According to the Global Risk Report, cyber attacks, the fifth top-rated risk of 2020, have become the new norm for almost every industry and business type. The rise in internet usage and the evolution of technology have made data security a primary concern across the globe. This article draws on several sources, including a cybersecurity breaches survey of UK businesses of all shapes and sizes (micro, small, medium and large firms, and charities). It also discusses the latest trends, facts, impacts and defensive measures used to minimise the effects of data breaches.
Surprisingly, this year (2021) has seen fewer businesses identifying cyber attacks or data breaches than 2020 (when the figure was 46%), with charities showing the same level of activity. It is unknown whether this decrease is down to reduced business activity during COVID-19 or to improved cyber hygiene.
However, the statistical evidence presented by the DCMS cybersecurity breaches survey says otherwise.
- Only 35% of businesses now deploy security monitoring tools (5% fewer than last year). As overall risk exposure has gone up during COVID-19, enterprises find it hard to keep up with security challenges.
- 39% of organisations and 26% of charities have identified cyber attacks or breaches. The most common form of attack is phishing.
- One in five end up losing assets, data or money, and one third have reported specific adverse outcomes or impacts regardless.
In terms of cybersecurity as a priority for businesses:
- 77% say cybersecurity is a high priority, but it has not become a higher priority during or because of the pandemic.
- Many organisations have invested in new security solutions such as remote working setups, multi-factor authentication and cloud security measures.
Cybersecurity management approaches have faced new challenges due to pandemic-led changes in how businesses work.
- Logging and monitoring have been harder for organisations with remote staff. This relates to the lack of security monitoring deployment mentioned above.
- 32% of large businesses have admitted to the significant risk of using an unsupported version of the Windows operating system (likely to be Windows 10 and Windows 7).
- Fewer businesses (78%) have well-configured network firewalls, up-to-date malware protection and endpoint tracking.
- The pandemic has caused conflict between IT and security teams over prioritising service continuity and maintenance work against security work such as patching.
Some medium and large businesses have taken the following measures, an overall indication of a proactive approach towards security:
- 43% of businesses have taken some form of cyber insurance
- 34% are undertaking cybersecurity assessments
- 20% have been carrying out regular phishing drills
- 15% have conducted vulnerability assessments
- 12% reviewed third party supplier risk
Which businesses are at risk?
Cyber attacks are prevalent across small to large enterprises, the public sector, NGOs and the education sector. It has been stated that threat actors launch a cyber attack every 39 seconds, indicating that no organisation is immune to cyber attacks these days. Businesses introduce new technologies, updates and patches to fix vulnerabilities and risks in their networks, infrastructure, IoT devices and other network-connected (smart) devices.
Some of them are at high risk and some at low risk. The sheer number of attacks in the last year has had a devastating impact on the world economy and on the state of cybersecurity.
Recent events and cybersecurity statistics show:
- Cloud data breach incidents will show an uptick in 2021 and beyond due to the remote workforce
- With rising technologies and 5G development, IoT devices will be more prone to cyber attacks
Today, many businesses have built a digital footprint, managing their revenue and finances with modern technologies and digital products. On top of that, COVID-19 has pushed many businesses away from their traditional physical presence. Many companies went online during the lockdowns to weather the business crisis and take advantage of virtualisation and smart devices.
- 68% of medium-sized businesses use smart devices (network-connected devices)
- 77% of large enterprises use their digital footprint and network-connected devices for their online activities
Now that almost every industry has a digital and virtual presence on the internet, they expose some or most of their data online, including bank account details, customer information, social media accounts, email addresses, payment and booking details, etc.
With so much data available over the internet, it has become an easy target for malicious attackers to carry out phishing and other information security attacks.
- 83% of businesses regularly encounter phishing attacks (including spear phishing, CEO fraud and ransomware attacks).
For now, every organisation is on cybercriminals' target lists, but some industries are at higher risk than others, such as:
The healthcare industry has been constantly on the radar of cybercriminals and suffers more ransomware attacks than any other industry. It is more critical than ever for healthcare providers and hospitals to adopt reasonable security practices.
According to the statistics, more than 93% of the healthcare sector suffered data breaches or security incidents in the past three years, which is comparatively low against the current period: in 2020 alone, the health industry saw a drastically increased data breach ratio of 58%.
Common attack vectors:
Cyber attacks targeting healthcare organisations are not limited to ransomware; other malware and botnets have proved equally devastating to the sector as a whole.
- Employee negligence is the most common vector in the health industry's data breaches and security incidents, at 81%. The average breach now costs the health sector $3.63 million.
The reason behind such a high percentage of attacks is that healthcare-related organisations and businesses hold a large amount of individuals' data, including payment information and Personally Identifiable Information (PII). Meanwhile:
- 56% of healthcare organisations take cybersecurity as a high priority issue
- Adherence to compliance standards such as ISO 27001 is seen in 16% of the overall healthcare sector
- 29% of healthcare organisations do not encrypt patient data and use the public cloud, allowing attackers to steal data.
Financial institutions are among the business sectors most targeted by cybercriminals, who either steal data or money in direct attacks on financial organisations or sell the stolen data on the dark web.
- The financial industry accounted for 10% of all data breaches
- The highest cost of cybercrime is in the financial services sector, at an average of $18.3 million
- 26% of enterprises faced destructive results from attacks
- 67% of financial institutions have reported a rise in cyber attack episodes over the past year
- 69% of financial institutions plan to increase cybersecurity spending by 10%
Common attack vectors:
- Most malware attacks hit financial assets. Banks and the rest of the financial institutions are hit by 29% of malware attacks, more than any other industry.
The most common attack vectors used against financial and insurance services are:
- 46% of web attacks were involved in financial breaches last year
- Cyber attacks increased by 67% across all financial sectors in 2020
- 21% of financial services suffered watering hole attacks
The first factor catalysing breaches in the financial sector is the accessibility of sensitive files. According to cyber stats, two thirds of financial services organisations have more than 1,000 sensitive files accessible to most employees, and in a large organisation the number of accessible files can reach 20 million. This makes for a high percentage of exposed sensitive files, at 21% across the entire finance sector.
The other apparent reason is that only 10% of financial businesses adhere to NIST standards. Once a company is hit by a security attack, it takes financial institutions an average of 233 days to detect and contain the breach.
Small and Medium Businesses
The time has gone when cybercriminals only targeted large enterprises. Now attackers target businesses regardless of size, especially small businesses, as they are budget-constrained with no resources for information security.
- Three out of four small businesses do not have IT or security professionals or teams.
- 51% of small companies do not allocate a budget to cybersecurity and are not concerned about cyber attacks
- 66% of small businesses take cybersecurity seriously and are concerned about the risk
Common attack vectors:
Small companies have the highest targeted malicious email rate, at 1 in 323. The following attack vectors have been found:
- Malware affected 35% of SMBs
- Small businesses suffer 49% of web-based attacks
- Overall, 26% of SQL injection attacks
- 14% of zero-day attacks were launched on small businesses
- The same small companies face 13% of insider threats
- 2% of ransomware takes SMBs hostage
- Similarly, small companies face 21% of DoS/DDoS attacks
- Overall, 11% of XSS attacks expose small businesses
Small businesses are the favourite target because of their lack of security awareness and preparedness. The statistics show:
- 43% of cyber attacks target small businesses
- 70% of the small businesses lack the capabilities to deal with such attacks.
Trends in businesses' online profiles and digital footprints
A significant rise has been observed in businesses' online payments. Whether due to the impact of COVID-19 or otherwise, the proportion of businesses with online bank accounts has increased to 82% compared to 75% in 2020, and online payment adoption has increased to 30% compared to 23% in 2020.
- Similarly, the online bank account percentage for charities has increased to 65%, making it easier for people to donate online, up from 54% when surveyed in 2019.
- As surveyed, 59% of businesses (small, mid-sized and large enterprises) and 50% of charities have at least three exposure points from the aforementioned figure.
- Both businesses and charities hold a great deal of customer and individual data and perform online activities such as transactions, donations or online payments.
- 45% of the surveyed charities use digital services and allow people to donate to them online.
- 42% of mid-sized businesses and 44% of large enterprises have online payment capabilities.
- Among them, the food and hospitality sector is the most common sector allowing customers to use online booking or payment services, at 57%, followed by 40% of the retail and wholesale sectors.
Source: DCMS breaches survey 2021
Personal Data Collection
Private businesses and industries collect, store and process customer personal data, including special category data. Among these, the majority are:
- 82% of financial institutions
- 80% of healthcare, social work and social care
- 67% of real estate and administration businesses
Some more facts and cybersecurity statistics
Many organisations other than DCMS have issued statistics on cybersecurity.
- Any company hit by a malware attack is affected by an average cost of $2.4
- The average cost of a data breach has risen to $3.86 million globally
- Social engineering scams make up 33% of all cyber attacks
- Hackers are carrying out cyber attacks faster than before, attacking every 39 seconds
- Previously, data breaches affected 43% of small businesses.
- The estimated cost of ransomware attacks to businesses is more than $75 billion per year, which was $133,000 previously
- Ransomware attacks have grown 350% annually, attacking a small business every 14 seconds
- Ransomware attacks hit 75% of businesses despite up-to-date endpoint protection
- 10% of all ransom demands are over $5,000.
- In 2023, $33 billion will be stolen by cybercriminals
- The average cost in time of a malware attack is 50 days
- Third parties introduced 50% of the security risk to other businesses and vendors
- Increased spending on managed security services has been documented in 85% of small businesses' plans
- 51% of small businesses do not allocate any budget to security
- 4% of malware sent to small businesses is delivered via email
The most common malicious email disguises include:
- Fake invoices, at 7% of phishing campaigns
- Email delivery failure notices, at 3%
- Legal/law enforcement messages, at 1.1%
- Scanned documents, at 0.3%
- A lack of password policies has been found in 69% of small businesses
- 6% of small businesses only review their security posture once an attack hits them.
- Manufacturing companies account for nearly a quarter of all ransomware attacks, followed by professional services with 17% of attacks, and then government organisations with 13% of attacks
- Lifestyle (15%) and entertainment (7%) were the most frequently seen categories of malicious apps
- Worldwide cybercrime costs will hit $6 trillion annually by 2021
- 52% of legal and compliance leaders are concerned about third-party cyber risks due to remote work since COVID-19
- Remote work has increased the average cost of a data breach by $137,000
- 47% of employees fall for phishing scams while distracted during remote working
How are organisations dealing with cybersecurity?
With new attack vectors and techniques in use, the methodologies for dealing with cyber incidents and handling data breaches are changing. A survey of the 39% of businesses and 26% of charities that were breached explored how they deal with cybersecurity, handle incidents and take steps towards future improvement and data protection.
Incident response plan
The statistics collected are listed below, describing the incident response capabilities and processes of businesses and charities.
- 66% of businesses and 59% of charities have at least one of the listed incident response plans and formal documentation strategies to help them deal with a breach or attack
- 37% of companies and 41% of charities undertake four of the listed activities to handle a breach
- Likewise, 75% of large enterprises, 68% of mid-sized businesses and 73% of high-income charities keep a log of cyber incidents
- At the broad industry level, the following sectors have a communication and engagement plan in place to address breaches as a high priority:
- 35% of financial institutions
- 28% of health, social care and social work
- 17% of the information and communication sector organisations surveyed
Among the breached businesses and charities, 93% of companies and 59% of charities have a proper internal reporting process that includes informing senior management or a director in the event of a data breach or any other cyber attack incident.
However, externally reporting a breach has been observed to be rare.
Among the breached businesses and charities, only 37% of businesses and 28% of charities have a process for reporting their incident to the relevant authorities or outside the organisation and have done so, and that figure includes involving a cybersecurity service provider as an external reporting resource.
- Beyond that, the survey concludes that 29% of businesses' and 23% of charities' breaches are reported externally. The parties to which incidents are reported externally include:
- Banks: 19%
- Internet service providers: 14%
- The police: 10%
- Clients or customers: 10%
- Suppliers: 5%
- Government and agencies: 5%
Monitoring Tool Deployment
- With the rise of remote working, direct user monitoring has become an arduous task for many organisations. This has brought the deployment of security monitoring tools down to 35%, from 40% in 2020
- Most businesses have started deploying monitoring tools and undertaking risk assessments and other activities, including some or all of the following:
- 35% of businesses have started using monitoring tools, while the percentage for charities is 25%
- 34% of businesses and 32% of charities carry out risk assessments
- 20% of businesses and 14% of charities have run simulated social engineering exercises to test their staff
- 15% of businesses are carrying out vulnerability audits
- Penetration Testing has started being carried out by 13% of businesses in 2021
- 9% of businesses have now invested in threat intelligence.
Cyber security awareness
Only a small proportion of businesses have been found to have security awareness. Only 35% of businesses said their board members receive cybersecurity briefings. At the sector level, 20% of construction companies, 24% of food and hospitality companies and 24% of entertainment services are the smaller organisations with board members or any executive assigned to cybersecurity roles.
External cybersecurity guidance
On the other hand, 53% of businesses reported seeking external guidance on cybersecurity practices and services in the past year.
Seeking external information security guidance is most common among small, mid-sized and large businesses, at 61% of small businesses, 74% of mid-sized businesses and 74% of large enterprises.
At the industry sector level, 69% of financial and insurance institutions seek external cybersecurity guidance and help, compared with 67% of information and communication businesses.
Software update, backup and other security policies
- The statistics state that only 43% of businesses have an appropriate software update policy that follows a 14-day patching time frame.
- 70% of businesses back up their data via cloud services; for charities the figure is 51%.
- 83% of businesses have up-to-date malware protection, while for charities the figure is almost 69%
- 79% of businesses and 57% of charities enforce strong password policies for all users and employees.
- 78% of businesses and 57% of charities use firewalls to protect their entire IT estate and data as well as individual devices
- 64% of businesses and 34% of charities allow access via company-owned devices
- 58% of businesses enforce social engineering policies to prevent fraudulent emails and website visits.
- 73% of entertainment businesses have updated malware protection, whereas only 71% of food and hospitality firms do
- 61% of construction businesses have restricted IT access, and 58% have policies around phishing attacks.
- Compared to 58% of large companies, only 21% of small businesses have cyber insurance policies in place.
Information security experts have repeatedly noted that unpatched software or older versions of an OS, tools and applications can enable or trigger any type of cyber attack.
On the contrary, however, it has been observed that 20%, i.e. one in five businesses, and 17% of the charities asked use older versions of Windows.
Impact of Cyber Breaches
Cybercriminals have advanced their attack vectors in both sophistication and frequency, turning the pandemic situation to their advantage. Once an attack succeeds, the post-exploitation effects can be disastrous, and the targeted organisation has to deal with them at any cost. This could mean attackers silently observing users for long periods, exfiltrating data in large amounts, or simply deleting or modifying information and stealing critical information within a few hours.
The impact of a cyber attack varies according to the nature of the business and the attack vector. The average cost was £13,400 for enterprises where breaches were identified and associated with an outcome. Whatever the business niche, a successful cyber attack can cause costs linked to damaged brand reputation and customer loyalty.
On a broad level, the average cost of stolen bank details is $259.56. The impact of cyber breaches and attacks can be categorised in three ways.
Financial: the loss of business finances from paying a ransom or as a result of economic loss, especially in isolated systems, fraudulent payments made through a phishing attack, loss of financial information, or theft of business data through any kind of breach or attack.
Reputational: businesses face reputational damage from data theft or the loss of PII (Personally Identifiable Information). This can affect B2C and B2B relationships and result in the loss of customers and of sales or profit.
Legal penalties: GDPR, DPA and other privacy laws require businesses to meet their requirements and make them liable for fines if they mismanage data or fall victim to cyber attacks due to a lack of due diligence towards security.
Regulatory bodies can hold a business liable for penalties and fines of 20 million or 4% of annual turnover. Beyond these three categories, the following are further impacts of security attacks.
- While preparing for GDPR, 88% of companies spent more than $1 million
- If things stay the same, it has been forecast that 22 billion records will be stolen by cybercriminals by 2023
Cyber stats also show that remote workers caused 20% of security breaches; the primary reason identified is that only 23% of businesses have remote work policies, and only 18% have cyber policies covering the use of personal devices such as laptops and desktops.
All such factors and incidents lead to projections that cybercrime will cost $10.5 trillion annually by 2025.
Breach prevention and lessons learned
62% of businesses and 69% of charities have learned from security incidents and taken actionable steps to prevent future attacks (including 78% of mid-sized organisations and 79% of large enterprises).
However, 36% of businesses and 28% of charities ignored the breach and its impact and have not taken action since.
What steps are taken?
In 2020, spending of $2,672 per employee was reported, and this year the figure has increased further. Many businesses have started treating cybersecurity as a priority, which is a good sign for both customers and the company.
Some medium to large enterprises have taken a proactive approach by making security a priority:
- 72% of financial and insurance institutions
- 62% of information and communication technology businesses
- 56% of healthcare, social care, and social work
In contrast to these sectors, the food and hospitality sector and the construction sector have been less interested in making information security a priority. This includes the following percentages:
- 62% of the food and hospitality sector
- 64% of the construction sector
In addition to prioritisation, 19% of businesses and 26% of charities started working on staff security training and awareness.
- Technical and people-related changes have been made in 36% and 23% of business cases respectively, whereas the percentages for charities are 31% and 33% respectively
- 14% of businesses installed anti-malware and anti-virus software to detect suspicious activity and updated or changed their configuration; the figure is 16% for charities taking the same precautionary step.
- 10% of charities and 11% of businesses considered changing and updating their firewalls and system configuration to prevent breaches and threats to their infrastructure.
- 5% of businesses and 4% of charities decided to install new software and threat protection tools rather than relying only on anti-virus or anti-malware.
- 10% of businesses and 11% of charities changed their governance processes and policies.
A larger proportion of companies have started following cybersecurity best practices to make their infrastructure resilient. Many businesses are now re-evaluating their policies to incorporate security considerations, rolling out MFA (multi-factor authentication) to restrict unauthorised access, and following standards to implement security for SaaS, IaaS, etc. This includes the following new processes and features introduced in mid to large-sized businesses:
- 43% of the businesses are taking out cyber insurance.
- Only 34% of companies are undertaking cybersecurity risk assessments
- 20% of the businesses are undergoing social engineering testing and awareness to reduce phishing attacks
- Vulnerability audits have been carried out by 15% of the business.
- 12% of the businesses review their third party risk imposed by their vendors, suppliers, and partners.
- 31% of businesses have invested in the business continuity plan
- 23% of businesses have introduced cyber policies for their remote work.
- Policies on personal devices for work have been proposed by 18% of businesses
The overall qualitative study shows a reduction in data breaches and cyber attacks this year, and sheds light on how many organisations have invested in their IT security and incident response plans. Many organisations have been seen adopting new security solutions, including solid password policies, multi-factor authentication, VPN connections, privileged access management and authorised access to files, along with high demand for cloud security. Some industries remain less interested in protecting their data assets.
The collected statistics can significantly help SMBs and large enterprises put the right security strategy in place by considering the attack trends in their industry. This year, the significant change in the cyber insurance ratio highlights how most companies have started to understand the necessity of information security in their businesses and organisations. In addition, these surveys also guide the many companies investing in threat intelligence to stay ahead of the threats and risks present in the cybersphere, and help them improve their security behaviour and methodologies.
Working with their cybersecurity teams, organisations can now align their business strategies with security considerations and keep up with cyber trends. The shared incident and security breach information can be used to improve data security, incident response capabilities and the overall security budget.
Shahrukh is a passionate cyber security analyst and researcher who loves to write technical blogs on different cyber security topics. He holds a Master's degree in Information Security and an OSCP, and has a strong technical skillset in offensive security.