A couple of times per year, I take a deep dive on writing about the newly reported cybersecurity statistics and trends that are impacting the digital landscape. Unfortunately, despite global efforts, every subsequent year the numbers get worse and show that we are far from being able to mitigate and contain the numerous cyber-threats targeting both industry and government.

Below is a synopsis with links on some of the recent cyber developments and threats that CISOs need to keep a close watch on (and that you need to know) for the remaining part of 2022 and beyond.

While many of the statistics seem dire, there are some positive aspects on the trends side, as the cybersecurity community has been taking several initiatives to create both cyber awareness and action. And for those attending the 2022 RSA Conference in San Francisco, hopefully the backdrop of the following statistics and trends from mid-year 2022 can also be useful to analyze and match with product and services roadmaps for cybersecurity.

What will it take for business to get a “wake up call” on cybersecurity?

Despite another record year of breaches including SolarWinds, Colonial Pipeline and others, half of U.S. businesses still have not put a cybersecurity risk plan in place. The list of the 50 Biggest Data Breaches 2004-2021 below is illustrative of the problem of protecting data in both industry and government.

The 50 Biggest Data Breaches (2004-2021) (visualcapitalist.com)

· Cybercriminals can penetrate 93 percent of company networks

Link: Cybercriminals can penetrate 93 percent of company networks (betanews.com)

“In 93 percent of cases, an external attacker can breach an organization’s network perimeter and gain access to local network resources.

This is among the findings of a new study of pen testing projects from Positive Technologies, conducted among financial organizations, fuel and energy organizations, government bodies, industrial businesses, IT companies and other sectors.

An attacker’s path from external networks to target systems begins with breaching the network perimeter. According to the research, on average, it takes two days to penetrate a company’s internal network. Credential compromise is the main route in (71 percent of companies), primarily because of simple passwords being used, including for accounts used for system administration.”

· Many security executives say they’re unprepared for the threats that lie ahead

Link: Many security executives say they’re unprepared for the threats that lie ahead | TechRepublic

“As cyberattacks grow in both number and sophistication, organizations are increasingly under the gun to protect themselves from compromise. Though companies have responded by upping their security budgets and adopting more advanced defenses, keeping up with the threats that will surface over the next few years will be a challenge.

For its report titled “Cybersecurity Solutions for a Riskier World,” ThoughtLab studied the security practices and performance of 1,200 companies in 13 industries and the public sector across 16 countries.

In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year. Over the next two years, the security executives polled by ThoughtLab see a rise in attacks from social engineering and ransomware as nation-states and cybercriminals grow more sophisticated. The main causes of these attacks will come from misconfigurations, human error, poor maintenance, and unknown assets.

Despite the increased efforts to combat security threats, many of those interviewed by ThoughtLab see several reasons for alarm. A full 44% of the executives surveyed said that their growing use of partners and suppliers exposes them to significant security risks. Some 30% said their budgets aren’t sufficient to ensure proper cybersecurity, while several pointed out that the criminals are better funded. A quarter of all the respondents said the convergence of digital and physical systems, such as Internet of Things devices, has increased their security risks.

Further, 41% of the executives don’t think their security initiatives have kept up with digital transformation. More than a quarter said that new technologies are their biggest security concern. And just under a quarter cited a shortage of skilled workers as their largest cybersecurity challenge”

· 2022 Study: 50% Of SMBs Have A Cybersecurity Plan In Place

Link: 2022 Study: 50% of SMBs Have a Cybersecurity Plan in Place | UpCity

UpCity, a small business intelligence firm that has matched over 2 million businesses to providers they can trust since its inception in 2009, surveyed 600 business owners and IT professionals on their 2022 cybersecurity plans, priorities, and budgets. Findings include:

· “Only 50% of U.S. businesses have a cybersecurity plan in place

· Of those, 32% haven’t changed their cybersecurity plan since the pandemic forced remote and hybrid operations

· The most common causes of cyber-attacks are malware (22%) and phishing (20%)

· Cybercrime cost U.S. businesses more than $6.9 billion in 2021, and only 43% of businesses feel financially prepared to face a cyber-attack in 2022”

· Software supply chain attacks hit three out of five companies in 2021

Link: Software supply chain attacks hit three out of five companies in 2021 | CSO Online

“Survey finds significant jump in software supply chain attacks after Log4j exposed.

More than three in five companies were targeted by software supply chain attacks in 2021, according to a recent survey by Anchore. The survey of 428 executives, directors, and managers in IT, security, development, and DevOps found that the organizations of nearly a third of the respondents (30%) were either significantly or moderately impacted by a software supply chain attack in 2021. Only 6% said the attacks had a minor impact on their software supply chain.”

· 82 percent of CIOs believe their software supply chains are vulnerable

Link: 82 percent of CIOs believe their software supply chains are vulnerable (betanews.com)

“A new global study of 1,000 CIOs finds that 82 percent say their organizations are vulnerable to cyberattacks targeting software supply chains.

The research from machine identity specialist Venafi suggests the shift to cloud native development, along with the increased speed brought about by the adoption of DevOps processes, has made the challenges connected with securing software supply chains infinitely more complex.

The increase in the number and sophistication of supply chain attacks, like SolarWinds and Kaseya, over the last 12 months has brought this issue into sharp focus, gaining the attention of CEOs and boards.”

· Report: Increase in socially engineered, sophisticated cybersecurity attacks plagues organizations

A new report that showed a sharp increase in cybersecurity attacks in 2021 urged organizations to consider when, not if, they too will be under attack. Attacks are becoming more sophisticated and socially engineered, making them harder to detect.

Link: Report: Increase in socially engineered, sophisticated cybersecurity attacks plagues organizations – MedCity News

“A new cybersecurity report from San Francisco-based Abnormal Security found that medical industries and insurance companies had a 45-60% chance of being the target of a phone fraud attack via email: a sophisticated scam where the scammer sends an email to the target, asking the target to call them. In the second half of 2021, those attacks increased by 10 percent.

Additionally, healthcare systems are seeing a rise in more legitimate-looking yet problematic business email compromise (BEC) attacks. This occurs when the scammer accesses the target’s business email and impersonates the target, and then uses that identity to create rapport with victims and get them to pay money.”

· Businesses Suffered 50% More Cyberattack Attempts per Week in 2021

Link: Businesses Suffered 50% More Cyberattack Attempts per Week in 2021 (darkreading.com)

“Check Point Research on Monday reported that it found 50% more attack attempts per week on corporate networks globally in calendar year 2021 compared with 2020.

The researchers define a cyberattack attempt as a single isolated cyber occurrence that could be at any point in the attack chain — scanning/exploiting vulnerabilities, sending phishing emails, malicious website access, malicious file downloads (from Web/email), second-stage downloads, and command-and-control communications. All of the attack attempts Check Point cites in the research were detected and stopped by its team.”

The education/research sector sustained the most attacks in 2021, followed by government/military and communications.

Social engineering and phishing are easy means to the corporate crown jewels, which can include sensitive and proprietary emails, and business email compromise is a favorite tactic of hackers.

· $43 billion stolen through Business Email Compromise since 2016, reports FBI

Link: $43 billion stolen through Business Email Compromise since 2016 (tripwire.com)

“Over US $43 billion has been lost through Business Email Compromise attacks since 2016, according to data released this week by the FBI.

The FBI’s Internet Crime Complaint Center (IC3) issued a public service announcement on May 4 2022, sharing updated statistics on Business Email Compromise (BEC) attacks which use a variety of social engineering and phishing techniques to break into accounts and trick companies into transferring large amounts of money into the hands of criminals.

The report looked at 241,206 incidents reported to law enforcement and banking institutions between June 2016 and December 2021 and says that the combined domestic and international losses incurred amounted to US $43.31 billion.

Worryingly, there has been a 65% increase recorded in identified global losses between July 2019 and December 2021”

And how to better protect:

“The FBI offers a number of tips to companies wishing to better protect themselves from Business Email Compromise attacks:

  • Use secondary channels or two-factor authentication to verify requests for changes in account information.
  • Ensure the URL in emails is associated with the business/individual it claims to be from.
  • Be alert to hyperlinks that may contain misspellings of the actual domain name.
  • Refrain from supplying login credentials or PII of any sort via email. Be aware that many emails requesting your personal information may appear to be legitimate.
  • Verify the email address used to send emails, especially when using a mobile or handheld device, by ensuring the sender’s address appears to match those from whom it is coming.
  • Ensure the settings in employees’ computers are enabled to allow full email extensions to be viewed.
  • Monitor your personal financial accounts on a regular basis for irregularities, such as missing deposits.”
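As an added example (not the FBI's or this article's code) of turning the sender-address and hyperlink tips above into an automated check, the script below flags sender domains and links that are homoglyph or misspelling lookalikes of a trusted domain, display names that show a trusted address while the real sender differs, and attachments that hide an executable behind a double extension. TRUSTED_DOMAINS and the sample message are constructed; the edit-distance threshold of 2 and the two-label "registrable domain" rule are simplifying assumptions.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed for this example: domains the organization actually does business with.
TRUSTED_DOMAINS = {"example-bank.com", "acme-supplier.com"}

# Character swaps commonly used to imitate a trusted domain name.
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Extensions that have no business arriving in a payment or account-change request.
EXECUTABLE_EXT = {"exe", "scr", "js", "vbs", "bat", "cmd", "hta", "lnk"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def normalize(name: str) -> str:
    """Fold homoglyphs so that 'acrne-supp1ier' compares equal to 'acme-supplier'."""
    name = name.lower()
    for src, dst in HOMOGLYPHS.items():
        name = name.replace(src, dst)
    return name


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance using a single rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host: str) -> str:
    """Last two labels of a host. Assumption: no public-suffix list is used,
    so two-part suffixes such as .co.uk are not handled."""
    return ".".join(host.split(".")[-2:])


def classify_domain(host: str) -> str:
    """Classify a sender or link host as 'trusted', 'lookalike' or 'unknown'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    base = registrable_domain(host)
    if base in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        # Trusted name reused as a label elsewhere in the host, e.g.
        # example-bank.com.evil.net or example-bank.com-secure.net.
        if any(lbl == brand or lbl.startswith(brand + "-") for lbl in labels):
            return "lookalike"
        # Homoglyph substitution or a one/two-character misspelling of the domain.
        # The threshold of 2 is an assumption; lower it for very short domains.
        if normalize(base) == normalize(trusted) or edit_distance(base, trusted) <= 2:
            return "lookalike"
    return "unknown"


def check_message(from_header: str, body: str, attachments: list) -> dict:
    """Run the sender, hyperlink and attachment checks on one message."""
    display_name, addr = parseaddr(from_header)
    sender_host = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    findings = {"sender": classify_domain(sender_host), "links": {}, "attachments": []}
    # A display name that shows a trusted address while the real sender differs.
    if findings["sender"] != "trusted" and any(t in display_name.lower() for t in TRUSTED_DOMAINS):
        findings["sender"] = "lookalike"
    for url in URL_RE.findall(body):
        findings["links"][url] = classify_domain(urlparse(url).hostname or "")
    for name in attachments:
        ext = name.lower().rsplit(".", 1)[-1]
        # invoice.pdf.exe displays as invoice.pdf when full extensions are hidden.
        if "." in name and ext in EXECUTABLE_EXT:
            findings["attachments"].append(name)
    findings["suspicious"] = (
        findings["sender"] == "lookalike"
        or "lookalike" in findings["links"].values()
        or bool(findings["attachments"])
    )
    return findings


if __name__ == "__main__":
    # Constructed sample: spoofed display name, typosquatted link, double extension.
    print(check_message('"ap@acme-supplier.com" <ap@evil-domain.net>',
                        "Please wire to https://example-bank.com-secure.net/wire",
                        ["invoice.pdf.exe"]))
```

A "lookalike" or flagged-attachment result is the cue for the first tip above: confirm the request over a secondary channel rather than by replying to the email.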

What Should Business do to Mitigate Cyber-threats?!

The aforementioned links highlight many serious vulnerabilities that industry experts have attested to. But the C-Suite does not have to remain idle in response to those threats and stats. My suggestion for all businesses, especially small and medium ones, which are often at risk of being put out of business by a cyber-attack, is to seriously look at cyber-risk and plan accordingly as part of a corporate operational strategy. NIST and MITRE offer great resources for cyber-risk management planning and are continually updated. Also, some potential actions to take are excerpted from my recent article in Homeland Security Today, A Cybersecurity Risk Management Strategy for the C-Suite.

Where are the Cyber Risk Management Plans?

· A Cybersecurity Risk Management Strategy for the C-Suite.

Link: A Cybersecurity Risk Management Strategy for the C-Suite – HS Today

“Create a corporate risk management strategy and vulnerability framework that identifies digital assets and data to be protected. A risk assessment can quickly identify and prioritize cyber vulnerabilities so that you can immediately deploy solutions to protect critical assets from malicious cyber actors while immediately improving overall operational cybersecurity.

Risk management strategies should include people, processes, and technologies. This includes protecting and backing up business enterprise systems such as financial systems, email exchange servers, HR, and procurement systems with new security tools (encryption, threat intel and detection, firewalls, etc.) and policies. That risk management approach must include knowing your inventory and gaps, integrating cybersecurity hygiene practices, and procuring and orchestrating an appropriate cyber-tool stack. It should also include having an incident response plan in place if you do get breached.”

Also see my recent article from the Donald Allen Cybersecurity blog (his blog is a great resource and I suggest you subscribe for free!):

· The Risk Management Imperative For Cybersecurity

Link: Cybersecurity Risk Management – An Imperative for The Digital Age – The Donald Allen Cybersecurity Blog (dacybersecurity.com)

“Because of the new digital cyber risk environment, a security strategy for risk management is imperative.

A security strategy of risk management to meet these growing cyber-threat challenges needs to be both comprehensive and adaptive. It involves people, processes, and technologies.

Securing your data is key.

Because of digital transformation and a pandemic that transferred many from working at the office to home, data is at greater risk for a breach.

Securing data necessitates a hyper-security focus. At its core, the practice is one of vigilance and encompasses identifying gaps, assessing vulnerabilities, and mitigating threats. Data security and cyber risk management are an integral part of the overall enterprise risk management (ERM) framework to stay ahead of the threats.

Defined by the most basic elements in informed risk management, cybersecurity is composed of:

  • Layered vigilance (intelligence, surveillance)
  • Readiness (operational capabilities, visual command center interdiction technologies)
  • Resilience (coordinated incident response, mitigation, and recovery)

Successful cybersecurity will also require the integration of emerging technologies for identity management, authentication, horizon monitoring, malware mitigation, resilience, and forensics. Automation and artificial intelligence are already impacting the capabilities in those areas.


Cybersecurity capabilities in information sharing, hardware, software, encryption, analytics, training, and protocols, must keep pace to protect and preempt the increasingly sophisticated threats in both the public and private sectors.

The Infographic I created below provides a pathway for exploring risk management frameworks:

Infographic: Strategic Paths to Cybersecurity, by Chuck Brooks

The Three Pillars of Cybersecurity Strategy

The growth and sophistication of cyber-attacks over the last couple of years, many of them state-actor sponsored, has caused both government and industry to reevaluate and bolster their risk management strategy approaches to cyber-defense.

There are three strong pillars of risk management that can be integrated into a successful cybersecurity strategy: Security by Design, Defense in Depth, and Zero Trust.

For more details, please see my article in FORBES, Combining Three Pillars Of Cybersecurity.

Combining Three Pillars Of Cybersecurity

Link: Combining Three Pillars Of Cybersecurity (forbes.com)

I mentioned that there are some positive cybersecurity trends earlier. One such initiative is a new government focus on a Zero Trust Management strategy. That topic is subject matter for another article.

Please see “GovCon Expert Chuck Brooks Authors New Zero Trust White Paper; Anacomp CEO Tom Cunningham Quoted” for a quick overview of the benefits and need for Zero Trust in cybersecurity.

Link: GovCon Expert Chuck Brooks Authors New Zero Trust White Paper; Anacomp CEO Tom Cunningham Quoted (executivegov.com)

Ransomware, the Scourge Continues and is still trending as a preferred method of cyber-attack in 2022

The Colonial Pipeline attack showed how a ransomware attack against an industrial target can have very real consequences for people, as gasoline supplies to much of the north-eastern United States were limited because of the attack.

· Ransomware attacks, and ransom payments, are rampant among critical infrastructure organizations

Link: Ransomware attacks, and ransom payments, are rampant among critical infrastructure organizations – Help Net Security

80% of critical infrastructure organizations experienced a ransomware attack in the last year, with an equal number reporting that their security budgets have risen since 2020, a Claroty report reveals.

· Ransomware Trends, Statistics and Facts in 2022

Link: Ransomware Trends, Statistics and Facts in 2022 (techtarget.com)

· Ransomware is part of 10% of all breaches. It doubled in frequency in 2021, according to the 2021 “Verizon Data Breach Investigations Report.”

· Approximately 37% of global organizations said they were the victim of some form of ransomware attack in 2021, according to IDC’s “2021 Ransomware Study.”

· The FBI’s Internet Crime Complaint Center reported 2,084 ransomware complaints from January to July 31, 2021. This represents a 62% year-over-year increase.

· The Cybersecurity and Infrastructure Security Agency reported in February 2022 that it is aware of ransomware incidents against 14 of the 16 U.S. critical infrastructure sectors.

Ransomware is a global issue and Costa Rica is a good example of how dangerous ignoring cybersecurity protocols and not preparing for cyber-attacks can be to a nation state.

· How Costa Rica Found Itself at War Over Ransomware

Link: How Costa Rica found itself at war over ransomware | CSO Online

“Handling cyberattacks has become an everyday activity of every nation on the planet, as they try to navigate the “wild west” of the modern internet. Nation-states, for-profit cybercrime syndicates, political activists, and determined pranksters trawl the web every hour of every day, looking for their next victim. And what better victim than a nation’s government network? Government networks and systems are loaded with resources and information, including personal data that is vital for federal and civilian operations. At the same time, they are often behind the curve on security best practices, making government websites and systems prime targets.”

And importantly, actions to take that help protect against ransomware attacks

“Organizations and individuals can take steps to mitigate ransomware attacks. But there is no silver bullet that will solve or defend against ransomware. What’s needed is a multilayered approach to improve IT security overall. There are six key steps to safeguard assets against ransomware risks:

1. Maintain a defense-in-depth security program. Ransomware is just one of many risks that IT users face. Having multiple layers of defense is a key best practice.

2. Consider advanced protection technologies. The use of extended detection and response can help organizations identify potential risks that could lead to ransomware exploitation.

3. Educate employees about the risks of social engineering. Often, it’s users clicking on something that they shouldn’t that can lead to infection. Education and vigilance are important.

4. Patch regularly. Ransomware code often targets known vulnerabilities. By keeping software and firmware updated, an attack vector can be eliminated.

5. Perform frequent backups of critical data. Ransomware’s target is data. By having reliable backups, the risk of losing data can be minimized.

6. Consider tabletop exercises. Preparing for ransomware with a tabletop exercise can identify potential gaps and ensure the right process is in place to mitigate and recover from a potential attack.”

Link: Ransomware Trends, Statistics and Facts in 2022 (techtarget.com)

Please also see my FORBES article for more actions on how to mitigate malware:

· Ransomware on a Rampage; a New Wake-Up Call

Link: Ransomware on a Rampage; a New Wake-Up Call (forbes.com)

“While it is true that anyone and everyone is vulnerable to ransomware attacks, there are available protections and defenses for helping mitigate those threats. It starts with having a risk management strategy and being proactive. First (and foremost), patching and updating of software vulnerabilities must be current. Unfortunately, many companies and organizations are slow, and in many cases negligent, on the update of patches that would prevent breaches.

Also, some basic precautions can help address threats; these include training employees to recognize malware and phishing threats, disabling macro scripts, cloaking data, and keeping systems and applications updated. Identity management policies and software are also practical tools to employ. If you end up victimized by a breach, be sure to have an incident response plan in place. That plan should also include potentially contacting law enforcement to assist in recovering files and investigating who is doing the hacking.

Check your permissions on your apps to see what data they are accessing. If it is not something you authorized, be sure to revoke those access rights and to clean out your cookies.

Companies and individuals should employ anti-malware & anti-ransomware platforms, and technologies to guard your devices such as multi-factor authentication, firewalls, and email filters. Emerging technologies such as machine learning (ML) and artificial intelligence (AI) offer software tools that can detect anomalies, provide user behavioral analytics, and help mitigate threats. ML and AI are viable options for companies to consider for fortifying their security.

If you are a small or medium company that lacks resources, Managed Security Services (MSS) and Managed Service Providers (MSP) are options to consider using for both prevention and incident response. Many firms can monitor networks, provide enabling cybersecurity technologies, and perform threat assessments. MSS makes economic sense for many industries and businesses which do not have (or cannot afford) the internal subject matter expertise or capabilities to manage increasingly sophisticated breaches. Paradoxically, some MSS and MSPs have themselves been targeted by ransomware attacks. But in today’s world, everyone is a target.”

Great Resources for Cybersecurity Threats and Stats:

· Cybersecurity Ventures

2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics

Link: 2022 Cybersecurity Almanac: 100 Facts, Figures, Predictions And Statistics (cybersecurityventures.com)

The cyber threat is so pervasive that it is estimated to cost the world $10.5 trillion annually by 2025.

Link: Cybercrime To Cost The World $10.5 Trillion Annually By 2025 (cybersecurityventures.com)

· ISMG Security Report

Information Security Media Group (ISMG) is the world’s largest media organization devoted solely to information security and risk management. Our 28 global media properties provide security professionals and senior decision makers with industry- and geo-specific news, research, and educational events.

Link: ISMG Security Report – bank information security (bankinfosecurity.com)

CYBERSECURITY TRENDS

Proofpoint’s Annual Human Factor Report Reveals How 2021 Became the Year Cyber Criminals Got Creative

Link: Proofpoint’s Annual Human Factor Report Reveals How 2021 Became the Year Cyber Criminals Got Creative | Proofpoint US

“Key findings highlighted in Proofpoint’s 2022 Human Factor report include:

  • Cyber criminals recognize that our smartphone contains the keys to both our personal and professional lives. Smishing attempts more than doubled in the US over the year, while in the UK over 50% of lures were themed around delivery notification. In addition, cyber criminals initiated more than 100,000 telephone-oriented attacks a day.
  • High-privilege users are disproportionately targeted. Managers and executives make up only 10% of overall users within organizations, but almost 50% of the most severe attack risk.
  • Over 80% of businesses are attacked by a compromised supplier account each month. Security awareness training focusing on supply chain threats is business critical for organizations.
  • The hand-in-glove relationship between malware groups and ransomware operators continues. More than 20 million messages attempted to deliver malware linked to an eventual ransomware attack between January 1 and December 31, 2021.
  • Cyber criminals continue to capitalize on global conflicts. Earlier this year, threat actors and APT groups aligned with national interests responded to Russia’s invasion of Ukraine. We saw destructive wiper malware deployed against Ukrainian organizations and key communications infrastructure, in addition to activity from Belarus- and China-aligned actors, specifically targeting European governmental organizations involved in asylum and other relief efforts.”

· Cybersecurity Trends: Looking Over The Horizon

Link: Cybersecurity trends: Looking over the horizon | McKinsey

McKinsey examines three of the latest cybersecurity trends and their implications for organizations facing new and emerging cyber risks and threats.

“Cybersecurity has always been a never-ending race, but the rate of change is accelerating. Companies are continuing to invest in technology to run their businesses. Now, they are layering more systems into their IT networks to support remote work, enhance the customer experience, and generate value, all of which creates potential new vulnerabilities.

At the same time, adversaries—no longer limited to individual actors—include highly sophisticated organizations that leverage integrated tools and capabilities with artificial intelligence and machine learning. The scope of the threat is growing, and no organization is immune. Small and midsize enterprises, municipalities, and state and federal governments face such risks along with large companies. Even today’s most sophisticated cyber controls, no matter how effective, will soon be obsolete.

Hackers are using AI, machine learning, and other technologies to launch increasingly sophisticated attacks

The stereotypical hacker working alone is no longer the main threat. Today, cyberhacking is a multibillion-dollar enterprise, complete with institutional hierarchies and R&D budgets. Attackers use advanced tools, such as artificial intelligence, machine learning, and automation. Over the next several years, they will be able to expedite—from weeks to days or hours—the end-to-end attack life cycle, from reconnaissance through exploitation. For example, Emotet, an advanced form of malware targeting banks, can change the nature of its attacks.”

· 7 hot cybersecurity trends (and 2 going cold)

Link: 7 hot cybersecurity trends (and 2 going cold) | CSO Online

“Is that security trend hot or not? From tools and technologies to threats and tactics, the numbers don’t lie.

hot (and not) cybersecurity trends

  1. Hot – Ransomware
  2. Hot – Cryptomining/Cryptojacking
  3. Hot – Deepfakes
  4. Hot – Videoconferencing attacks
  5. Cold – VPNs
  6. Hot – IoT and OT attacks
  7. Hot – Supply chain attacks
  8. Hot – XDR
  9. Cold – Passwords”

As the stats and trends continue to show, cybercrime is growing exponentially each year and so are the risks to governments, business, organizations, and especially consumers. Unfortunately, the internet was not built with security in mind, and we are increasingly vulnerable because of our growing dependencies on technology and connectivity.

There is hope. Cybersecurity investments in capabilities in hardware, software, training, and emerging tech must keep pace to protect and preempt the increasingly sophisticated threats in both the public and private sectors. Both budgets and awareness are rising in the cyber ecosystem, and governments are issuing mandates for preparedness. Cybersecurity is a difficult quest, but hopefully in 2023 we may see some more encouraging results.

About the Author:

Chuck Brooks, President of Brooks Consulting International, is a globally recognized thought leader and subject matter expert in Cybersecurity and Emerging Technologies. Chuck is also Adjunct Faculty at Georgetown University’s Graduate Applied Intelligence Program and the Graduate Cybersecurity Programs, where he teaches courses on risk management, homeland security, and cybersecurity. LinkedIn named Chuck as one of “The Top 5 Tech People to Follow on LinkedIn.” He was named as one of the world’s “10 Best Cyber Security and Technology Experts” by Best Rated, as a “Top 50 Global Influencer in Risk, Compliance” by Thomson Reuters, “Best of The World in Security” by CISO Platform, and by IFSEC and Thinkers 360 as the “#2 Global Cybersecurity Influencer.” He was featured in the 2020, 2021, and 2022 Onalytica “Who’s Who in Cybersecurity” as one of the top influencers for cybersecurity. He has an MA in International Relations from the University of Chicago, a BA in Political Science from DePauw University, and a Certificate in International Law from The Hague Academy of International Law.

Chuck Brooks LinkedIn Profile: Chuck Brooks | LinkedIn

Chuck Brooks on Twitter: @ChuckDBrooks
