Cyber-crime has increased 600% since the start of 20204, the cybersecurity threat has never been higher and the average cost of a data breach is larger than it has been for 17 years. The global pandemic meant that CISOs and their teams were stretched to capacity as they faced major challenges almost overnight. Businesses found it increasingly difficult to administer their planned security strategies across huge numbers of remote end-points.
COVID-19 accelerated the digital transformation of businesses globally resulting in extensive changes to the way we work and substantial changes to the working environment; consequently, the security infrastructure has become increasingly ineffective.
Following their data breach survey in 2021, the UK government reported that despite the increased risk, 84% of UK businesses report that COVID-19 made no change to their level of cybersecurity prioritisation. 1
An evolving threat landscape.
As the UK appears to show signs of emerging from the pandemic, businesses should consider what more they can do within the modern, hybrid, remote, cloud-based working environment, most now operate within.
Fewer than a quarter of UK businesses and charities have cybersecurity policies which incorporate their new home or hybrid working structure and just one fifth include the use of personal/BYO devices. Only 3 in 10 have a business continuity plan, which incorporates cybersecurity and a data breach event, leaving 77% without a cybersecurity incident response policy. 1
The 2021 cyber-crime statistics not only show an ever-increasing number of cyber-attacks attempts and data breaches, they highlight how sophisticated they have become. However, rather than causing alarm, keeping a close eye on these reports can be an effective tool and help CISOs shape their cybersecurity strategies; responding rapidly to the evolving threat landscape.
How many data breaches were there in the UK in 2021?
Almost 40% of UK businesses reported a cybersecurity breach between March 2020 and March 2021. Of those businesses that identified attacks, 1 in 5 lost money and a third reported other negative consequences, 1 such as a financial fine, business disruption, loss of revenue/custom, and damage to reputation or market position. All can continue for years after the breach event.
In 2020, the average time to identify a data breach was 207 days.5 According to Verizon’s Data Breach Investigation Report 2021, for organisations with more than 50% of their employees working remotely, it takes on average 58 days longer to identify and contain the threat.
How much does the average data breach cost?
According to Cybersecurity Ventures, at the current global growth rate of 15% year-on-year, cyber-crime will cost companies an estimated $10.5 trillion annually by the year 2025.
In 2021, the average global cost of a data breach to an organisation reached $4.24 million5.
With 350,000 new malware signatures detected every day6 and the average cost of ransomware remediation increasing from $761,106 in 2020 to $1.85 million in 20218, it is unsurprising that these forms of attack make the headlines. Cybersecurity Ventures estimate that ransomware costs will reach $265 billion annually by 2031 – predicting that a new attack will occur every 2 seconds.
However, 95% of breaches result from human error. Despite phishing awareness training, 20% of employees will still open a suspicious email, stressing the importance of investing in your team as much as your tech.2 The cost of regular training, test phishing, penetration testing and enforcing cybersecurity best practice is small compared to the cost of a breach.
The rapid shift to remote operations has seen data breach costs rise – the total for the average breach event increased by $1.07 million as a direct result of homeworking.2 The decreased security of home Wi-Fi networks and a larger attack surface provided by the cloud, IaaS, laptops, tablets and smartphones, have played into the cyber-criminals hands.
The inherently vulnerable Internet of Things (IoT) is poorly protected. At the start of 2022, Embroker reported, IoT attacks are expected to double by 2025. By then, there will be 75 billion IoT devices, globally.2 Three times that of 2019. Currently, only 3% of corporations protect employees’ mobile devices from the increasing threat of mobile malware – third-party app stores being responsible for 99% of infections.6
Whilst 43% of larger organisations now hold cybersecurity insurance for damage limitation, this cannot compensate for the loss of trust, custom, reputation or the sheer upheaval a data breach causes. The financial costs can be far-reaching and continue for several years after the event. In 2021, Titanfile reported that following a breach, an organisation’s share price falls by 7.27%, on average.
Which sectors are targeted by cyber-criminals?
As you would expect, financial institutions are the most targeted. In 2020, Morgan Stanley was subject to multiple individual lawsuits and a $60 million fine from the U.S Treasury after discarding devices without data destruction – the redundant IT equipment containing unencrypted financial and personal information.
The criminals are acutely aware of the critical role the healthcare industry plays in society – the second most targeted sector. Tight budgets often mean a reliance on legacy systems and inadequate disposal of end of life IT assets. Highlighting the importance of IT asset disposal, it is one of the biggest challenges in data governance with more than 93% of healthcare organisations having experienced a data breach in the last couple of years. The way organisations destroy, reuse or recycle their redundant IT assets, often means the difference between secure data or a devastating costly breach. Professional data erasure via a professional IT asset disposition services is essential when it comes to data security, providing an ITAD chain of custody to ensure compliance with data protection laws, including the EU & UK GDPR data destruction requirements. Public sector organisations also saw a significant rise in data breaches of over 78% between 2020 – 2021,5 and Forbes Magazine reported a 42% increase in U.S supply chain attacks in the first quarter of 2021.
Has remote working increased cybersecurity risk?
Enabling businesses over the last 2 years, the technology that facilitated collaborative working means that valuable files are constantly shared, transferred, copied, synced and emailed with far less visibility. According to Security Magazine, 75% of organisations do not have consistent, centralised visibility into their file movements across all environments,3. A third of UK businesses are not using any security monitoring tools leaving them simply unaware of the level of risk.1
In the past three years, potential data loss is more likely to occur through an end-point. In 2020, this was 4.5 times more likely than a direct server attack. Hackers are not always responsible for a data breach – a third are caused by an insider. Nevertheless, every day, trusted insiders create 13 data exposure events by moving and sharing corporate files.3 Add to this that only 5% of organisations protect their files appropriately;6 heightening the potential risks. According to a 2021 study, commissioned by Code 42, data breaches from insiders can cost as much as 20% of a corporation’s annual revenue3.
The advantages of two-factor authentication and the use of VPNs has improved the direct security of borderless offices, however, employing a Zero Trust model reduces the average data breach cost by $1.76 million.2 This approach assumes no traditional network edge, once defined by the office perimeter. Networks can be local, cloud-based or a combination with a raft of hybrid resources and a variety of users. This security framework authenticates, authorises and continually monitors all users, whether inside or outside the organisation – as such a zero trust model addresses today’s modern business structure.
The risk and financial costs of a data breach are both at their highest ever level but cybersecurity policies have not changed to reflect the changing digital environment, post-pandemic. Revised data security policies that encompass today’s collaborative methods of working, remote working, the IoT and BYODs are vital for the new digital infrastructure. An IT asset disposition policy will ensure secure, environmentally friendly ITAD and responsible disposal and the avoidance of any data security issues in the future.
The zero-trust approach and end-point detection software are an effective first line of defence, whilst initiatives such as awareness training, penetration testing and vulnerability assessments will provide effective ongoing cybersecurity management. However, more must be done to implement effective strategies, build resilience and crucially, protect company data after COVID-19 created an unprecedented level of change within our business environment.
1 gov.uk, 2 CyberTalk, 3 Security Magazine, 4 PurpleSec, 5 IBM, 6 TitanFile, 7 Tech Republic, 8 Enisa – EU agency for Cybersecurity’s Threat Landscape Report 2021, 9 CrowdStrike.
tier1 are a trusted ITAD partner offering a comprehensive data erasure, IT asset disposal services and data centre decommissioning.
Our business support and lifecycle management services help you mitigate the ever-evolving cybersecurity threats, supporting stretched IT teams with updates, upgrades, software installation and even hardware delivery/collection to remote teams.
Find out how we can support your organisation – contact us on 0161 777 1000 or visit tier1.com
Resources.
gov.uk, Cybertalk, Security Magazine, IBM, TitanFile, Cybint Solutions, Forbes, Kratikal, Tech Republic, the ICO, Insights, Verizon, Embroker, Transpere, CrowdStrike,
