Virtualization Technology News and Information
Article
RSS
Scary Security Stats: Roundup from 2023 Research

ScarySecurityStats2023 

Each year, cybersecurity companies publish a number of research reports focusing on different aspects of cybersecurity and breach trends.  Below is a list of some of the most alarming statistics from several reports published throughout the year from various companies.

++

Veeam's 2023 Ransomware Trends Report

Despite their best efforts, enterprises everywhere are still faced with the threat of ransomware. According to Veeam's 2023 Ransomware Trends Report, a whopping 85% of organizations have suffered from at least one such attack over the past 12 months. The report also found that organizations are still ill-prepared to face this threat.

  • In 93% of ransomware incidents, threat actors target the backup repositories.
  • Attacks on backup repositories have resulted in 75% of victims losing at least some of their backups during the attack, and more than one-third (39%) being completely lost.
  • 80% continue to pay the ransom, primarily do that to get their data back. Yet even after paying, 21% don't recover their data.
  • A fifth of IT leaders report that ransomware is now excluded from their company policies.

Additionally, many respondents to Veeam's survey acknowledge that progress needs to be made in incident response.

  • Despite 87% claiming they have a risk management program that drives their security roadmap, only 35% believe their program is working well and 52% are seeking to improve their situation.
  • 60% of organizations say there is insufficient alignment between their backup and cyber teams, despite backup recovery being a common element of the incident response playbook.

++

Object First - Results from a consumer survey show how the increased sophistication and frequency of cyberattacks is causing consumers to worry about their personal data being put at risk by the companies they entrust it to. 

Key findings include:

  • 81% of consumers report feeling "very scared or worried" about their data being held by organizations lacking robust resilience against ransomware.
  • After an attack, 1 in 3 consumers demand evidence of resilient backup and recovery strategies, and 30% lose all confidence in the company's data protection plan.
  • 75% of consumers are likely to switch their business to a competitor if their current vendor experiences a ransomware attack in which their data was stolen or lost indefinitely. 
  • 55% prefer vendors to have all the following protections in place: data backup and recovery, password protection including MFA, and identity and access management. 

++

According to Kaspersky Security Network, in Q1 2023:

  • Kaspersky solutions blocked 865,071,227 attacks launched from online resources across the globe.
  • Web Anti-Virus detected 246,912,694 unique URLs.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 106,863 unique users.
  • Ransomware attacks were defeated on the computers of 60,900 unique users.
  • Our File Anti-Virus detected 43,827,839 unique malicious and potentially unwanted objects.

According to Kaspersky Security Network, in Q2 2023:

  • Kaspersky solutions blocked 801,934,281 attacks from online resources across the globe.
  • A total of 209,716,810 unique links were detected by Web Anti-Virus components.
  • Attempts to run malware for stealing money from online bank accounts were stopped on the computers of 95,546 unique users.
  • Ransomware attacks were defeated on the computers of 57,612 unique users.
  • Our File Anti-Virus detected 39,624,768 unique malicious and potentially unwanted objects.

++

Keeper Security - Cybersecurity Disasters Survey: Incident Reporting & Disclosure

  • Nearly half (48%) of respondents have been aware of a cybersecurity attack that their organization did not report to the appropriate authorities.
  • Nearly one-fourth of all respondents (22%) said their organizations had "no system in place" to report breaches to leadership.
  • A combined 48% of respondents did not think leadership would care about a cyberattack (25%) nor would respond (23%).
  • Nearly one-fourth of all respondents (22%) said their organizations had "no system in place" to report breaches to leadership.
  • Despite the benefits of Privileged Access Management (PAM) solutions, nearly two-thirds of IT leaders (62%) revealed the downturn in economic conditions would likely cause them to scale back their current PAM platform.
  • Fifty-six percent of respondents tried to deploy a PAM solution but did not fully implement it, and 92% cited overly-complex solutions as the main reason. 58% of IT teams have not deployed a PAM solution because traditional platforms are too expensive.

Three in Four People at Risk of Being Hacked Due to Poor Password Practices

75% of people globally don't adhere to widely-accepted password best practices, with a majority (64%) either using weak passwords or repeat variations of passwords to protect their online accounts.

++

Specops – {New Research} Do longer passwords protect you from compromise?

  • 212.5 million total compromised passwords were 8 characters exactly
  • 85% of compromised passwords are under 12 characters in length
  • 31.1 million compromised passwords over 16 characters in length
  • The phrase ‘new hire’ appears in the second and third most commonly compromised 15-character passwords

++

Zerto –  2023 Ransomware Strategy Survey

  • The report shows that 35.4% of companies are not prioritizing recovery. This is scary, as ransomware actors are becoming more capable of impounding data. Businesses will suffer wide-ranging consequences if they cannot recover and get back up and running immediately on their own behalf.
  • Just over half of the companies surveyed (56.6%) focus on both recovery and prevention. This will haunt companies because it indicates that a holistic view is far from widespread amongst those surveyed.

++

Jumio - 2023 Online Identity Consumer Study: 

  • 57% of consumers believe generative AI tools will make online identity theft easier.
  • 67% of consumers are aware of generative AI technologies but they overestimate their ability to detect a deepfake video.
++

Rockwell Automation - Anatomy of 100+ Cybersecurity Incidents in Industrial Operations 

  • OT/ICS cybersecurity incidents in the last three years have already exceeded the total number reported between 1991-2000.
  • Threat actors are most intensely focused on the energy sector (39% of attacks) - over three times more than the next most frequently attacked verticals, critical manufacturing (11%) and transportation (10%).

++

Cyolo - The State of Industrial Secure Remote Access (I-SRA) 

  • More than half of respondents quoted visibility (55%), user education (54%), access control (53%), outdated operating systems (52%) as top exposure concerns.
  • Threats to operational safety (75%), Advanced Persistent Threats (APTs) (67%), and misconfigurations (59%) were identified as the primary risks

++

Capterra - GetApp's 5th Annual Data Security Survey 

  • IT security managers consider advanced phishing attacks the top threat heading into 2024.
  • IT security managers listed advanced phishing attacks (43%), AI-enhanced attacks (38%) and advanced ransomware attacks (33%) as the most concerning threats for the next 12 months.

++

Capterra - Three Factors That Weaken Data Classification-and Lead to Data Breaches 

  • Two in three (67%) businesses with a data classification program reported a data breach within the last two years, and a quarter of those same respondents reported multiple breaches.
  • Most companies use three (27%) or four (41%) data classification levels.
  • Companies using four data classification levels are more likely (75%) to report data breaches than those using three levels (61%).
  • Expanding beyond the three fundamental types of company data (public, internal, confidential) can cause problems as the difference between additional labels can require nuanced explanations and understanding.
  • Most data breaches result from human factors instead of malicious actors.
  • The most common type of breach was a database or other data source left unsecured (48%) while only 38% reported that a hacker or other outsider had maliciously accessed data.

++

Skybox Security - Vulnerability and Threat Trends Report 2023 

  • The National Vulnerability Database (NVD) added 25,096 new vulnerabilities in 2022.
  • That's the largest number of vulnerabilities ever published in a single year, and it's a 25% jump from the 20,196 new vulnerabilities reported in 2021.
  • By the end of 2022, the total number of vulnerabilities cataloged in the NVD hit 192,051, and the count will soon surpass 200,000.
  • 80% of vulnerabilities reported in 2022 were medium or high severity and 16% were deemed critical.

++

SecurityScorecard - Close Encounters of the Third (and Fourth) Party Kind 

  • 98% of organizations have vendor relationships with at least one third-party that has experienced a breach in the last two years.
  • For every third-party vendor in their supply chain, organizations typically have indirect relationships with 60 to 90 times that number of fourth-party relationships.
  • 50% of organizations have indirect relationships with at least 200 breached fourth-party vendors in the last two years.

++

Cofense - 2023 Cofense Phishing Intelligence Trends Review: Q2 

  • PDF documents represented the most common malicious choice for threat actors representing 42.4% of all total malicious file attachments.
  • Malicious phishing emails increased by 569% in 2022

++

Cequence - API Protection Report  

  • 31% or 5 billion malicious transactions targeted unknown, unmanaged and unprotected APIs, commonly referred to as shadow APIs, making this the top threat challenging the industry
  • Holiday shopping sees a 550% increase in API threats 

++

Thales 2023 Healthcare and Life Sciences Report

According to the Thales 2023 Healthcare and Life Sciences Report, 71% of healthcare organizations have cited an increase in attacks, far higher compared to other industries at 49%. At the same time, HLS cites an increase in cloud infrastructure attacks, largely stemming from increasing complexity in securing data in cloud environments. The report also found that:

  • Cloud-based resources are seen as the leading targets of attackers.
  • 87% of healthcare respondents have two or more cloud providers.
  • In 2022, 44% of respondents were concerned with cloud complexity for securing data; this has risen to 55% in 2023.

Thales Survey on Surprising Differences in Generational Responses to Phishing

A recent survey by Thales uncovered that millennial and Gen Z consumers have a false sense of confidence in their security abilities - baby boomers top the list as the most secure generation when it comes to spotting and properly responding to phishing attempts. Despite Gen Z being labeled as the tech savvy generation, with millennials close behind, the survey highlights that these technical competencies don't equate to stronger security skills. Among the key findings:

  • 50% of millennials and 41% of Gen Z respondents were "very confident" in their ability to identify a phishing message, compared to only 14% of baby boomers
  • When presented with actual phishing messages, baby boomer respondents most accurately identified the messages were untrustworthy whereas Gen Z respondents were the most likely to trust the phishing messages
  • The phishing message that tricked the most respondents tricked only 5% of baby boomers; the same message tricked 30% of Gen Z and 28% of millennials
  • When asked what to do with a phishing message, Gen Z and millennial respondents were more likely to select an option that would put themselves or someone else at risk to falling victim (i.e opening an attachment, forwarding the message and clicking links in the message
++

Menlo Security

How Employee Usage of Generative AI is Impacting Security Posture

  • Since the launch of ChatGPT in November 2022, use of generative AI has increased by 1,200% and carries with it a slew of security concerns, including employees inadvertently exposing corporate data. In observing generative AI usage of 500 global organizations within a 30-day period, Menlo found 10,190 instances of attempted file uploads into chatbots, and 3,394 instances of employees copying and pasting information into chatbots.
  • As employees were attempting to input sensitive and confidential information into generative AI platforms, it was found that 50.4% of data was classified as personally identifiable information (PII) and another 24.6% was classified as confidential documents.

Annual Cyberthreat Defense Report

  • 4 out of 5 ransomware attacks include threats beyond data encryption, such as threats to publicly release exfiltrated data, notify customers or the media of a data breach, or a threat to commit a DDoS attack against the organization.

++

Dig Security - The State of Cloud Data Security in 2023

  • More than 30% of cloud data assets contain sensitive information. Personal identifiable information (PII) is the most common sensitive data type that organizations save. In a sample data set of 1 billion records, more than 10 million social security numbers were found (the sixth most common type of sensitive information), followed by almost 3 million credit card numbers, the seventh most common type.
  • 91% of database services with sensitive data were not encrypted at rest, 20% had logging disabled, and 1.6% were open to the public
  • More than 60% of storage services were not encrypted at rest, and almost 70% were not logged

++

Cowbell - Q2 2023 Cyber Round-Up Report

  • SMEs without insurance fear a major cyberattack could sink them. 72% of SMEs without cyber insurance say that a major cyberattack could destroy their business.
  • Cyber incidents cost SMEs more than they anticipated. 90% of SMEs that experienced a serious incident said the cyberattack cost them more than they thought it would.
  • Cyber incidents erode customer trust and business operations. 81% of the SMEs that experienced a cyber incident say they saw a widespread drop in customer trust, and 91% said it significantly degraded their business operations.
  • Critical infrastructure top cyberattack victims. 68% of SMEs in the computer hardware or software industry have experienced a significant cyberattack in the past 12 months, with utilities/energy/ water/telecom following closely with 61%, and financial services or insurance with 60%.

++

Zimperium - Global Mobile Threat Report

  • 43% of all compromised devices were fully exploited (not jailbroken or rooted), an increase of 187% year-over-year
  • Both Apple and Android saw increasing instances of detected vulnerabilities. There was a 138% increase in critical Android vulnerabilities discovered in 2022, while Apple iOS accounted for 80% of the zero-day vulnerabilities actively being exploited in the wild.
  • Malware is continuing to proliferate rapidly. Between 2021 and 2022, the total number of unique mobile malware samples rose 51%, with more than 920,000 samples detected, including Dirty RatMilad, MoneyMonger and Dark Herring. Zimperium protected its customers from 2,000 samples each week that were not yet identified by the industry in general ("zero-day" malware).

++

XM Cyber - State of Exposure Management Research Report

  • Only 2% of exposures lie on choke points leading to critical assets. Focusing on these maximizes risk reduction while minimizing remediation workload.
  • 71% of firms have exposures that enable attackers to pivot from their on-prem to cloud environment. Once there, 92% of critical assets lie just one hop away.
  • Attackers can access 70% of critical assets in on-prem networks in just 3 steps. It's even worse in the cloud, where 90% of critical assets are just one hop away from initial compromise.
  • Endpoint detection and response capabilities cover fewer than half of all devices in 38% of firms.
  • 36% of firms grant permissions enabling at least half of their devices to access critical assets.
    • Techniques targeting credentials and permissions affect 82% organizations and constitute over 70% of all identified security exposures.

++

Salt Security - State of API Security Report

  • 54% of respondents said outdated or "zombie" APIs are a high concern, up from 42% from last quarter. (Zombie, or outdated, APIs have been the #1 concern in the past five surveys from Salt, likely the result of increasingly fast-paced development as organizations seek to maximize the business value associated with APIs.)
  • 43% stated account takeover (ATO) as a high concern.
  • Only 20% cited shadow APIs as a top concern. Given API documentation challenges, it is likely most environments are running APIs that are not documented and that the risk in this area is likely higher than many respondents realize

++

Auvik - 2023 Network IT Management Report

  • 45% of IT teams do not fully know the configuration of their networks, and 21% shared that individuals outside of ITOps are making configuration changes
  • 41.5% of respondents said network documentation is updated monthly or less often - despite 53% reporting that configuration changes are happening daily or weekly
  • Only half of IT professionals surveyed said they are performing SaaS and Cloud monitoring or Wi-Fi management. SaaS and cloud applications (e.g. Salesforce, Slack, G Suite, Microsoft 365, Zoom, etc.) are how employees are getting work done. These apps as well as the Wi-Fi employees are using at home (or at a hotel, a coffee shop, etc.) pose potential security risks to the enterprise network, and thus IT teams must have visibility and solutions for enabling their workforce to be productive while minimizing risk.

++

CardinalOps - State of SIEM 2023 Report

  • Enterprise SIEMs are missing detections for 76% of all MITRE ATT&CK techniques
  • Detections are holding organizations back, not data; SIEMs are already ingesting sufficient data to cover 94% of all MITRE ATT&CK techniques

++

Incode - Consumer Pulse on Biometrics Report

  • 38% do not trust passwords to protect their online payment processes. 
++
 
ThreatX - Cyber Talent Shortage Data Report  
  • Only 10% of consumers reported feeling protected by companies they do business with
  • 1% of consumers said they would switch to a competing brand following a vendor data breach
  • 48% of consumers confirmed their data has been left vulnerable following a data breach due to an organization’s lack of protection, and 9 in 10 agree they’re concerned this lack of protection will negatively impact their lives
  • 40% of consumers ranked financial burden as a top concern for them following a vendor data breach amid the ongoing recession. 

++

Absolute Software

  • IT and security practitioners agree that security tools like Endpoint Protection Platform (EPP), Endpoint Detection and Response (EDR), anti-virus, etc. are essential to defend against attacks, and therefore should always be running and up to date. Absolute's data shows that 25 - 30% of devices had unhealthy security controls. (Source: Absolute's 2023 Resilience Index)
  • There are 67 applications installed on the average enterprise device, with 10% of those devices having more than 100 applications installed, underlining the complexity landscape. (Source: Absolute's 2023 Resilience Index)
  • Some of the world's leading security apps are installed, running, and healthy across only 60-70% of the devices. (Source: Absolute's 2023 Resilience Index)
  • Zero Trust Network Access (ZTNA) applications have become the lifeline to enterprises, but data shows these critical tools are either not installed or are not at the required version level on more than 30% of devices, exposing organizations to unnecessary risk. (Source: Absolute's 2023 Resilience Index)

++

Bitdefender released new research showing that nearly half of Halloween-themed spam is malicious and urges the public to be on alert as Halloween (in many regions) is the start of the holiday shopping season and expects scams to increase.
 
Key findings:

  • 48% of Halloween-themed spam is fraudulent.
  • 69% of the spam is hitting U.S. inboxes followed by Ireland (9%),  Sweden (5%) and Germany (3%).
  • Origin of the spam is predominately coming from Malaysia and the U.S. (69% combined).
++
 
SlashNext - The State of Phishing 2023
  • 1,265% increase in malicious emails observed since the launch of ChatGPT in November 2022
  • 967% increase in credential phishing emails, specifically
  • 68% of all phishing emails are text-based Business Email Compromise (BEC), and do not contain any malicious links or attachments
++

Netwrix - 2023 Hybrid Security Trends Report

  • 68% of organizations experienced a cyberattack within the last 12 months
  • 40% of breached organizations incurred unplanned expenses
  • 28% of large enterprises (with more than 1,000 employees) estimated their financial damage from cyberthreats to be at least $50,000, compared to just 16% among organizations overall
  • 73% of respondents suffered a phishing attack on premises and 58% experienced it in the cloud
  • Account compromise attacks in the cloud continue to intensify, with 39% of respondents reporting it in 2023 compared to 31% in 2022 and just 16% in 2020
  • Risk associated with an organization's own employees was the top data security concern, cited by 58% of respondents

++

Parallels by Alludo - Embracing the hybrid cloud in 2023 and beyond: what the future holds for IT professionals

  1. 46% of IT professionals have chosen the hybrid cloud to improve security
  2. Yet out of the ones that don't get value from the public cloud, 33% of IT professionals say they are not getting the maximum value out of the public cloud because of security issues
  3. 62% of IT professionals view the lack of cloud management skills as a roadblock to growth
  4. 27% of IT professionals report that enhancing data security is their top goal for the next two years

++

WinZip by Alludo - The state of data security in 2023 and beyond

  1. 41% of companies had a security breach in the last 12 months
  2. 82% of overall security breaches in the U.S. were at least partially caused by human error
  3. The top three internal threats were employee mistakes and negligence (human error) at 55%, weak passwords or poor password hygiene at 51%, and mobile device vulnerabilities at 38% 

##

Published Tuesday, October 31, 2023 7:31 AM by David Marshall
Filed under: ,
Comments
There are no comments for this post.
To post a comment, you must be a registered user. Registration is free and easy! Sign up now!
Calendar
<October 2023>
SuMoTuWeThFrSa
24252627282930
1234567
891011121314
15161718192021
22232425262728
2930311234