As children, we all had our bogeyman. Whatever it was that frightened us, we understood that as we grew older—and stronger, and more knowledgeable—those bogeymen, conversely, would become less frightening.
Not so in the world of cybersecurity. Unfortunately, it has proven much more difficult to outgrow the risks of real-world cyber criminals than it was the make-believe monsters that once lived in our closets.
As our knowledge and experience in the cyber world increases, the various bogeymen we now face only grow bigger, stronger and faster. Bad actors are simply more capable of wreaking more havoc more quickly than ever before. A cyberattack that used to take weeks to unfold now occurs in a matter of days. Yesterday’s adequate defenses quickly become today’s visible but ineffective security facades—the cyber equivalent of pulling the covers over one’s head and hoping for the best.
Unfortunately, this reality is turning many organizations into mere statistics. As reflected in an extensive collection of recent cyber reports spanning myriad industries, the trouble often boils down to two main culprits: innovative external threat actors and an increase in human error.
According to Verizon’s Data Breach Investigations Report (DBIR)—an industry staple, providing in-depth analysis and information about security incidents and data breaches—65% of breaches were the result of external threat actors and 35% (an increase of 20% over the prior year) were attributed to individuals within the organization. Yes, the external bogeymen are still on the scene and have grown more creative and aggressive. But we must also worry about our own employees exposing our systems and data or otherwise leaving us vulnerable to attack.
Consider CrowdStrike’s Global Threat Report, which provides threat intelligence and an overview of the tactics, techniques and procedures (TTPs) used by cyber adversaries. Their 2023 report highlights a variety of TTPs at work, including identity-based attacks (emphasizing the importance of protecting user credentials), the surge of cloud intrusions (as noted by a 75% increase in cloud environment intrusions from 2022 to 2023), third-party exploitation (documenting the risk continually posed by supply chain vulnerabilities) and even malware-free attacks (which increased by 60% in 2023) as adversaries adopt more subtle methods like credential phishing and social engineering.
And yet, the bogeyman gets worse. It’s not just that these external threat actors are ever more present and aggressive, and that their attacks grow ever more diverse and complex—but that these attacks are also becoming ever more expensive.
Documenting the financial implications of data breaches, IBM’s Cost of a Data Breach Report 2023 highlights that the global average cost of a data breach in 2023 was $4.45 million—an increase of 2.3% from 2022 and an astonishing 15.3% from 2020. Those numbers get worse when you dive deep into specific industries (a 53.3% increase, since 2020, in healthcare data breach costs) and/or specific victims (a 22% increase in losses, from 2022, for the American public, according to the FBI’s Internet Crime Complaint Center (IC3) Report).
Bigger, faster, stronger—and more expensive to boot. The external threat actors of the cyber world continue to grow more capable and more dangerous with each passing day.
But these collective cybersecurity reports highlight a second trend continuing from recent years—an increase in human error (most notably through the breakdown of internal controls).
That same DBIR piece details how “74% of all breaches include the human element, with people being involved either via error, privilege misuse, use of stolen credentials or social engineering.”
And while the extent of human-centered vulnerabilities is difficult to quantify, three main weaknesses were identified by Unit 42’s Ransomware and Extortion Report: “unpatched vulnerabilities, lack of consistent controls across the organization and unauthorized use of legitimate access credentials.” It comes as no surprise that 92% of industries consider ransomware a top threat.
There is a positive note, however, regarding the weaknesses of the human element in these cyber reports. Organizations are responding. IBM’s Cost of a Data Breach Report found that 51% of organizations are “planning to increase security investments as a result of a breach … [including] areas such as incident response (IR) planning and testing, employee training and threat detection and response technologies.”
Additionally, evidence supports the argument that effective cybersecurity defenses and internal controls dramatically improve containment efforts. Per that same IBM report, “Among organizations that experienced a ransomware attack, those that had automated response playbooks or workflows designed specifically for ransomware attacks were able to contain them in 68 days (or 16% fewer days) compared to organizations without automated response playbooks or workflows.”
The facts and figures pulled and summarized from the various reports above—and plenty of others besides—could be seen by some as a hodgepodge of unrelated data serving no purpose other than to stoke fears about the landscape within which our organizations operate.
We would argue, however, that there are discernible trends and commonalities—such as the continued evolution of external threat actors, the vulnerabilities of human elements and the breakdowns of internal controls—that your organization should consider moving forward. And while designing, implementing, monitoring and optimizing your cybersecurity policies and procedures might sound too mundane or too pedestrian to tangibly improve the confidentiality, availability and integrity of your systems and data, many (if not all) of the negative outcomes highlighted in these reports could have been prevented or mitigated with deeper knowledge and appropriate controls.
The better you understand your bogeyman—whether the imagined monsters in your closet or the very real threats of the cyber world—the better equipped you are to keep them at bay.
If you have questions about whether your organization is taking the proper steps to avoid being a statistic in next year’s reports, please connect with our cybersecurity professionals. Successfully navigating this landscape is no easy feat. Let’s go there, together.