Last year I wrote two FORBES articles* that highlighted some of the more significant cyber statistics associated with our expanding digital ecosystem. In retrospect, 2021 was a very trying year for cybersecurity in so many areas. There were high-profile breaches such as SolarWinds, Colonial Pipeline and dozens of others that had major economic and security-related impact. Ransomware came on with a vengeance, targeting many small and medium businesses. Perhaps most worrisome was how critical infrastructure and supply chain security weaknesses were targeted and exploited by adversaries at higher rates than in the past. Since it is only January, we are just starting to learn of some of the statistics that certainly will trend in 2022. By reviewing the topics below, we can learn what we need to fortify and bolster in terms of cybersecurity throughout the coming year.
- Alarming Cybersecurity Stats: What You Need To Know For 2021 (forbes.com)
Cybersecurity and Business
The past two years have seen a rapid shift of work to remote and hybrid offices. The statistics show that hackers welcomed that shift and took advantage of the vulnerabilities and gaps in businesses’ security.
Cyber risks top worldwide business concerns in 2022 – Help Net Security
“Cyber perils are the biggest concern for companies globally in 2022, according to the Allianz Risk Barometer. The threat of ransomware attacks, data breaches or major IT outages worries companies even more than business and supply chain disruption, natural disasters or the COVID-19 pandemic, all of which have heavily affected firms in the past year.
Cyber incidents tops the Allianz Risk Barometer for only the second time in the survey’s history (44% of responses), Business interruption drops to a close second (42%) and Natural catastrophes ranks third (25%), up from sixth in 2021. Climate change climbs to its highest-ever ranking of sixth (17%, up from ninth), while Pandemic outbreak drops to fourth (22%).”
Cybercriminals can penetrate 93 percent of company networks (betanews.com)
“among the findings of a new study of pentesting projects from Positive Technologies, conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors. In 93 percent of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources.”
Businesses Suffered 50% More Cyberattack Attempts per Week in 2021 (darkreading.com)
The rise — partly due to Log4j — helped boost cyberattack attempts to an all-time high in Q4 2021, new data shows. The education/research sector sustained the most attacks in 2021, followed by government/military and communications. Source: Check Point Software
Corporate Cyber Attacks Up 50% Last Year (cybersecurityintelligence.com)
2021 saw 50% more cyber attacks per week on corporate networks compared to 2020.
Most Targeted Sectors Worldwide by Hackers in 2021
· Education/Research sector up by 75%
· Cyber attacks on Healthcare sector up by 71%
· ISP/MSP up by 67%
· Communications +51%
· Government / Military sector up by 47%
Cybersecurity and Small and Medium Sized Businesses
While many large businesses suffered breaches, small and medium businesses were an easier target for hackers because of their lack of resources and security expertise.
2022 Must-Know Cyber Attack Statistics and Trends 2021 Must-Know Cyber Attack Statistics and Trends – Embroker
Cyber attacks on all businesses, but particularly small to medium sized businesses, are becoming more frequent, targeted, and complex. According to Accenture’s Cost of Cybercrime Study, 43% of cyber attacks are aimed at small businesses, but only 14% are prepared to defend themselves.
Not only does a cyber attack disrupt normal operations, but it may cause damage to important IT assets and infrastructure that can be impossible to recover from without the budget or resources to do so.
Small businesses are struggling to defend themselves because of this. According to Ponemon Institute’s State of Cybersecurity Report, small to medium sized businesses around the globe report recent experiences with cyber attacks:
- Insufficient security measures: 45% say that their processes are ineffective at mitigating attacks.
- Frequency of attacks: 66% have experienced a cyber attack in the past 12 months.
- Background of attacks: 69% say that cyber attacks are becoming more targeted.
The most common types of attacks on small businesses include:
- Phishing/Social Engineering: 57%
- Compromised/Stolen Devices: 33%
- Credential Theft: 30%
10 Small Business Cyber Security Statistics That You Should Know – And How To Improve Them – Cybersecurity Magazine (cybersecurity-magazine.com)
“Keeping up with the latest cyber-attack statistics is pertinent for understanding the state of cyber threats, commonly leveraged vulnerabilities, implications of successful cyber attacks, and effective strategies for mitigating prevalent threats.
- 43% of all data breaches involve small and medium-sized businesses.
- If you’re still in denial about the chances of your small business becoming a victim, 61% of all SMBs have reported at least one cyber attack during the previous year.
- A benchmark study by CISCO found that 40% of the small businesses that faced a severe cyber attack experienced at least eight hours of downtime. And this downtime accounts for a major portion of the overall cost of a security breach.
- The above-mentioned CISCO study also found that ransomware was not among the top three cyber threats identified by small businesses. Business owners may be underestimating the threat of ransomware, however, MSPs are not. 85% of MSPs consider ransomware one of the biggest threats to their SMB clients.
- 30% of small businesses consider phishing attacks to be the biggest cyber threat.
- 83% of small and medium-sized businesses are not financially prepared to recover from a cyber attack.
- Despite the staggering numbers, 91% of small businesses haven’t purchased cyber liability insurance. This truly reflects how unaware and unprepared small business owners are to deal with security breaches.
- Only 14% of small businesses consider their cyber attack and risk mitigation ability as highly effective.
- 43% of SMBs do not have any cybersecurity plan in place.
- One in five small companies does not use endpoint security, and 52% of SMBs do not have any IT security experts in-house.”
Cybersecurity and Healthcare:
Most hospitals and healthcare facilities have traditionally focused their budgets on acquiring new medical technologies and improving patient care. COVID-19 put a huge burden on budgets, and hackers have exploited cyber vulnerabilities, especially via ransomware.
Healthcare Cybersecurity Report 2021-2022 (herjavecgroup.com)
“70% of recently surveyed organizations reported that healthcare ransomware attacks have resulted in longer lengths of stays in hospital and delays in procedures and tests that have resulted in poor outcomes including an increase in patient mortality.”
Half of internet-connected devices in hospitals are vulnerable to hacks, report finds – The Verge
“Over half of internet-connected devices used in hospitals have a vulnerability that could put patient safety, confidential data, or the usability of a device at risk, according to a new report from the healthcare cybersecurity company Cynerio.
The report analyzed data from over 10 million devices at over 300 hospitals and health care facilities globally, which the company collected through connectors attached to the devices as part of its security platform.”
Cybersecurity and IoT Devices:
With everything and anything connected, hackers can take advantage of many attack vectors and weak device passwords. The threat is growing as IoT expands.
Top 10 cyber security threats in 2021 (cybermagazine.com)
According to Symantec, IoT devices experience an average of 5,200 attacks per month. The fact that a majority of new IoT devices are still in their infancy means there is a much larger attack surface for cybercriminals to target the vulnerabilities associated with them.
For a deep dive on the IoT cybersecurity conundrum, please see my slide below and FORBES article: Cybersecurity Threats: The Daunting Challenge Of Securing The Internet Of Things (forbes.com)
Although ransomware has been around for decades, in 2021 it became the cyber-weapon of choice for hackers. Being able to exfiltrate data and hold it hostage for payment in cryptocurrencies has made the deployment of ransomware a growing trend.
Ransomware Statistics, Trends and Facts for 2022 and Beyond (cloudwards.net)
5 Key Ransomware Statistics:
- Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.
- In 2021, 37 percent of all businesses and organizations were hit by ransomware.
- Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
- Out of all ransomware victims, 32 percent pay the ransom, but they only get 65 percent of their data back.
- Only 57 percent of businesses are successful in recovering their data using a backup.
Please also see my recent FORBES article:
Ransomware on a Rampage; a New Wake-Up Call (forbes.com)
“The sobering reality is that ransomware is on a rampage. Ransomware will continue to be a destructive threat because there are so many available soft targets. We live in an increasingly hyper-connected world that impacts all aspects of our lives. From now and onward, managing and protecting data will be a security imperative for every industry and organization.
Awareness and understanding the ransomware threat can help address many of the cybersecurity challenges. Emerging cybersecurity technologies, mitigation tools, and protocols can help limit the exploding trend of ransomware attacks. Taking pro-active measures to protect systems, networks, and devices, and be more resilient, need to be part of a new wake-up call.”
Compendiums On Cybersecurity Statistics:
If you seek a more comprehensive overview of cybersecurity stats, please check out these compendium articles. They cover many policy, operational, and industry specific elements of the cybersecurity ecosystem.
- Cryptocrime, or crimes having to do with cryptocurrencies, are predicted to exceed $30 billion in 2025, up from an estimated $17.5 billion in 2021, according to Cybersecurity Ventures.
Cybersecurity Ventures Infographic:
All the Cybersecurity Statistics, Figures and Facts You Need to Know in 2022 | Cybersecurity | CompTIA
“State Sponsored Threats: According to Microsoft, nearly 80% of nation-state attackers targeted government agencies, think tanks and other non-government organizations.
The United States remains the most highly targeted country with 46% of global cyberattacks being directed towards Americans
Cost of Cybercrime rising: The cost of cyber crime has risen 10% in the past year.
Cybersecurity Workforce: it’s estimated that there will be 3.5 million unfilled cybersecurity jobs by the end of 2025.
The pandemic presented lots of new cybersecurity issues and companies are working diligently to ensure they are prepared for anything that comes their way in the future. Expect to see the following.
· Enhanced software supply chain security.
· Ransomware will become more of a problem for businesses.
· Companies are transitioning to a zero trust framework for cybersecurity.
· Increased scrutiny on the cybersecurity measures of third-party providers.
· Rise in cyber insurance to offer further protection for businesses.”
22 cybersecurity statistics to know for 2022 | WeLiveSecurity
Phishing Attacks: Phishing attacks were connected to 36% of breaches, an increase of 11%, which in part could be attributed to the COVID-19 pandemic. As might have been expected, threat actors have been observed tweaking their phishing campaigns based on what’s making the news at any moment in time. (Verizon 2021 Data Breach Investigations Report)
Cost of Data Breach: 2021 saw the highest average cost of a data breach in 17 years, with the cost rising from US$3.86 million to US$4.24 million on an annual basis. (IBM Cost of a Data Breach Report 2021)
Ransomware Payouts: Cryptocurrency has been the preferred payment method for cybercriminals for a while now, especially when it comes to ransomware. As much as US$5.2 billion worth of outgoing Bitcoin transactions may be tied to ransomware payouts involving the top 10 most common ransomware variants. (FinCEN Report on Ransomware Trends in Bank Secrecy Act Data)
DDoS Attacks: The number of distributed denial-of-service (DDoS) attacks has also been on the upward trend, in part due to the COVID-19 pandemic. 2020 saw more than 10 million attacks occur, 1.6 million attacks more than the previous year. (ENISA Threat Landscape 2021)
Cybersecurity Statistics for 2022 (Infographic)
Cybersecurity In The Year Ahead
The Top 22 Security Predictions for 2022 (govtech.com)
Dan Lohrmann is one of the world’s most knowledgeable and prolific cybersecurity experts. His article on predictions for 2022:
“What will the New Year bring in cyber space? Here’s your annual roundup of the top security industry forecasts, trends and cybersecurity prediction reports for calendar year 2022.
Last December in “The Top 21 Security Predictions For 2021,” I noted the following summary of expected trends for 2021:
- There will be huge security impacts in the coming year from the move to work from home (WFH) fueled by COVID-19. More attacks will occur on home computers and networks, with bad actors even using home offices as criminal hubs by taking advantage of unpatched systems and architecture weaknesses.
- The rush to cloud-everything will cause many security holes, challenges, misconfigurations and outages.
- More growth in the security industry. Our numbers of new products and new mergers and acquisitions will cause network complexity issues and integration problems and overwhelm cyber teams.
- Privacy will be a mess, with user revolts, new laws, confusion and self-regulation failing.
- Identity and multi-factor authentication (MFA) will take center stage as passwords (finally) start to go away in a tipping-point year.
- Tons of high-profile IoT hacks, some of which will make headline news.
- Ransomware will get worse and worse — with new twists, data stealing prior to encryption, malware packaging with other threats and very specific targeting of organizations.
- Lots of 5G vulnerabilities will become headline news as the technology grows.
- Advanced Persistent Threats (APT) attacks will be widely available from criminal networks. The dark web will allow criminals to buy access into more sensitive corporate networks.
New focuses this year cover:
- Cyber threats in space.
- A heavy emphasis on operational technology (OT) cybersecurity — vulnerabilities, threats and impacts.
- A strong emphasis on cryptocurrencies and crypto wallet security attacks. As Bitcoin and other cryptocurrencies rose in 2021, now the bad actors want your bitcoins even more.
- More application security vulnerabilities — especially when code is widely used, such as the Log4j vulnerabilities.
- Issues created by a lack of talent and vacancies in public- and private-sector organizations — as the talent war gets worse.
- Renewed emphasis (but in new ways) on AI, autonomous vehicles, drones and other new technologies being hacked.
- Note that security industry vendor acquisitions have changed many of the familiar names, such as the activities with FireEye, McAfee Enterprise and Mandiant.
Industry expert Chuck Brooks also offered these security predictions for the new year on the AT&T website. Here are two:
- More automation and visibility tools will be deployed for expanding protection of remote employee offices, and for alleviating workforce shortages. The automation tools are being bolstered in capabilities by artificial intelligence and machine learning algorithms.
- Cybersecurity will see increased operational budgets because of more sophisticated threats and consequences of breaches (and especially ransomware) to the bottom line. Cybersecurity becomes more of a C-Suite issue with every passing year as breaches can be disruptive and devastating for business.”
I have touched on only a small part of the topics and issues relating to cybersecurity stats and predictions. Please see my analysis on protecting critical infrastructure and supply chains as we move forward in 2022. It is a large and important challenge! I will revisit new stats later in the year, as cybersecurity is never static.
GovCon Expert Chuck Brooks Highlights Importance of Protecting Critical Infrastructure; Supply Chains in 2022 (executivegov.com)
GovCon Expert Chuck Brooks, a highly esteemed cybersecurity leader, recently published his latest feature in the January issue of the CISO MAG detailing the importance for federal executives to focus on protecting the critical infrastructure supply chain in IT and OT systems.
“Protecting critical infrastructure Industrial Control Systems, Operational Technology, and IT systems from cybersecurity threats is a difficult endeavor,” said Chuck Brooks. “They all have unique operational frameworks, access points, and a variety of legacy systems and emerging technologies. Protecting the critical infrastructure supply chain in IT and OT systems will be a public and private sector priority.”
In addition, GovCon Expert Chuck Brooks discussed the potential cybersecurity workforce shortage that could exist in 2022. It was reported by Cybersecurity Ventures that roughly 3.5 million jobs in cybersecurity were left unfilled in 2021, which could pose significant operational challenges in the federal sector moving forward.
Brooks mentioned the Internet of Things (IoT) as an area to watch for growing cybersecurity risks. In particular, Brooks highlighted the challenge that IoT poses from having a lack of visibility and the ability to determine if a device has been compromised and not performing as intended.
“The increased integration of endpoints combined with a rapidly growing and poorly controlled attack surface poses a significant threat to the Internet of Things,” Brooks explained. “Protecting such an enormous attack surface is no easy task, especially when there are so many varying types and security standards on the devices. It will only worsen in 2022 as connectivity grows.”
You can read the full article from GovCon Expert Chuck Brooks on CISO MAG.
Chuck Brooks is President of Brooks Consulting International and Adjunct Faculty at Georgetown University. He is a Technology Evangelist, Corporate Executive, Speaker, Writer, Government Relations, and Marketing Executive. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, as a “Top 50 Global Influencer in Risk, Compliance,” by Thomson Reuters, “Best of The World in Security” by CISO Platform, and by IFSEC as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020 and 2021 Onalytica “Who’s Who in Cybersecurity” – as one of the top Influencers for cybersecurity issues and in Risk management. He was also named “Best in The World in Security” by CISO Platform, one of the “Top 5 Executives to Follow on Cybersecurity” by Executive Mosaic, and as a “Top Leader in Cybersecurity and Emerging Technologies” by Thinkers360. Chuck was named by Oncon in 2019 “Top Global Top 50 Marketer” by his peers across industry.
Chuck is also a Cybersecurity Expert for “The Network” at the Washington Post, Visiting Editor at Homeland Security Today, Expert for Executive Mosaic/GovCon, the Advisory Board of CISO MAG, and a Contributor to FORBES. He has a BA from DePauw University and an MA from the University of Chicago, and studied at the Hague Academy of International Law.