Explore the Mythology of Cybercrime Risk
Cybersecurity is a fast-moving world that requires extensive technical knowledge to master and there are myriad sources to get that knowledge from. However, for every fact about cybersecurity that is published by a reliable source, there are a dozen myths about the same subject being bandied about. Separating the facts from the fakes can dispel those myths to bring new clarity that empowers everyone to make the right decisions and stay out of trouble.
13 Frightening Facts About Cybercrime
- 85% of breaches involved a human element
- The number of breaches that involve ransomware doubled in 2020
- 61% of breaches involved misuse of credentials
- Three-time champion phishing remained the top threat action that resulted in a breach
- The FBI recorded a 69% increase in reported cybercrime in 2020
- 61% of organizations worldwide experienced a damaging ransomware incident in 2020
- IT teams are facing a 64% year-over-year increase in ransomware threat volume
- About 60% of companies that suffer a cyberattack like ransomware go out of business
- 42% of respondents in a cybercrime survey said that their organization had been compromised because of a bad, stolen, reused or cracked password in 2020
- 80% of IT professionals in a recent survey said that their organizations have faced an increase in the number of phishing attacks that they’re combatting in 2021
- More than 80% of reported security incidents are phishing-related
- 74% of organizations in the United States have fallen victim to a successful phishing attack
- 34% of data breaches involved internal actors
Chilling tales of hacks and breaches are always floating around. Are these cybersecurity legends true stories or the fancies of an unquiet mind? Knowing how to separate the real facts from fake news when it comes to cybersecurity can spell the difference between life and death for an organization.
CLAIM: Security awareness training doesn’t work, it’s wasted money.
FAKE. Security awareness training works, and it is a highly effective way to reduce an organization’s chance of a cybercrime disaster. Security awareness training reduces an organization’s chance of a data breach by up to 70% – and a data breach has never been more expensive. As an added bonus, it also reduces phishing expenses by more than 50% on average.
How do you get that awesome result? By conducting security awareness training at the right cadence – at least 11 times per year. Repetition and reinforcement are crucial for building good security habits. In a UK study of companies running phishing simulations, researchers discovered that 40 – 60% of their employees are likely to open malicious links or attachments. In follow-up testing, after about 6 months of training, the percentage of employees who took the bait dropped to 20% to 25%. Further training produced a steeper drop. After 3 to 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%.
CLAIM: An email from a big company like Microsoft is always safe.
FAKE. Spoofing and brand impersonation are popular cyberattack tactics because people believe that emails from major companies are safe, but it’s a dangerous misconception. In fact, Microsoft is the most widely impersonated brand. An estimated 45% of all brand impersonation phishing attacks were related to Microsoft in Q2 2021, up six points from Q1 2021. Amazon landed in second place, and shipping giant DHL followed closely behind in the number three position. Most businesses have employees interacting with those brands every day, ramping up the danger.
Email spoofing is also an ascendant risk that every business needs to be alert to – spoofing ballooned by more than 220% in 2020. One major category of spoofing that has become especially prevalent in the pandemic era is the spoofing of government messages. The US IRS (Internal Revenue Service) released an official warning in early April to alert tax professionals about spoofing emails supposedly sent from “IRS Tax E-Filing” with the subject line “Verifying your EFIN before e-filing.” The U.S. Financial Industry Regulatory Authority (FINRA) was also forced to issue a regulatory notice in March 2021 warning brokers of an ongoing phishing campaign. Attackers using carefully faked messages based on FINRA templates with bogus but believable URLs were sending out fake compliance audit notices, spurring companies to react – and get their credentials stolen.
CLAIM: It’s OK to keep using an old password and to use the same passwords at work and at home.
FAKE. Reusing and recycling passwords is a fast road to ruin. Huge lists of passwords stolen in previous cyberattacks around the world are available on the dark web for cybercriminals to use in attacks. An estimated 60% of passwords that appeared in one or more breaches in 2020 were recycled or reused. Businesses are in even greater danger if an employee reuses a password at work that they’ve used at home. At least 60% of people reuse their favorite passwords across multiple sites regularly, driving up the chance that it’s already compromised.
This year’s giant influx of fresh passwords from events like the RockYou 2021 leak just keeps priming the pump for new cybercrimes, especially password-fueled schemes like credential stuffing, the gateway to all sorts of bad outcomes like ransomware, and business email compromise, the most expensive cybercrime of 2020. Earlier this summer, the personally identifying data and user records of 700M LinkedIn users appeared on a popular dark web forum – more than 92% of LinkedIn’s estimated total of 756M users. That created an enormous splash that will ultimately ripple out into a whole new world of opportunity for cybercrime.
CLAIM: A cyberattack will only come from outside the company.
FAKE. Insider risk is up by more than 40% in 2021. IBM Security Intelligence says that more than 60% of cyberattacks can be attributed to insiders. That category includes non-malicious blunders by accidental actors and deliberate actions taken by malicious insiders. About 25% of data breaches in 2020 were caused by malicious insiders. It can also be hard for companies to spot a malicious insider at work. The unfortunate result of that problem is that slow detection gives those malicious insiders more time to do damage. An insider incident takes more than twice the time to detect as other intrusions that can lead to ransomware or a data breach.
Malicious insiders can have a host of reasons for choosing to turn on their employers, but the perennial top reason doesn’t really change. According to the Verizon Data Breach Investigations Report 2021, an estimated 70% of malicious insider breaches are financially motivated, chiefly through employees selling credentials or access to systems and data on the dark web. Another 25% of malicious insider incidents are motivated by espionage or theft of intellectual property, like selling formulas, stealing sensitive data or disclosing company secrets on the dark web. However, some employees are simply out for vengeance. Around 4% of malicious insider incidents are caused by angry employees who want to damage the company.
CLAIM: We’re too small to need fancy things like multifactor authentication.
FAKE. Just under 45% of all cyberattacks are aimed at small to medium businesses every year. Even more disturbing is the fact that over 50% of ransomware attacks are aimed at SMBs with fewer than 100 employees. It’s essential to realize that every business of every size is at risk of a cyberattack, and that number won’t be going down anytime soon. As we continue to see record-breaking numbers for data breaches, intrusions and other types of cybercrime, secure identity and access management, including multifactor authentication (MFA), is a key component of a good defensive strategy. MFA is also a requirement for compliance in many industries, and it is becoming a must-have for US federal contractors as the US federal government moves toward zero trust architecture.
Unquestionably, one of the fastest ways for the bad guys to slip inside a company’s environment and wreak havoc is to obtain a legitimate company password. It doesn’t make a difference if they buy it from an unscrupulous employee or harvest it from a dark web data dump; that password could spell doom for an organization. In fact, 70% of SMBs had employee passwords compromised in the last year. A small security upgrade like multifactor authentication stops more than 99% of password-related cyberattacks.
Book an appointment now to keep your company updated with the right cybersecurity tools!
Business Runs On IT.