug bounties in 2019 and has paid a total of $21 million since 2010. (Google)
- Microsoft paid almost $14 million worth of bug bounties in 12 months. (Microsoft)
- Facebook has a bounty program too and awarded around $2 million in just under 10 months in 2020. Its largest payout to date was $80,000. (Facebook)
The volume of IoT attacks is increasing
As the number of IoT devices continue to multiply wildly, so do the security issues associated with it. The numbers speak for themselves.
The number of Internet connected devices is expected to increase from 31 billion in 2020 to 35 billion in 2021 and 75 billion in 2025.
- In the first half of 2019, the number of cyberattacks on IoT devices increased by 300%. (F-Secure Attack Landscape H1 2019)
- This represented 2.9 billion events and was the first time numbers have surpassed a billion. (F-Secure Attack Landscape H1 2019)
- 69% of enterprises have networks that are made up of more IoT devices than computers. (Forrester State of Enterprise IoT Security in North America)
- 84% of security professionals think that computers are less vulnerable than IoT devices. (Forrester State of Enterprise IoT Security in North America)
- Security incidents involving IoT devices have impacted 67% of enterprises. (Forrester State of Enterprise IoT Security in North America)
- Only around 21% of security professionals think their current security controls are adequate. (Forrester State of Enterprise IoT Security in North America)
- Security is a primary concern for IoT developers with 39% making it a top priority. (Eclipse 2020 IoT Developer Survey Key Findings)
The overall volume of IoT attacks remained high in 2018 and consistent compared to 2017. Routers and connected cameras were the most infected devices and accounted for 75 and 15 percent of the attacks respectively.
- The most widely used techniques in IoT security are communication security (43%) and data encryption (41%). (Eclipse 2020 IoT Developer Survey Key Findings)
- Default credentials remain a core IoT attack tactic, so the biggest IoT security issues that need to be solved are authentication/authorization (32%), followed by access control (15%) and data encryption (14%) (IoT Security Market Report 2017-2022)
- 57% of IoT devices may be vulnerable to attack. (Palo Alto Networks The Connected Enterprise: IoT Security Report 2020)
- Only 4% of respondents believe there is no room for improvement in their IoT security practices; 17% believe a total overhaul is needed. (Palo Alto Networks The Connected Enterprise: IoT Security Report 2020)
- Only around one in five IT decision-makers use micro-segmentation to improve IoT device security. (Palo Alto Networks The Connected Enterprise: IoT Security Report 2020)
Social media scams and attacks spread like wildfire
With billions of users and everyday usage skyrocketing, social media platforms became a goldmine for cybercriminals and scammers.
Attitudes regarding social media seem to be changing but behaviors aren’t following suit, which leaves bad actors with plenty of opportunities to steal data and defraud users across the globe.
- Facebook breaches were responsible for a whopping 849 million leaked records in 2019. (Comparitech)
- 96% of Baby Boomers are distrustful of social media when it comes to protecting their data, followed by 94% of Gen Xers, 93% of Gen Z, and 92% of Millennials. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
An overwhelming majority of all users (94 percent) refrain from sharing personal information on social media and 95 percent of polled users felt an overall sense of distrust for social media networks. If given the option to “choose the lesser evil,” they’d rather forgo using social media than search engines.
The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes
- Given that crimes involving social media grew more than 300-fold between 2015-2017 in the US, this is quickly becoming one of the most pressing issues in the tech world (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
- Facebook-related crime grew 19% in the UK in 2019. (The Commentator)
- A 2019 report found that Instagram was the most commonly used platform for child grooming (NSPCC)
Over 1.3 billion social media users have had their data compromised within the last five years and between 45-50% of the illicit trading of data from 2017 to 2018 could be associated with breaches of social media platforms, like LinkedIn and Facebook.
Bromium Into The Web of Profit – Social media platforms and the cybercrime economy
- The social media issue goes even deeper: 59% feel it’s unethical for social media platforms to tailor newsfeeds (RSA Data Privacy & Security Survey 2019)
- 67% of UK consumers believe recommendations based on purchase/browsing history are unethical (RSA Data Privacy & Security Survey 2019)
- Speaking of newsfeeds, did you know that around 30-40% of social media infections come from infected ads? (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
- Cybercriminals are also leveraging social media to promote their hacking services: around 30-40% of the social media platforms feature accounts offering some form of hacking activities (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
- No wonder 34% of US adults don’t trust social media companies at all with safeguarding their personal data (Statista)
- RSA found 500 social media groups dedicated to fraud, with a total of 220,000 members. 60% of those were on Facebook. (RSA 2020 Hiding in Plain Sight Report)
- WhatsApp is a popular fraud communication channel while Twitter is not preferred. (RSA 2020 Hiding in Plain Sight Report)
- During its study, RSA discovered over 15,000 compromised credit cards publicized on various social media networks. (RSA 2020 Hiding in Plain Sight Report)
- At least 20% of social media infections stem from add-ons or plugins for social media platforms (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
- Social media phishing is on the rise with social channels accounting for 8% of attacks. (ENISA Threat Landscape Report – Phishing)
Data breaches and leaks expose everyone, becoming the fourth most important global risk for the next decade
So much personal and confidential data has leaked onto the web that it’s becoming a societal issue. Regulators around the world are trying to find solutions for this but, until they do, the onslaught continues.
- In 2019, there were a total of 1,473 data breaches affecting US consumers. This is up around 200 over 2018’s figure of 1,257. (Identity Theft Resource Centre)
- The largest data breach so far in 2020 involved the leak of 120 million records from Tetra, a marketing analysis firm. (Upguard)
- Other large breaches have affected LimeLeads (49 million records), Wawa (30 million), and MGM (10.6 million). (Comparitech)
- “Massive data fraud and theft” ranked as the fourth most important global risk for the next 10 years, followed by cyberattacks at number five (The Global Risks Report 2019 – World Economic Forum)
- Cybersecurity company RSA predicts mass data breaches will continue to play a large role in cybersecurity threats. (RSA)
- 28% of data breaches involved small business as victims (Verizon 2020 Data Breach Investigations Report)
- 22% included social engineering attacks, with phishing, pretexting, and bribery as the most common malicious actions (Verizon 2020 Data Breach Investigations Report)
- 86% of breaches were financially motivated (Verizon 2020 Data Breach Investigations Report)
- Errors caused 22% of data breaches in 2018 (Verizon 2020 Data Breach Investigations Report)
- The most frequently compromised sets of data in breaches are internal information, credentials, personal data, medical information and payment details (Verizon 2019 Data Breach Investigations Report)
- In 2017, Wikileaks released a stash of over 8,000 classified CIA documents. (New York Times)
- That same year, hackers released 2GB of emails from French presidential candidate Emmanuel Macron. (Reuters)
- McAfee finds the average number of records lost to hacking in 2017 was 780,000 per day. (McAfee)
- As a result of the growing number of data breaches, personal data is easier to buy on the dark web than ever. Bromium reports personal data (social security information, date of birth, residential addresses, etc.) can cost as little as $3. (Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy)
- A large amount of private and stolen consumer information is being shared online through social media groups built around such activity. Credit card services make up 53% of the topics discussed in such groups, followed very distantly by account takeovers with 16% (RSA)
Malicious cyber-attacks and lenient cybersecurity processes again led to massive breaches of personal information in 2018.
The largest was in India, where the government ID database, Aadhaar, reportedly suffered multiple breaches that potentially compromised the records of all 1.1 billion registered citizens.
It was reported in January that criminals were selling access to the database at a rate of 500 rupees ($7.30) for 10 minutes, while in March a leak at a state-owned utility company allowed anyone to download names and ID numbers.
The Global Risks Report 2019 – World Economic Forum
- The most affected industries by breaches targeting payment card data are retail (24%) and finance and insurance (18%) (2020 Trustwave Global Security Report)
- 32% of information security professionals admitted that breaches affected more than half of their systems, more than double the 2016 figure (15%) (Cisco Annual Cybersecurity Report 2018)
- Besides financial costs, 55% of organizations have had to manage the public scrutiny of a breach (Cisco Annual Cybersecurity Report 2018)
- 17% of organizations cited losing their customers’ information as their biggest fear (EY Global Information Security Survey 2018-2019)
- Around 20% of breaches took several months or longer to discover (Verizon 2020 Data Breach Investigations Report)
- There’s been a 141% increase in North America, a 22% decrease in Europe, and a 36% decrease in Asia in terms of volume of compromised credentials, and this is just counting the figures reported over the past year (ENISA Threat Landscape Report 2018)
- Nearly 47% of data breaches in the public sector were discovered years after the initial attack (Verizon 2019 Data Breach Investigations Report)
- Public institutions suffered the highest volume of attacks: from a total of 23,399 incidents, 330 breaches featured confirmed data disclosure (Verizon 2019 Data Breach Investigations Report)
- 2 million identities were stolen and used to leave fake comments during a US inquiry into net neutrality (EY Global Information Security Survey 2018-2019)
- 1,946,181,599 records containing personal and other sensitive data were compromised between January 2017 and March 2018 (EY Global Information Security Survey 2018-2019)
- $3.62m was the average cost of a data breach in 2018 (EY Global Information Security Survey 2018-2019)
- In the UK, the average cost of a breach is £3,100 for small businesses, £16,100 for medium businesses, and £22,300 for large businesses (ENISA Cyber Security Breaches Survey 2018)
- The average global cost for a data breach is $7,611 (Verizon 2019 Data Breach Investigations Report)
- Breaching social media platforms accounted for the highest number of records spilled onto the internet in 2018 (56%). Facebook accounted for over 2.2 billion records and Twitter for 336 million records (ENISA Threat Landscape Report 2018)
- Healthcare records the largest number of data breaches (27%), with the most severe incident exposing 3.5 million records (ENISA Threat Landscape Report 2018)
- In healthcare, 60% of attacks that target data are carried out by insiders, higher than any other industry (Verizon 2019 Data Breach Investigations Report)
- Identity theft remains the main type of data breach with 56% – as has been the case since 2013 (ENISA Threat Landscape Report 2018)
EY Global Information Security Survey 2018-2019
- In spite of these appalling statistics, only 17% of organizations report breaches in their information security reports (EY Global Information Security Survey 2018-2019)
- Another worrisome aspect is that “10% of the UK healthcare organizations have been breached more than 10 times in the last year” (ENISA Threat Landscape Report 2018)
- 33% of healthcare companies cite careless or unaware employees as the vulnerability that has most increased their risk exposure over the past 12 months (EY Global Information Security Survey 2018-2019)
- Command and control (C2) is the most common form of attack (47%) in data breach incidents, followed by ransomware with 28% (Verizon 2019 Data Breach Investigations Report)
- 38% of energy companies admit that it would be unlikely they could detect a sophisticated breach (EY Global Information Security Survey 2018-2019)
- Surprisingly, device loss accounts for around 50% of all breaches (ENISA Threat Landscape Report 2018)
- Europol reports external individual malicious actors carried out 73% of the breaches, while 50% were attributed to organized crime groups (ENISA Threat Landscape Report 2018)
- 84% of data breaches caused by botnets in 2018 were in Finance and Insurance, 10% in Information, and 5% in Professional, Scientific, and Technical Services (Verizon 2019 Data Breach Investigations Report)
- Data breaches caused by botnet attacks covered 180 countries and territories in 2018 (Verizon 2019 Data Breach Investigations Report)
- 98.5% of security incidents and 88% of data breaches can be classified in one of the nine patterns information security professionals established years ago: POS intrusion, web app attack, insider and privilege misuse, physical theft or loss, miscellaneous errors, crimeware, payment card skimmers, Denial of Service, and cyber-espionage (Verizon 2019 Data Breach Investigations Report)
Additionally, our own research at Comparitech highlights that Wall Street swiftly reacts to data breaches. We analyzed how cybersecurity breaches impact stock market prices and found out that:
- On average, stocks immediately experience a drop of 0.43% in share price following a breach
- Long-term effects include a much slower upturn in share prices. We observed a 45.6% increase in share prices during the three years prior to the breach, and only a 14.8% growth in the three years following the compromise
- Breached companies recover to NASDAQ’s pre-breach performance level after 38 days on average, but three years after the breach they still underperform the index by a margin of over 40%
- When they suffer a data breach, financial organizations experience an immediate decline in share price whereas internet businesses (e-commerce, social media, etc.) most frequently endure long-term effects
- Larger breaches have less of a negative influence on share prices than smaller breaches
- Breaches involving credit card details and social security numbers register a more significant negative impact on share prices than leaks containing less sensitive info, such as email addresses.
The entire analysis reveals other interesting consequences for breached companies, both in terms of financial aspects and nonfinancial ones, such as reputation and brand trust.
Users are more worried about cybercrime statistics but fail to follow through with protecting their assets
Cybersecurity statistics clearly show that technology has its limitations when it comes to safeguarding assets such as confidential data and money. To truly make strides in better protection from cybercriminals and online crooks, user behavior must be improved as well.
- Up to 73% of users reuse passwords across their online accounts, which inherently leads to a higher risk of password theft and credential misuse. (RSA Data Privacy & Security Survey 2019)
- 66% of surveyed users said they simply skim through or do not read End-User License Agreements or other consent forms. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
- Only 47% know which permissions their apps have. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
- 71% of Americans worry about having their personal, credit card or financial information stolen by malicious hackers. (Statista)
- 78% of people in the UK are most concerned about identity theft resulting in financial loss. (RSA Data Privacy & Security Survey 2019)
- 96% of people polled for a study mention they care about their privacy, and 93% of them use security software. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
- 42% of Gen Z stated they feared blackmail in 2018. On average, only 34% of all respondents were concerned about this threat. (RSA Data Privacy & Security Survey 2019)
- 75% of consumers now limit the amount of personal information they share online (RSA Data Privacy & Security Survey 2019)
- And they do so for good reason: internationally, 36% of people surveyed by RSA said their personal information was compromised in a data breach over the last 5 years, and 45% of US respondents confirmed the same. (RSA Data Privacy & Security Survey 2019)
- What’s more, 58% of U.S. respondents said they’d consider divesting from companies that disregard protecting their data. (RSA Data Privacy & Security Survey 2019)
- Surprisingly, 76% of consumers in 21 countries acknowledge the importance of keeping their account information secure, yet many still share their passwords and engage in other risky behaviors with their data. A further 35% allow at least one device to go unprotected and vulnerable to all forms of viruses and malware. (Symantec)
- But there’s good news as well: a little over 53% of people now use password managers. (The Blinding Effect of Security Hubris on Data Privacy by Malwarebytes)
- A vast majority of U.S. consumers (80 percent) now have a home internet network. One in ten has also experienced a cyber attack through their home networks. (Hartford Steam Boiler)
- 72 percent of people globally believe that connected home devices offer hackers new ways to steal data. (Symantec)
- But the downside is that 41% of people cannot properly identify a phishing email and are often unsure about an email’s legitimacy. (Symantec)
- Cyberbullying is a primary concern in the US, where 64 percent of parents believe their children are more likely to experience bullying. By comparison, only 31 percent of parents in Germany share this concern. (Symantec)
- In the past year, nearly 700 million people in 21 countries experienced some form of cybercrime. (Symantec)
The issues are even bigger in an organizational environment, whether private or public:
- 1 out of 3 employees risk running malware on a work computer (Penetration testing of corporate information systems: statistics and findings 2019 – Positive Technologies)
- When penetration testers were on the field, they discovered that 1 out of 7 employees engaged in dialog with an imposter and disclosed confidential information (Penetration testing of corporate information systems: statistics and findings 2019 – Positive Technologies)
- 1 out of 10 employees entered account credentials in a fake authentication form (Penetration testing of corporate information systems: statistics and findings 2019 – Positive Technologies)
- 1,464 government officials in one state used “Password123” as their password (EY Global Information Security Survey 2018-2019)
- Over 74 percent of surveyed small businesses state that they’ve never been the victim of a successful cyber attack (in contrast to other data which reports higher rates of successful attacks against small businesses). (NDIA 2019 Cybersecurity Report)
GDPR statistics
GDPR came into force on May 25, 2018, and everyone rushed to comply, fearing huge fines and other legal repercussions. Did it work as expected? Let’s check what the numbers have to say.
The UK Information Commissioner’s Office (ICO), for example, received 6,281 data protection complaints between May 25, 2018 (when the new regulation came into force) and July 3, up from 2,417 in the same period the previous year.
- From May 25, 2018, to mid-March 2019, supervisory authorities in the 31 countries that make up the European Economic Area reported 206,326 cases of GDPR infringement (European Data Protection Board)
- Issued fines totaled up to 55,955,871 EUR, most of which was the huge fine Google received in France (European Data Protection Board)
European Data Protection Board
- 28% more self-reported data breaches were recorded in 2017-2018 compared to the previous year, as a result of the mandatory reporting imposed by the GDPR (ENISA Threat Landscape Report 2018)
- One of the less fortunate consequences of regulation was GDPR-themed spam:
A large number of GDPR-themed spam emails have been observed during the first quarter of 2018. This spam activity included mostly paid seminars, webinars and workshops related to the new EU’s privacy regulation.
ENISA Threat Landscape Report 2018
- 49% of organizations in EMEA said that they were not well prepared for GDPR (The Trust Factor by Radware)
- More than 42,230 complaints from individuals have been registered across Europe (The European Data Protection Board)
- The privacy regulator in Poland fined a company over £187,000 under GDPR provisions for scraping public data and reusing it commercially without notifying the respective consumers (InfoSecurity Magazine)
Cost of cybercrime stats
There’s a lot of data to dig into when it comes to the financial toll of cybercrime. Seeing the shocking figures below could help encourage proactive behavior when it comes to cyber defenses.
The big-picture view is that up to 0.80 percent of the world’s GDP is now being lost to cybercrime, according to McAfee.
Over the next 5 years, companies in the private sector “risk losing an estimated US$5.2 trillion in value creation opportunities from the digital economy—almost the size of the economies of France, Italy and Spain combined—to cybersecurity attacks.”
Though it constitutes a relatively new criminal economy, cybercrime is already generating at least $1.5 trillion in revenues every year.
Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy
It’s perfectly understandable to feel a bit overwhelmed by these figures. Even when looking at yearly developments, the data is a compelling argument for improving cybersecurity strategies.
In just one year, the initial costs attributable to cyberattacks increased 52% to $1.1 million.
The Trust Factor by Radware
The varied ways in which cyber criminals amass these large sums of money range from massive operations to spray-and-pray attacks, the latter targeting a large number of victims in the hope of compromising some of them.
Revenue generation in the cybercrime economy takes place at a variety of levels – from large ‘multinational’ operations that can generate profits of over $1 billion; to smaller, small scale operations, where profits of $30,000- $50,000 are more the norm.
Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy
Wondering how they manage to move these huge sums without being caught? Here’s what the studies reveal about money laundering alone:
Around 10% or more of the estimated $1.6-$2 trillion of laundered money being circulated globally can be attributed to revenues derived from cybercrime – totalling up to $200 billion.
Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy
However, malicious hackers and scammers are also spending money, “investing” in assets that can make their attacks more effective:
A zero-day Adobe exploit can cost $30,000.
A zero-day iOS exploit can cost up to $250,000.
Malware exploit kits cost $200-$600 per exploit.
Blackhole exploit kits cost $700 for a month’s leasing, or $1,500 for a year.
Custom spyware costs $200.
One month of SMS spoofing costs $20.
A hacker-for-hire costs around $200 for a small hack.
Bromium Into The Web of Profit – Understanding the growth of the cybercrime economy
Other things for sale on the Dark Web include access to compromised systems and organizations. Price points start at “50 cents to $400 for RDP access, and roughly $1,000 to $20,000 for broader access to a compromised organization” (Secureworks State of Cybercrime Report 2018).
Marketplaces are larger than one might imagine: just 25 Dark Web sites that provided access to tools and information for cybercriminal activities counted over 3 million registered users (ENISA Threat Landscape Report 2018)!
There are approximately 6,300 marketplaces selling ransomware in the dark web with 45,000 product listings.
It also doesn’t help that unscrupulous hosting providers enable cybercriminals to carry out their attacks anonymously by giving them access to anonymized servers and Internet access for as little as $100-300/month (Secureworks State of Cybercrime Report 2018).
While vulnerabilities, tools, and the hosting that enables bad actors to exploit them can be pricey, the personal data used in attacks comes dauntingly cheap:
Today, account credentials may sell for as little as $0.20 up to $15 USD.
RSA 2018 Current State of Cybercrime
Full data profiles that include biographic information and payment card data don’t break the bank either: they are advertised for prices as low as $10 to $25 (Secureworks State of Cybercrime Report 2018).
A different report confirms these prices: “as of March 2018, ca. 500,000 email accounts with passwords were priced at US $90 in the Dark Web” (ENISA Threat Landscape Report 2018).
Statistics about current and future cybersecurity costs abound and cover multiple angles:
- $15 billion: the value of cryptocurrency stolen from online exchanges between 2012 and 2017 (2018 Trustwave Global Security Report)
- Business email compromise (BEC) and email account compromise (EAC) led to financial losses of up to $12.5 billion between October 2013 and May 2018, as reported by the FBI (Secureworks State of Cybercrime Report 2018)
- $5 billion: the value of associated losses caused by account takeovers in 2017, when this type of attack tripled in frequency (RSA 2018 Current State of Cybercrime)
- $5 billion: the estimate for damages arising from ransomware attacks in 2017 (Europol Internet Organised Crime Threat Assessment – IOCTA 2018)
- $3.25 billion: global revenue generated by social media-enabled crimes (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
- $3.2 billion: this is the level that global smart grid cybersecurity spending will reach by 2026 (Smart Energy)
- $1.7 billion: how much energy utilities spent in 2017 on protecting their systems from cyber-attacks. (The Global Risks Report 2019 – World Economic Forum)
Other criminal groups have targeted ATM infrastructure directly.
In March 2018, Europol arrested “Denis K,” a Ukrainian national and alleged malware developer, in Spain for his part in a series of thefts since 2013 that Europol estimated had cost €1 billion to banks in more than 40 countries.
Spain’s Interior Ministry reported at the time that Denis K had personally accumulated about 15,000 bitcoins (roughly $120 million USD, at the time it was reported) from this activity.
Secureworks State of Cybercrime Report 2018
- $530 million: the cost of the January 2018 Coincheck hack, the biggest cryptocurrency heist to date. (Time Money)
- 1% of business executives who consider cybercrime the most disruptive fraud lost more than $100 million as a result (Global Economic Crime and Fraud Survey 2018 by PWC)
- $50 million: the total cost of cybercrime across 237 major companies in 6 countries. (Micro Focus)
- $13.5 million (944 million rupees) is how much an Indian bank lost “after hackers installed malware on its ATM server that enabled them to make fraudulent withdrawals from cash machines” (InfoSecurity Magazine)
- $4.6 million: how much loss two individuals caused by conducting large-scale CEO fraud. (Europol Internet Organised Crime Threat Assessment – IOCTA 2018)
- $3.8 million: the average cost of a data breach to a business. (Microsoft)
- $2.2 million per month: this is how much money cyber criminals can make with just 10 stolen credit cards bought from the underground markets. This is why formjacking is making a fast comeback as a preferred attack tactic (2019 Internet Security Threat Report by Symantec)
- $2 million: the average cost of a DDoS attack on an enterprise in 2017 (Kaspersky)
- $729,000 is how much a businessman lost in a scam combining catphishing and whaling (EY Global Information Security Survey 2018-2019)
- $660,000 per hour: how much e-commerce fraud causes in losses. (RSA 2018 Current State of Cybercrime)
- $500,000: the average damage caused by 53% of attacks. (Cisco Annual Cybersecurity Report 2018)
- $44,000 – the average cost for a Business Email Compromise hack (Verizon 2020 Data Breach Investigations Report)
- $292: the average fraud value following a cybercriminals’ takeover of a consumer’s mobile banking account. (RSA)
While financial value is a big aspect of the cost of cybercrime, statistics show there are other losses to consider as well:
Cybercrime was more than twice as likely than any other fraud to be identified as the most disruptive and serious economic crime expected to impact organizations in the next two years.
Global Economic Crime and Fraud Survey 2018 by PWC
- 40% of surveyed specialists see the disruption of operations as the biggest potential consequence of a cyberattack; 39% fear the compromise of sensitive data, and 32% cite damage to product quality. (The Global State of Information Security® Survey 2018 by PWC)
Imperva 2019 Cyberthreat Defense Report
- 61% of CEOs believe that security issues associated with the digital economy are far too big for their organization to handle alone; they also mention that increasing cybersecurity budgets won’t solve the issue (Accenture – Securing the Digital Economy)
- 43% of executives said the actions required to remediate security incidents were “difficult and expensive.” (Verizon Mobile Security Index 2019)
- 51% mentioned security spending is driven by previous years’ budgets (Cisco Annual Cybersecurity Report 2018)
- Criminal revenues driven by social media-enabled fraud increased by over 60% in 2018 from the previous year. (Bromium Into The Web of Profit – Social media platforms and the cybercrime economy)
- Cybercriminals manage to defraud users on mobile for double the amount they’d normally spend on a genuine transaction on the same channel: $133 – average genuine transaction value, $292 – average fraud value (RSA 2018 Current State of Cybercrime)
Companies spend money because of cybercrime in various ways. For example:
41% of executives surveyed said they spent at least twice as much in 2018 on investigations and related interventions as was lost to cybercrime
Moreover, they also pay for compromises in other ways. A report mentions that “2 in 5 companies reported negative customer experiences and reputation loss following a successful attack” (The Trust Factor by Radware).
Cybersecurity spending trends
Almost everyone falls victim to cyber-attacks nowadays. Some companies (about a third) detect attacks on a weekly basis, and most surveyed companies (93%) admit they’ve experienced a cyberattack in the previous 12 months (The Trust Factor by Radware).
Cybercriminals also have a type: they prefer mid-size enterprises with 5,000-9,999 employees, which are the most affected (88%) by successful cyber attacks (Imperva 2019 Cyberthreat Defense Report).
- 62% of organizations plan to spend more on cybersecurity in 2020. (ESG Master Survey Results: 2020 Technology Spending Intentions Survey)
- 53% of organizations increased their cybersecurity budget in 2018. (EY Global Information Security Survey 2018-2019)
- 15% of businesses have a sizeable IT security budget larger than $10 million, while 37% spend less than $200,000. (CSO US State of Cybercrime 2018)
- 44% of 9,500 executives in 122 countries surveyed by PWC say they do not have an overarching information security strategy (The Global State of Information Security® Survey 2018 by PWC)
- The issue goes deeper than that: 48% of these 9,500 executives confirmed they do NOT have a security awareness training program for their employees (The Global State of Information Security® Survey 2018 by PWC)
- 54% of them also lack an incident response process to help them cope with potential attacks and compromises (The Global State of Information Security® Survey 2018 by PWC)
EY Global Information Security Survey 2018-2019
- An attacker resides within a network for an average of 146 days before detection. (Microsoft)
- 86% of executives believe that “taking business resiliency to the next level requires an ambitious new vision for the Internet” (Accenture – Securing the Digital Economy)
- On average, IT security takes up 13% of the overall IT budget (Imperva 2020 Cyberthreat Defense Report)
- 66% of surveyed executives align security spending with revenues pertaining to each line of business (The Global State of Information Security® Survey 2018 by PWC)
- Only 1 in 10 organizations can process over 75% of their security event data (Oracle and KPMG Cloud Threat Report 2019)
- Around 30% of companies who experienced attacks couldn’t identify the motive (The Trust Factor by Radware)
- Only 35% of organizations have cyber insurance that satisfies their current needs (EY Global Information Security Survey 2018-2019)
- 43 percent of cyber attacks against businesses worldwide target small companies (Symantec)
- 55% of organizations only have reactive capabilities in place (EY Global Information Security Survey 2018-2019)
- However, many entities are trying to achieve more: “77% of organizations are now seeking to move beyond putting basic cybersecurity protections in place to fine-tuning their capabilities” (EY Global Information Security Survey 2018-2019)
- 41% of business executives confess spending “at least twice as much on investigations and related interventions as was lost to cybercrime” (Global Economic Crime and Fraud Survey 2018 by PWC)
- Organizational self-awareness is also increasing: fewer than 1 in 10 organizations say their information security function meets their needs “and many are worried that vital improvements are not yet under way” (EY Global Information Security Survey 2018-2019)
- Only 6% of financial services companies are satisfied with the performance of their cybersecurity program (EY Global Information Security Survey 2018-2019)
Overall, 92% of organizations are concerned about their information security function in key areas. Resources are a key issue: 30% of organizations are struggling with skills shortages, while 25% cite budget constraints.
EY Global Information Security Survey 2018-2019
Some of the missing puzzle pieces include:
- Better cloud security, as 53% of organizations host at least 50% of their infrastructure in the cloud (Cisco Annual Cybersecurity Report 2018)
- Upgrading to newer software; for example, 50% of local authorities in the UK rely on unsupported server software (EY Global Information Security Survey 2018-2019)
- Having a strategy or a program, as 53% of organizations cite their current setup and processes are obsolete in several areas, such as threat intelligence, breach detection, incident response, and data protection, among others (EY Global Information Security Survey 2018-2019)
- Only 43% of the companies have an enterprise-wide encryption strategy, leaving more than half exposed as data flows through their systems (ENISA Threat Landscape Report 2018)
- Lagging security awareness training – just 20% of businesses sent any staff to internal or external cybersecurity training in the last 12 months (ENISA Cyber Security Breaches Survey 2018)
- Just 27% of UK businesses have a formal cybersecurity policy or policies in place (ENISA Cyber Security Breaches Survey 2018)
- Human resource limitations: over 50% of organizations are “re-training existing IT staff to tackle cloud security challenges” (Imperva 2019 Cyberthreat Defense Report)
Cybersecurity statistics point out that companies are working on improvements in several areas:
- 85% of companies are interested in replacing passwords with new forms of authentication (Oracle and KPMG Cloud Threat Report 2019)
- “53% are using machine learning for cybersecurity purposes” (Oracle and KPMG Cloud Threat Report 2019)
- 86% of businesses explored the possibility of using solutions that incorporate machine learning and artificial intelligence (The Trust Factor by Radware)
- 51% of surveyed organizations are now investing more in cyber analytics (EY Global Information Security Survey 2018-2019)
Imperva 2019 Cyberthreat Defense Report
In order to achieve these improvements and more, organizations worldwide are increasing their spending. However, information security spending numbers show there are many differences across sectors and company sizes.
- 53% confirm an increase in their budget in 2018 (EY Global Information Security Survey 2018-2019)
- 76% added to their cybersecurity budget after a serious breach (EY Global Information Security Survey 2018-2019)
- Larger companies are more likely to increase their information security budgets (EY Global Information Security Survey 2018-2019)
Half of healthcare and Government & Public Sector organizations say they have increased spending on cybersecurity over the past 12 months, while 66% plan to spend more over the next 12 months.
EY Global Information Security Survey 2018-2019
- When it comes to energy companies, 57% of them have boosted spending on cybersecurity over the past 12 months, and 68% plan to increase investments over the next 12 months (EY Global Information Security Survey 2018-2019)
- In fact, the average IT security budget went from $11 million to $15 million in 2018, representing a 27% rise (CSO US State of Cybercrime 2018)
- The same report notes that 15% of companies have an IT security budget of over $10 million, while 37% of them have less than $250,000 at their disposal (CSO US State of Cybercrime 2018)
EY Global Information Security Survey 2018-2019
Then there are other kinds of challenges that CISOs and CIOs have to deal with:
- 60% of surveyed organizations cited that “the person directly responsible for information security is not a board member” (EY Global Information Security Survey 2018-2019)
Conversely, only 18% of organizations say that “information security fully inﬂuences business strategy plans on a regular basis” (EY Global Information Security Survey 2018-2019).
Organizations in Technology, Media & Entertainment, and Telecommunications have a different perspective. The same report mentions that 53% of them see cybersecurity as an influential force for business decision-making.
Cybersecurity jobs growth
Industry estimates show there may be 3.5 million unfilled cybersecurity jobs by 2021 (Cybersecurity Ventures).
The situation is pressing as it is:
Almost 70% of respondents believe that their enterprise’s cybersecurity team is understaffed, with over 20% of respondents indicating that they perceive their enterprise as significantly understaffed.
- 39% of companies mention that less than 2% of their total IT staff work in cybersecurity (EY Global Information Security Survey 2018-2019)
- 85% of organizations are challenged by IT security skills shortage, up from 84% in 2017 (Imperva 2020 Cyberthreat Defense Report)
- Women make up only 20% of the infosec workforce worldwide (Cyber Ventures – Women in Cybersecurity)
- 715,715 people worked in cybersecurity in the US in 2018 (Cyberseek)
- There were 313,735 job openings for information security specialists in 2018 across the United States (Cyberseek)
- The three job titles most requested by companies in the US in 2018 were Cyber Security Engineer, Cyber Security Analyst and Network Engineer / Network Architect (Cyberseek)
- 57% of surveyed companies are considering training their employees to improve their cybersecurity program (Comptia 2018 Trends in Cybersecurity)
- The average yearly salary for a security engineer in the US is $88,000 and the same role in the UK pays £52,500 ($69,139) a year (Finding your first job in cyber security)
- An Information Security Analyst made an average yearly salary of $95,510 in 2017 (US Bureau of Labor Statistics)
- 9 in 10 organizations are contracting managed security service providers (MSSPs) to offload at least one IT security function (Imperva 2019 Cyberthreat Defense Report)
- 43% of organizations use third-party firms occasionally for information security projects (Comptia 2018 Trends in Cybersecurity)
- 59% of organizations declare that it’s too expensive to outsource cybersecurity to specialized companies (Comptia 2018 Trends in Cybersecurity)
- 51% of organizations believe they need new or improved security policies to enhance the effectiveness of their security teams (Comptia 2018 Trends in Cybersecurity)
Cybersecurity threats, preparedness and programs by country
It’s clear from the varied outcomes of the studies and surveys above that not all countries are equal when it comes to cybersecurity and internet freedom. Many are poorly equipped to handle cyber attacks, while others are better equipped but more frequently targeted.
This data visualization delves into a number of metrics that demonstrate the variety of threats we face online, looking at which countries deal with the highest number of threats and how they fare in terms of defenses.
This map included in the Global Cybersecurity Index (GCI) 2018 depicts the level of commitment countries across the world have to cybersecurity preparedness. Lighter shades indicate a higher level of commitment.
Countries with a high level of commitment include the UK, the US, Australia, and Canada. These nations mobilize resources to build and implement consistent information security strategies country-wide.
Countries such as Mexico, Brazil, South Africa, and Ukraine fall mid-tier, as their cybersecurity programs are in the process of maturing.
At the same time, El Salvador, Lebanon, Sudan, the Vatican, and a long list of other countries are just initiating or establishing their information security programs.
The Imperva 2019 Cyberthreat Defense Report mentions that Spain was hardest hit of all countries in 2018, with 93.7% of respondents reporting successful attacks (Imperva 2019 Cyberthreat Defense Report).
North America is the most popular target, accounting for 57% of the breaches and 72% of the records exposed (ENISA Threat Landscape Report 2018).
The same report notes a 36% decrease in the number of incidents in Europe but a simultaneous 28% increase in the volume of records breached, “with UK organizations being the most affected in Europe” (ENISA Threat Landscape Report 2018).
When it comes to breach costs, Canada suffered the biggest direct costs while the United States had the highest indirect costs. A single compromised record in Canada cost US $81 and the same in the US cost $152 (ENISA Threat Landscape Report 2018).
In terms of attack geography, “the US (45,87%), Netherlands (25,74%), Germany (5,33%) and France (4,92%) were the top four source countries for web-based attacks, representing an increase not only for each country compared to Q1 2018 but also to 2017” (ENISA Threat Landscape Report 2018).
For most countries, budget and staffing are the top challenges to developing and implementing an effective information security strategy:
The State of IT Security in Germany 2018
The report of the same name, issued by Germany’s Federal Office for Information Security (BSI), notes a few interesting aspects particular to the country’s cybersecurity program.
When it comes to attack tactics targeting state organizations, email is prevalent:
The most frequently detected attacks on the Federal Administration involve e-mails containing malware. Using automated anti-virus measures, an average of 28,000 e-mails of this kind were intercepted in real time each month before they reached the recipients’ inboxes.
In 2017, German authorities detected an average of 500 malware programs in HTTP traffic each month, which were subsequently blocked.
In 2017, a total of 157 IMMEDIATE notifications were reported to the Central Reporting Office and National IT Situation Centre.
Ransomware was the main topic of the notifications in 2017. There were reports of the exploitation of telephone/video conference systems for malware infections. In the middle of the year a cyber attack took place with the encryption Trojan NotPetya.
Germany has a high awareness level in terms of cybersecurity, with 92% of organizations fully aware that cyber threats are critical dangers to their operations.
Almost 90% of German companies implemented advanced cybersecurity measures, such as segmentation or minimization of gateways and malware control.
However, most companies still focus on reactive measures. The report states, “these companies report that they are particularly focused on reactive measures to respond to a cyber attack.”
It’s great to see that 97% of internet users in Germany believe internet security is very important. Fewer follow through.
For example, only about 30% read about information security. Just 45% of them act to keep their data safe and only 37% are quick to apply the latest updates.
In addition to these huge malware statistics targeting PCs, 690,000 new Android malware programs were detected each month during the same period.
The State of cybersecurity in Australia 2019
On the other side of the world, the Telstra Security Report 2019 provides an outlook that compares the country’s cybersecurity performance with global data.
There’s some good news coming from Australia: 100% of surveyed decision-makers confirmed they have some level of influence over choices made for the company’s cybersecurity program, up from 97% in 2018.
This may also contribute to the fact that Australian respondents mentioned that budgets for cyber and IT security are increasing in 2019. The average budget is now roughly $900,000 AUD per year.
Australian businesses prioritize security solutions such as operational technology (65%), CCTV and external video sources (61%), biometric and physical access systems (58%), and BAS, uninterruptible power supply (UPS) and alarm systems (56%).
Their caution is justified because 65% of Australian businesses had their business interrupted by a security breach in the past year.
In terms of attack tactics, Business Email Compromise (BEC) and phishing attacks are the most prevalent in Australia.
The financial losses in FY2016/17 amounted to A$20 million, an increase of over 230% from A$8.6 million in FY2015/16.
Telstra Security Report 2018
In Asia, for example, the two most common attack tactics are virus/malware outbreak and employee error. Interestingly enough, Europe features a combination of both: phishing attacks and employee errors.
A notorious example from Europe features shipping container company Maersk, which fell victim to a ransomware attack in June 2017. The infection spread through its global network and impacted shipping across 76 ports.
The fallout from the attack cost them ca. $300 million and forced them to rebuild their entire IT infrastructure.
In the APAC region, companies are interested in user and entity behavior analytics (57%) and in threat intelligence platforms (56%). In Europe, DevOps for security (55%) and security for IoT (also 55%) are top priorities (Telstra Security Report 2018).
Top cybersecurity threats 2020
Reports of cybercrimes continue to create headlines around the world and this is unlikely to change throughout the year.
Here are some of the predictions being put forward regarding what we can expect to see during the rest of 2020.
The Global Risks Report 2020 from the World Economic Forum provides a detailed outlook of what things look like for individual users:
- 75% of consumers expect cyberattacks involving the theft of money or data to increase in 2020
- 76% of individual users cite worrying about losing their privacy to companies as a main concern for 2020
- 76% of consumers dread the loss of privacy to governments over the course of this year
And here are some other interesting predictions for 2020:
- Ransomware is expected to cost $6 trillion per year by 2021. (Cybersecurity Ventures)
- The prevalence of Mac ransomware will increase. (Palo Alto Networks)
- Phishing attacks will increase in sophistication as attackers continue to find innovative ways to outsmart filtering and detection techniques. (Kaspersky)
- There will be increased focus on social engineering. (Kaspersky)
The focus on social engineering will increase as other types of attacks become more difficult to carry out.
When it comes to a perspective on cybercrime trends beyond 2020, the Europol Internet Organised Crime Threat Assessment (IOCTA) 2018 provides a well-documented outlook:
Within the next five years, we can expect to see continued fragmentation of the Darknet market scene.
While a number of larger, multi-vendor, multi-commodity markets may survive, there will be an increasing number of vendor shops and smaller secondary markets catering to specific nationalities or language groups.
These smaller markets will be less likely to attract the coordinated international law enforcement response that larger markets invite.
Some vendors will abandon web shops altogether and migrate their business to encrypted communications apps, running their shops within private channels/groups and automating the trade process using smart contracts and bots.
Industry and media already report a trend in the abuse of apps like Telegram or Discord, despite the providers’ efforts to curtail such activity.
Gartner predicts that, by 2020, 25 percent of cyber attacks against enterprises will involve IoT devices.
In terms of threats, the World Economic Forum (WEF) 2019 Global Risks Report highlights cybersecurity threats as one of its 5 key areas. It also predicts that “massive data fraud and theft” will constitute the 4th largest global threat over a 10-year horizon, with cyber attacks following in 5th place.
7 easy ways to improve your privacy and security online
If you don’t want to be another statistic in next year’s report, we recommend you take a few simple steps toward protecting your privacy and security online.
Turn on your antivirus. There’s a good chance your computer already has antivirus software built in. If it doesn’t, or if you don’t think it’s sufficient, there are plenty of free and paid antivirus programs to choose from.
Modern antivirus programs typically have two methods of finding and removing malware from your system. The first is a simple system scan, in which the antivirus will sift through every file on your computer to look for, quarantine, and remove malware. The second is real-time scanning, in which running processes and downloaded files are scanned as they appear on your computer and flagged accordingly.
A VPN, short for virtual private network, encrypts all of your internet traffic and routes it through a remote server in a location of your choosing.
Commercial VPNs are typically paid subscription services that you can use by installing an app on your device. They have two primary effects.
The first is that all of your data is secured in an encrypted tunnel until it reaches the VPN server. This prevents your ISP and hackers on wifi networks from snooping on any of your internet activity and your traffic’s final destination.
The second is that your IP address, a unique number that can be used to identify your device and location, is masked behind the VPN’s server address. This helps to anonymize your internet activity.
Most commercial VPNs group dozens or even hundreds of users together under a single IP address, making it impossible to trace activity back to a single user.
Secure browser extensions
Your web browser is the window through which you see the internet, and it can do a lot of things, but is also vulnerable to a large number of attacks and exploits.
Fortunately, a few browser extensions can help protect your privacy and improve security online. Here is a shortlist of browser extensions we recommend:
- HTTPS Everywhere – opts for the HTTPS (TLS-encrypted) versions of web pages whenever they are available
- Disconnect or Privacy Badger – prevents websites from using tracking cookies and similar technologies to monitor your online behavior
- Adblock Plus – advertisements are a common attack vector for delivering malware and phishing ads to users. A good ad blocker can keep them at bay.
A firewall is an essential defense against unsolicited internet traffic coming or going from your computer.
Firewalls are installed on almost all modern operating systems and NAT firewalls on most routers. Keep them turned on and be selective about programs you allow to “phone home” through the firewall.
Use strong, unique passwords. Task your password generator with creating random, unique passwords for each of your accounts. Relying on a password manager means you don’t have to memorize them or write them down.
If you don’t want to go that route, at least use a combination of upper and lower case letters, numbers, and symbols and try to make it as random as possible.
Never use the same password across all of your accounts. Never use your personal details that a hacker could figure out.
Good passwords will go a long way in protecting your accounts.
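As an added illustration of the password advice above (example code, not from the original article): a generator built on Python’s `secrets` CSPRNG that guarantees every character class appears, an entropy estimate for a given length and alphabet, and a check that flags the same password reused across accounts. The character-class sets and the sample vault are constructed for the example.

```python
import math
import secrets
import string

# Character classes the advice above recommends mixing (symbol set is a constructed choice).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 distinct symbols


def generate_password(length: int = 20) -> str:
    """Return a random password, drawn from the OS CSPRNG, containing every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    while True:
        # secrets.choice uses os.urandom; random.choice is seedable and predictable.
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over accepted passwords.
        if all(any(c in cls for c in pw) for cls in CLASSES.values()):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def missing_classes(pw: str) -> list[str]:
    """Names of the character classes absent from a password (a simple strength check)."""
    return [name for name, cls in CLASSES.items() if not any(c in cls for c in pw)]


def reused_passwords(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password shared by more than one account to the accounts using it."""
    seen: dict[str, list[str]] = {}
    for account, pw in vault.items():
        seen.setdefault(pw, []).append(account)
    return {pw: accounts for pw, accounts in seen.items() if len(accounts) > 1}


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
    # Constructed sample vault: two accounts share one password.
    print(reused_passwords({"mail": "hunter2", "bank": "hunter2", "forum": "Zq!7kLm"}))
```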
Besides a good spam filter, there’s not much protection against phishing attempts. You just have to know how to spot them.
Don’t open links or attachments in unsolicited emails or text messages. Always look for valid HTTPS certificates on websites where you need to input a password or financial information.
If you’re unsure about an email, contact the sender by some other means or ask a question that only they would know to verify their identity.
Never, ever give out passwords or other private information in an email, SMS or instant message.
Read more: Common phishing scams and how to avoid them.
Don’t ignore security updates. Even though they can be annoying, not updating your software endangers not only your device but also everyone on your network.
Once a security update has been issued, hackers will deliberately target that software and users who ignore the security updates. So always update as soon as it’s practical.
How to report cybercrime
If you’ve been a victim of cybercrime then you can find more information about reporting it using the links below:
Canada: Public Safety Canada