Credit: Dreamstime
Looking for hard numbers to back up your sense of what's happening in the cyber security world? We dug into studies and surveys of the industry's landscape to get a sense of the lay of the land—both in terms of what's happening and how security leaders are reacting to it.
If you want data on what systems are most vulnerable, what malware is topping the charts, and how much people are getting paid to deal with it all, read on.
Nine key cyber security statistics at-a-glance
- 94 per cent of malware is delivered via email
- Phishing attacks account for more than 80 per cent of reported security incidents
- $17,700 is lost every minute due to phishing attacks
- 60 per cent of breaches involved vulnerabilities for which a patch was available but not applied
- 63 per cent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach
- Attacks on IoT devices tripled in the first half of 2019
- Fileless attacks grew by 256 per cent over the first half of 2019
- Data breaches cost enterprises an average of $3.92 million
- 40 per cent of IT leaders say cyber security jobs are the most difficult to fill
The year in vulnerabilities
Let's start by getting basic: no matter how many new and exotic vulnerabilities you'll hear about, in this article and others on cyber security, there's one that towers over all the rest.
In an examination of thousands of security incidents, Verizon found that almost all malware arrived on computers via email: this was true in 94 per cent of cases. In not unrelated news, the number one type of social engineering attack, accounting for more than 80 per cent of reported incidents, is phishing—the end goal of which is often to convince users to install malware.
So if you want to improve your security posture, you know where to start. And before you think of phishing as some kind of sinister Eastern European or Nigerian scam, know that 40 per cent of phishing command and control servers are in the US.
That doesn't mean other vulnerabilities aren't important, of course. The common vulnerabilities and exploits (CVE) database lists more than 11,000 exploitable vulnerabilities in commonly used systems and software—and as of mid-2019, 34 per cent had no patches available.
A great example of how the process of patching vulnerabilities plays out can be seen in CVE-2017-11882, a vulnerability in Microsoft's Equation Editor; malware delivered through this hole plummeted by more than 70 per cent in just a few months as IT departments patched or upgraded servers from Windows 7.
But the mere existence of patches isn't a cure-all: according to Security Boulevard, 60 per cent of breaches involved vulnerabilities for which a patch was available but not applied.
If we want to dig deeper into the world of vulnerabilities, we need to dig deeper into our computers, into the BIOS level that mediates between the bare metal and the OS. In a survey conducted by Dell, 63 per cent of companies said their data was potentially compromised within the last twelve months due to a hardware- or silicon-level security breach.
Perhaps it's unsurprising that the same survey found that only 28 per cent of companies were happy with their vendors' hardware security management.
One final bit of attack surface to contemplate is the increasingly omnipresent collection of IoT devices that we rely on for everything from manufacturing controls to playing music in our home.
Since the days of the Mirai botnet, security experts have been sounding the alarm on IoT, but it's getting worse very quickly: F-Secure estimates that attacks on IoT devices tripled in the first half of 2019.
Malware trends
Plenty of nasty malware was in the wild attempting to exploit these vulnerabilities. Kaspersky says that its web antivirus platform identified 24,610,126 "unique malicious objects" in 2019, a 14 per cent boost over 2018. All in all, according to Kaspersky, nearly 20 per cent of all internet users were the subject of some kind of malware attack.
But those attacks weren't necessarily distributed equally, and attackers are showing more savvy and going after potentially richer targets. For instance, according to Malware Bytes, malware attacks on consumers actually dropped two per cent, but businesses were in hackers' crosshairs, with threats against them spiking 13 per cent.
What specific types of malware attacks were en vogue over the past year? Malware Bytes noted a 224 per cent rise in infection of a category of malware it calls hack tools — basically, malicious programs that can probe through systems and networks and download further malicious payloads to take advantage of weaknesses.
A couple other types of malware had a notably prosperous 2019. Fileless malware—attack code that lives only in RAM and doesn't write files to disk—continued its rise. Trend Micro says that fileless attacks grew by 256 per cent over the first half of 2019.
Another threat that seemed to explode was the web skimmer, a type of code injected on the server or sometimes even the client side of online payment transactions by criminal gangs to harvest credit card numbers. Web skimming attacks shot up by 187 per cent.
Emotet, a banking trojan that has bedeviled the world for more than five years, kept rolling and evolving in 2019; today it mostly serves to run nets of spambots that spread other trojans, like TrickBot. According to Cofense, in just the last three months of 2019 Emotet used over 290,000 compromised email addresses to spread malware, including 33,000 unique attachments.
The cost of security failures
Legend has it that bank robber Willie Sutton said he robbed banks because "that's where the money is." And Verizon's breach report confirms that's the primary motivation behind cyber crime: 71 per cent of breaches reported were financially motivated. But clearly, cyber criminals' gains are losses for law-abiding citizens, and those losses add up.
Remember when we said up top that email and phishing are still the dominant way malware gets delivered? Well, the damage done is staggering. RiskIQ estimates that $17,700 is lost every minute due to phishing attacks. But that's just the start of the damage.
When it comes to data breaches, not everything is as costly to victims as, say, the EquiEquifax hackax hack, but they can still be pretty bad: IBM looked at breaches across more than 500 organisations and pegged the average financial hit to the affected enterprise, inclusive of everything from fines to lost worker hours, at $3.92 million.
Accenture put together its own study of the costs of various types of cyber attacks, with interesting results. Malware rates as the most expensive, with an attack costing victims up to $2.6 million.
Perhaps surprisingly, given its prominence in the news, ransomware came in close to the bottom of the list, with each attack costing "only" $646,000 on average. And that covers incidental costs like lost productivity, not just the ransom itself: ransom payments in such attacks are often surprisingly low.
Data Breach Today pegged the average payout for Q3 2019 at $41,000. Be aware that often the payout is zero, as organisations with good back-up strategies or determination not to give in will sometimes refuse to pay.
In fact, the percentage of victims who pay ransom varies widely by country: 77 per cent of Canadian victims do, in comparison to only three per cent of Americans; Germany and the UK fall between these two extremes.
Finally, keep in mind that improper security can cost you even if you're not hacked at all, as regulations increasingly make insecure or user-hostile data practices financially risky. For instance, last year Google had to pay a $57 million fine in France for non-compliance with GDPR.
Budgets and spending priorities
With those potential losses looming, enterprises are realising they have to spend money to protect themselves, and are planning their budgets accordingly. Respondents to CIO.com's 2020 State of the CIO study are definitely concerned: a full 34 per cent saw security and risk management as the number one driver of IT spending overall at their organisation.
IDG's Security Priorities study offers some insight into how specific decisions on spending are being made. Of the responding companies, 73 per cent see spending driven to align with industry best practices, an encouraging (if somewhat vague) response that demonstrates motivation to do the right thing.
On the other hand, 66 percent will be spending some of their budget to comply with laws and regulations, and while one could argue that this just represents government-mandated alignment with best practices, many enterprises don't see things this way: survey respondents said that compliance mandates were a "distraction" from executing strategic plans.
One of the biggest spending stories of 2019 was that companies are deciding they want outside help with their cyber security.
Managed security services, which can range from incident response assistance to complete infrastructure management, are being turned to more and more often: spending on these services hit $64.2 billion in 2019, more than double investment in infrastructure protection and network security equipment. Kennet Research estimates that this spending will grow at double digit rates over the next four years.
Kennet Research also has some dispiriting news about the state of security at small and medium businesses. In a 2019 survey of decision-makers at SMBs, 18 per cent list cyber security as their lowest priority. That attitude is driven by a certain amount of complacency: 66 per cent believe that a cyber attack is unlikely — even though 67 per cent of SMBs were actually hit by a cyber attack in 2019.
Cyber security careers by the numbers
If there's one message all of these numbers should be screaming out at cyber security pros, it's this: You are needed! The State of the CIO study revealed that 40 per cent of IT leaders say cyber security jobs are the most difficult to fill.
That's because, according to an ISC2 study, cyber security professionals have effectively a zero per cent unemployment rate. One potentially untapped source of new cybersec pros? Women: the cyber security workforce is currently only 20 per cent female.
With cyber security being both crucial and in high demand, it shouldn't come as a surprise that infosec is gaining institutional power within many companies. According to the State of the CIO study, 54 per cent of responding organisations had a security officer in the C-suite, with titles like chief security officer (CSO), chief information security officer (CISO), or the like.
And those jobs aren't necessarily just being siloed under IT: for each of those job titles, more than 40 per cent report directly to the CEO rather than to a CIO or other top IT exec. Another fun fact that shows how in-demand high-level cyber security pros are: 25 per cent of these execs had been approached by an outside organisation trying to woo them away from their current job.
All that adds up to cyber security being a lucrative job field for those who can hack it. As of early 2020, ZipRecruiter pegs the average US salary for an entry-level cyber security pro at $74,340 a year. That's almost twice the national average for all entry-level jobs.
And more specialised jobs command higher salaries: according to Mondo, application security engineers can earn annual salaries up to $180,000, while information security managers can net up to $215,000 a year. Unlike many of the scary numbers we've touched on in this article, those figures should be music to cyber security professionals' ears.
Join the newsletter!
Tags cyber
