Looking for hard numbers to back up your sense of what’s happening in the cybersecurity world? We dug into studies and surveys of the industry’s landscape to get a sense of the lay of the land—both in terms of what’s happening and how security leaders are reacting to it. If you want data on what systems are most vulnerable, what malware is topping the charts, and how much people are getting paid to deal with it all, read on.
9 key cybersecurity statistics at a glance
- 94 percent of malware is delivered via email
- Phishing attacks account for more than 80 percent of reported security incidents
- $17,700 is lost every minute due to phishing attacks
- 60 percent of breaches involved vulnerabilities for which a patch was available but not applied
- 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
- Attacks on IoT devices tripled in the first half of 2019
- Fileless attacks grew by 256 percent over the first half of 2019
- Data breaches cost enterprises an average of $3.92 million
- 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill
The year in vulnerabilities
Let’s start by getting basic: no matter how many new and exotic vulnerabilities you’ll hear about, in this article and others on cybersecurity, there’s one that towers over all the rest. In an examination of thousands of security incidents, Verizon found that almost all malware arrived on computers via email: this was true in 94 percent of cases. In not unrelated news, the number one type of social engineering attack, accounting for more than 80 percent of reported incidents, is phishing—the end goal of which is often to convince users to install malware. So if you want to improve your security posture, you know where to start. (And before you think of phishing as some kind of sinister Eastern European or Nigerian scam, know that 40 percent of phishing command and control servers are in the US.)
That doesn’t mean other vulnerabilities aren’t important, of course. The Common Vulnerabilities and Exposures (CVE) database lists more than 11,000 exploitable vulnerabilities in commonly used systems and software—and as of mid-2019, 34 percent had no patches available. A great example of how the process of patching vulnerabilities plays out can be seen in CVE-2017-11882, a vulnerability in Microsoft’s Equation Editor; malware delivered through this hole plummeted by more than 70 percent in just a few months as IT departments patched or upgraded servers from Windows 7. But the mere existence of patches isn’t a cure-all: according to Security Boulevard, 60 percent of breaches involved vulnerabilities for which a patch was available but not applied.
If we want to dig deeper into the world of vulnerabilities, we need to dig deeper into our computers, into the BIOS level that mediates between the bare metal and the OS. In a survey conducted by Dell, 63 percent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach. (Perhaps it’s unsurprising that the same survey found that only 28 percent of companies were happy with their vendors’ hardware security management.)
One final bit of attack surface to contemplate is the increasingly omnipresent collection of IoT devices that we rely on for everything from manufacturing controls to playing music in our homes. Since the days of the Mirai botnet, security experts have been sounding the alarm on IoT, but it’s getting worse very quickly: F-Secure estimates that attacks on IoT devices tripled in the first half of 2019.
Plenty of nasty malware was in the wild attempting to exploit these vulnerabilities. Kaspersky says that its web antivirus platform identified 24,610,126 “unique malicious objects” in 2019, a 14 percent boost over 2018. All in all, according to Kaspersky, nearly 20 percent of all internet users were the subject of some kind of malware attack. But those attacks weren’t necessarily distributed equally, and attackers are showing more savvy and going after potentially richer targets. For instance, according to Malwarebytes, malware attacks on consumers actually dropped 2 percent, but businesses were in hackers’ crosshairs, with threats against them spiking 13 percent.
What specific types of malware attacks were en vogue over the past year? Malwarebytes noted a 224 percent rise in infections by a category of malware it calls hack tools — basically, malicious programs that can probe through systems and networks and download further malicious payloads to take advantage of weaknesses.
A couple other types of malware had a notably prosperous 2019. Fileless malware—attack code that lives only in RAM and doesn’t write files to disk—continued its rise. Trend Micro says that fileless attacks grew by 256 percent over the first half of 2019. Another threat that seemed to explode was the web skimmer, a type of code injected on the server or sometimes even the client side of online payment transactions by criminal gangs to harvest credit card numbers. Web skimming attacks shot up by 187 percent.
Emotet, a banking trojan that has bedeviled the world for more than five years, kept rolling and evolving in 2019; today it mostly serves to run nets of spambots that spread other trojans, like TrickBot. According to Cofense, in just the last three months of 2019 Emotet used over 290,000 compromised email addresses to spread malware, including 33,000 unique attachments.
The cost of security failures
Legend has it that bank robber Willie Sutton said he robbed banks because “that’s where the money is.” And Verizon’s breach report confirms that’s the primary motivation behind cybercrime: 71 percent of breaches reported were financially motivated. But clearly, cybercriminals’ gains are losses for law-abiding citizens, and those losses add up.
Remember when we said up top that email and phishing are still the dominant way malware gets delivered? Well, the damage done is staggering. RiskIQ estimates that $17,700 is lost every minute due to phishing attacks. But that’s just the start of the damage. When it comes to data breaches, not everything is as costly to victims as, say, the Equifax hack, but they can still be pretty bad: IBM looked at breaches across more than 500 organizations and pegged the average financial hit to the affected enterprise, inclusive of everything from fines to lost worker hours, at $3.92 million.
Accenture put together its own study of the costs of various types of cyberattacks, with interesting results. Malware rates as the most expensive, with an attack costing victims up to $2.6 million. Perhaps surprisingly, given its prominence in the news, ransomware came in close to the bottom of the list, with each attack costing “only” $646,000 on average. And that covers incidental costs like lost productivity, not just the ransom itself: ransom payments in such attacks are often surprisingly low. Data Breach Today pegged the average payout for Q3 2019 at $41,000. Be aware that often the payout is zero, as organizations with good backup strategies or determination not to give in will sometimes refuse to pay. In fact, the percentage of victims who pay ransom varies widely by country: 77 percent of Canadian victims do, in comparison to only 3 percent of Americans; Germany and the UK fall between these two extremes.
Finally, keep in mind that improper security can cost you even if you’re not hacked at all, as regulations increasingly make insecure or user-hostile data practices financially risky. For instance, last year Google had to pay a $57 million fine in France for non-compliance with GDPR.
Budgets and spending priorities
With those potential losses looming, enterprises are realizing they have to spend money to protect themselves, and are planning their budgets accordingly. Respondents to CIO.com’s 2020 State of the CIO study are definitely concerned: a full 34 percent saw security and risk management as the number one driver of IT spending overall at their organization.
IDG’s Security Priorities study offers some insight into how specific decisions on spending are being made. Of the responding companies, 73 percent see spending driven to align with industry best practices, an encouraging (if somewhat vague) response that demonstrates motivation to do the right thing. On the other hand, 66 percent will be spending some of their budget to comply with laws and regulations, and while one could argue that this just represents government-mandated alignment with best practices, many enterprises don’t see things this way: survey respondents said that compliance mandates were a “distraction” from executing strategic plans.
One of the biggest spending stories of 2019 was that companies are deciding they want outside help with their cybersecurity. Managed security services, which can range from incident response assistance to complete infrastructure management, are being turned to more and more often: spending on these services hit $64.2 billion in 2019, more than double investment in infrastructure protection and network security equipment. Kennet Research estimates that this spending will grow at double digit rates over the next four years.
Kennet Research also has some dispiriting news about the state of security at small and medium businesses. In a 2019 survey of decision-makers at SMBs, 18 percent list cybersecurity as their lowest priority. That attitude is driven by a certain amount of complacency: 66 percent believe that a cyberattack is unlikely — even though 67 percent of SMBs were actually hit by a cyberattack in 2019.
Cybersecurity careers by the numbers
If there’s one message all of these numbers should be screaming out at cybersecurity pros, it’s this: You are needed! The State of the CIO study revealed that 40 percent of IT leaders say cybersecurity jobs are the most difficult to fill. That’s because, according to an ISC2 study, cybersecurity professionals have effectively a 0 percent unemployment rate. (One potentially untapped source of new cybersec pros? Women: the cybersecurity workforce is currently only 20 percent female.)
With cybersecurity being both crucial and in high demand, it shouldn’t come as a surprise that infosec is gaining institutional power within many companies. According to the State of the CIO study, 54 percent of responding organizations had a security officer in the C-suite, with titles like chief security officer (CSO), chief information security officer (CISO), or the like. And those jobs aren’t necessarily just being siloed under IT: for each of those job titles, more than 40 percent report directly to the CEO rather than to a CIO or other top IT exec. (Another fun fact that shows how in-demand high-level cybersecurity pros are: 25 percent of these execs had been approached by an outside organization trying to woo them away from their current job.)
All that adds up to cybersecurity being a lucrative job field for those who can hack it. As of early 2020, ZipRecruiter pegs the average US salary for an entry-level cybersecurity pro at $74,340 a year. (That’s almost twice the national average for all entry-level jobs.) And more specialized jobs command higher salaries: according to Mondo, application security engineers can earn annual salaries up to $180,000, while information security managers can net up to $215,000 a year. Unlike many of the scary numbers we’ve touched on in this article, those figures should be music to cybersecurity professionals’ ears.
Copyright © 2020 IDG Communications, Inc.