Looking for hard numbers to back up your sense of what’s happening in the cybersecurity world? We dug into studies and surveys of the industry’s landscape to get a sense of the lay of the land—both in terms of what’s happening and how security leaders are reacting to it. If you want data on what systems are most vulnerable, what malware is topping the charts, and how much people are getting paid to deal with it all, read on.
9 key cybersecurity statistics at a glance
- 94 percent of malware is delivered via email
- Phishing attacks account for more than 80 percent of reported security incidents
- $17,700 is lost every minute due to phishing attacks
- 60 percent of breaches involved vulnerabilities for which a patch was available but not applied
- 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
- Attacks on IoT devices tripled in the first half of 2019
- Fileless attacks grew by 256 percent over the first half of 2019
- Data breaches cost enterprises an average of $3.92 million
- 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill
The year in vulnerabilities
Let’s start by getting basic: no matter how many new and exotic vulnerabilities you’ll hear about, in this article and others on cybersecurity, there’s one that towers over all the rest. In an examination of thousands of security incidents, Verizon found that almost all malware arrived on computers via email: this was true in 94 percent of cases. In not unrelated news, the number one type of social engineering attack, accounting for more than 80 percent of reported incidents, is phishing—the end goal of which is often to convince users to install malware. So if you want to improve your security posture, you know where to start. (And before you think of phishing as some kind of sinister Eastern European or Nigerian scam, know that 40 percent of phishing command and control servers are in the US.)
That doesn’t mean other vulnerabilities aren’t important, of course. The Common Vulnerabilities and Exposures (CVE) database lists more than 11,000 exploitable vulnerabilities in commonly used systems and software—and as of mid-2019, 34 percent had no patches available. A good example of how the patching process plays out can be seen in CVE-2017-11882, a vulnerability in Microsoft’s Equation Editor; malware delivered through this hole plummeted by more than 70 percent in just a few months as IT departments patched or upgraded servers from Windows 7. But the mere existence of patches isn’t a cure-all: according to Security Boulevard, 60 percent of breaches involved vulnerabilities for which a patch was available but not applied.
If we want to dig deeper into the world of vulnerabilities, we need to dig deeper into our computers, into the BIOS level that mediates between the bare metal and the OS. In a survey conducted by Dell, 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach. (Perhaps it’s unsurprising that the same survey found that only 28 percent of companies were happy with their vendors’ hardware security management.)
One final bit of attack surface to contemplate is the increasingly omnipresent collection of IoT devices that we rely on for everything from manufacturing controls to playing music in our home. Since the days of the Mirai botnet, security experts have been sounding the alarm on IoT, but it’s getting worse very quickly: F-Secure estimates that attacks on IoT devices tripled in the first half of 2019.
Plenty of nasty malware was in the wild attempting to exploit these vulnerabilities. Kaspersky says that its web antivirus platform identified 24,610,126 “unique malicious objects” in 2019, a 14 percent increase over 2018. All in all, according to Kaspersky, nearly 20 percent of all internet users were the subject of some kind of malware attack. But those attacks weren’t distributed equally, and attackers are showing more savvy and going after potentially richer targets. For instance, according to Malwarebytes, malware attacks on consumers actually dropped 2 percent, but businesses were in hackers’ crosshairs, with threats against them spiking 13 percent.
What specific types of malware attacks were in vogue over the past year? Malwarebytes noted a 224 percent rise in infections from a category of malware it calls hack tools: malicious programs that probe systems and networks and download further malicious payloads to take advantage of weaknesses.