Security breaches are becoming increasingly commonplace and dangerous. The World Economic Forum nominated cyber-attacks as one of the major threats to global stability for 2019. Not only is money at stake: breaches have an appalling effect on organizations’ reputation and trustworthiness, and often prove to be a business killer. Most important, however, is the data – our personal data that, once stolen, is available to cybercriminals to exploit.
We would like to draw your attention to 96 meaningful statistics concerning not only the hefty cost of data breaches but also the origins of risk, the menace for small companies, and the origin of the problem – cybercriminals. We will also focus on the effects of the COVID-19 pandemic on cybersecurity and the situation in the healthcare sector. We will finish with examples of good practices to mitigate the data breach risk, which we should not run away from, but act upon.
Data breaches – a high-frequency phenomenon
- A cyberattack occurs every 39 seconds (University of Maryland).
- It is estimated that a business will fall victim to a ransomware attack every 11 seconds by 2021 (Herjavec Group).
The hefty cost of a data breach
- On average, the cost of a data breach is $8.64 million. (IBM).
- The cost of one stolen record in a data breach is roughly $146. (IBM).
- 61% of the costs come in the first year after the data breach. (IBM).
- Breaches discovered and contained within the first 200 days of their occurrence cost companies 1.12 million dollars less than breaches contained for more than 200 days. (IBM).
- Breaches of 1 million to 10 million records cost an average of $50 million, more than 25 times the average cost of $3.86 million for breaches of less than 100,000 records. (IBM).
- The cost of a massive breach of 50 million records was $392 million, which is more than 100 times the average cost. (IBM).
- In 2019, data breaches cost companies a total of 2 trillion dollars. (Juniper).
- On average, the presence of an incident response team and the incident response plan testing in organizations reduces the cost of a breach by $2 million (IBM).
- The estimate for global cybercrime cost in 2021 is $6 trillion (Cybersecurity Ventures).
- In 2019, the country with the highest average total cost of a data breach was the United States at $8.64 million (IBM).
- Enterprise spending on cloud security solutions is predicted to increase from $636M in 2020 to $1.63B in 2023, attaining a 26.5% CAGR. (Gartner)
- The average cost of a data breach in 2020 for big businesses is more than $150 million. (BigCommerce)
- The market value of numerous companies has fallen by 25% over the year following a cyber-attack. (AON)
- Including customer turnover, increased customer acquisition activities, reputation losses, and diminished goodwill, the total cost of lost business globally was highest for United States companies at $4.13 million per company. (Ponemon Institute’s Cost of Data Breach Study)
- Losses related to cybercrime are projected to reach $6 trillion per annum by 2021. (Cybersecurity Ventures)
- The most expensive part of a cyber attack is information loss at $5.9 million. (Accenture)
The real numbers on data breaches
- 24% of incidents where malware is used involve ransomware. (Verizon).
- 34% of data breaches in 2018 involved internal actors. (Verizon).
- 36% of external data breach actors in 2019 were involved in criminal organizations. (Verizon).
- 48% of malicious email attachments are MS Office documents (Symantec).
- 71% of breaches are due to financial motivation. (Verizon).
- The average time to contain a data breach was 73 days (IBM).
- The average time to identify a breach in 2020 was 220 days (IBM).
- The data breach lifecycle of a malicious or criminal attack in 2020 took an average of 280 days (IBM).
- An average of 4,800 websites per month are compromised with formjacking code (Symantec).
- 49.07% of accidents with data leakage from databases without confidentiality disclosure have happened to stored data. (Veris)
- 1244 data breaches took place in the US in 2018 and 446.5 million records were exposed (Statista).
- 1 billion records were exposed in data breaches in the first six months of 2019 (Forbes).
The huge risk for small companies
- The cost of cyber-attacks for small businesses is between $84,000 and $148,000. (USA Today)
- 60% of small businesses go bankrupt within six months of an attack. (USA Today)
- According to the Verizon Data Breach Investigation Report, 61% of breaches hit smaller businesses last year, which is a rise compared to the previous year’s 53%. (USA Today)
- In 2018, the main reason SMEs and large entities purchased cyber insurance was risk transfer (Statista).
- 43% of data breach victims are small businesses (Verizon).
- In 2019, data breaches cost smaller organizations relatively more than large organizations. The average cost per employee was $204 for companies with fewer than 25 000 employees. (IBM).
- 3.5 million cybersecurity jobs are unfilled. This number grew by 350%, from 1 million unfilled jobs in 2013 to 3.5 million, which is the projected number for 2021. (Cybersecurity Ventures)
Healthcare is in danger
- Data breaches come at the highest price in the healthcare industry, costing $7.13 million on average. (IBM).
- 15% of breaches involved Healthcare institutions (Verizon)
- During the last three years, 93% of healthcare organizations were subjected to cyberattacks (Verizon)
- Healthcare spent the most time tackling a data breach – 329 days (IBM).
- Hospitals spend 64% per annum on advertising over the two years after a breach (American Journal of Managed Care).
- Confirmed data breaches in the healthcare sector increased by 58% in 2020. (Verizon)
The appalling effect of the pandemic on data security
- 47% of employees pointed to distraction as the reason for falling for phishing scams while working from home. (Tessian)
- Web application breaches are the reason for 43% of all breaches. The latter has doubled since 2019. (Verizon)
- 52% of legal and compliance leaders are concerned about third-party cyber-security risks due to remote work during the COVID-19 pandemic. (Gartner)
- Remote work has resulted in an increase in the average cost of a data breach by $136,974. (IBM)
- 81% of cybersecurity specialists have reported that their job function has changed during the pandemic. ((ISC)²)
- In April, 83% of tech companies reported new customer inquiries, 36% of which were in the cybersecurity sector. (CompTIA)
- The search for the term “how to remove a virus” increased by 42% in March 2020. (Google Trends)
- From January to March 2020 there was an increase of 8.3% in the usage of mobile VPN. (WatchGuard)
- 76% of remote workers report that working from home would increase the time to identify and contain a breach. (IBM)
- 33,000 unemployment applicants were subject to a data breach from the Pandemic Unemployment Assistance program in May. (NBC)
- Scams increased by 400% over the month of March. This has made the COVID-19 pandemic the largest security threat ever. (ReedSmith)
- In April, Google blocked 18 million malware and phishing emails related to Coronavirus per day. (Google)
- 500 thousand Zoom user accounts were compromised and sold on a dark web forum. (CPO Magazine)
- Every day 1,767 high-risk Coronavirus-themed domain names are created. (Palo Alto Networks)
- 471 fake online shops selling fraudulent COVID-19 items were taken down in the United Kingdom. (ZDNet)
- 450 active WHO email addresses and thousands of email addresses of COVID-19 response teams leaked in April 2020. (WHO)
- Visits to popular hacker websites and forums increased by two thirds (66%) between the months of March and May. (cybernews)
- Since COVID-19, the US Federal Bureau of Investigation reported a 300% increase in reported cybercrimes (Cybint)
Where does the risk really come from?
- As of 2019, cyber-attacks are among the top five risks to global stability (World Economic Forum).
- Cyber risk is the biggest concern for risk managers in the United States (Actuary).
- In 2019, an employee had access to 17 million files and 1.21 million folders on average (Varonis).
- 15% of companies found more than 1 million folders open to every employee in the company (Varonis).
- 53% of companies found that more than 1000 sensitive files were open to every employee (Varonis).
- 58% of companies found that more than 1000 of their files had inconsistent permissions (Varonis).
- 80% of companies possessing more than 1 000 000 folders found that more than 50 000 folders (5%) were open to every employee. (Varonis).
- 80% of companies with over 1 million folders found over 50,000 folders open to every employee (Varonis).
- Enterprise spending on cloud security solutions (Cyber Edge)
- The overall volume of Internet of Things attacks remained high in 2018. Routers and cameras were among the most infected devices, accounting for 75% and 15% of the attacks respectively (Symantec).
- 95% of companies found over 100,000 folders containing stale data (Varonis).
- On average, 50% of user accounts are stale (Varonis).
- Only 5% of a firm’s folders are protected (Varonis).
- The source of 90% of malware emails (Verizon).
- 38% of users reported that they have a password that never expires (Varonis).
- The number of supply chain attacks grew by 78% in 2018 (Symantec).
- The larger the data breach, the smaller the chance for the organization to have another breach in the following two years (IBM).
- 24% of data breaches are caused by human error (IBM).
- 52% of breaches are caused by a malicious attack (IBM).
- 23% of breaches are caused by system glitches. (IBM).
- 62% of breaches not involving an error, misuse, or physical action involved the use of stolen credentials, phishing or brute force (Varonis).
- Routers and connected cameras make up 90% of infected devices (Symantec).
- In 2019, C-level executives were 12 times more likely to be the target of social incidents and 9 times more likely to be the target of social breaches than in the previous years. (Verizon).
- Office applications were the most common object of exploitation worldwide in Q3 of 2018 (Statista).
- 52% of compliance leaders report that the most-increased third-party risk for their organization is cybersecurity. (Gartner)
Cybercriminals – the ‘bad guys’ of our time
- Nearly one in ten targeted attack groups use malware to disrupt business operations (Symantec).
- By stealing only 10 credit cards from the website, cybercriminals earn up to $2.2 million through formjacking. (Symantec).
- Attackers will take aim at biometric hacking and expose vulnerabilities in touch ID sensors, facial recognition, and passcodes (Experian).
- The online gaming community will be an emerging field of action for hackers, with cybercriminals posing as gamers and gaining access to the computers and personal data of the players that choose to trust them. (Experian).
- 17% of IT security professionals reported information security as the major budget increase for 2018 (ZDNet).
- 50% of large enterprises (with over 10,000 employees) are spending $1 million or more annually on security, with 43% spending $250,000 to $999,999, and just 7% spending under $250,000. (Cisco)
- Spending on Cloud Security is predicted to increase by 33% becoming a $585M market in 2020. (Forbes)
- Security Services is forecast to drive $64.2 billion in global revenue in 2020 comprising 51.9% of the total market. (Forbes)
- Data Security will grow by 7.2% becoming a $2.8 billion market in 2020. (Forbes)
In case you are currently evaluating options for integrating a SIEM product to achieve regulatory compliance, protect data, and improve your information security posture, you should consider LogSentinel. With LogSentinel Next-Gen SIEM, you get a strong set of compliance features as well as a great cybersecurity solution, so you can demonstrate compliance at reduced operational cost and minimal effort on audit, forensics, and fraud detection.
Denitsa Stefanova is a Senior IT Business Analyst with solid experience in Marketing and Data Analytics. She is involved in IT projects related to marketing and data analytics software improvements, as well as the development of effective methods for fraud and data breach prevention. Denitsa supports her IT-related experience by applying her skills to her everyday duties, including IT and quality auditing, detecting IT vulnerabilities, and GDPR-related gaps.