These 7 cybersecurity stats will keep you up at night
With 82% of data breaches caused by social engineering or human error, staff training is imperative.
In a world where so many businesses are reliant on technology to power operations, those businesses are also at risk of that technology becoming prey to hackers and cyber thieves. Not a day goes by without another mainstream headline about the latest security breach.
Google “cybersecurity breach” and you’ll see about 31,100,000 results. Tap the “News” link at the top of your search results and you’ll see the latest news about the many cybersecurity breaches around the world.
It’s scary stuff, and so are the statistics related to cybersecurity. Here are seven of the more disturbing ones.
- 82% of data breaches are caused by social engineering or human error
That’s right. According to the 2022 Verizon Data Breach Investigations Report, when it comes to security breaches, people — your people — are the problem. Despite knowing how 82% of breaches fall outside of technical interventions, less than 3% of security budgets are directed at the human layer of security. In addition, 47% is spent on network security; 22% on endpoint security; 14% on web and 14% on identity.
- By 2031, ransomware is predicted to attack businesses or devices every two seconds
Ransomware attacks represent the use of malware to attack and lock up (encrypt) an organization’s computer data. The hackers involved then demand a ransom to unlock the data or systems. In 2021, the average ransom payment was $812,000 according to CybersecurityDIVE. According to ZDNet, 83% of companies impacted end up paying the ransom.
- Percentage increases in scams range into the 1000s
Researchers at Baltimore-based ZeroFOX compared their own data to data from the FTC to calculate the increase in scamming incidents. What they found is startling. These increases range from 226% for consumer goods scams to 1,579% in retail scams. Scammers don’t take time off. As soon as you plug one potential security risk hole, they find another.
- Between 20-40% of your employees don’t know what confidential company information is
Your employees can’t protect your confidential information if they don’t know what it is. Don’t assume that they know, even if you believe it should be obvious. Be explicit about what confidential company information is, why it’s confidential, and the costs to the company if that information is unprotected and compromised by bad actors.
- 79% of organizations are concerned about security risks related to remote workers
When employees are out of sight, so is their access to your systems and data. It’s tough enough to tackle the human factors related to security incidents when employees are on-site. It’s proving to be even tougher now that so many employees are working remotely some or all of the time.
6) Having a strong security culture matters
Organizations with a “good” security culture or profile are defined as those that have one out of 1000 employees likely to be tricked into sharing credentials or other sensitive data. Organizations with a “poor” security culture, on the other hand, are at risk of having one out of 20 doing so.
7) 72% of security leaders are overconfident that they have a good security culture
We commissioned a study to evaluate security cultures across global enterprises. This was done through an online survey that generated 1,161 respondents from people with managerial duties or higher in security or risk management. The research discovered that while 92% of those surveyed said they had embedded security culture in their organizations, 72% experienced a security incident in the past 12 months.
For years, organizations have turned to technology controls to help protect their systems and data. There is an emerging realization, though, that what it really takes is addressing the human defense layer of protection against data breaches and security risks. Many organizations are lulled into a false sense of security due most likely to having too much optimism bias — the deception that bad things only happen to others.
Attitudes about security can be influenced by explaining the why behind your organization’s efforts to establish a strong security culture. Why is it important for the company? Why is it also important for employees? Explaining and then demonstrating — over time, not just once — the appropriate behaviors to protect your systems and data is critical to minimizing the impact of cybersecurity risks.
Perry Carpenter is author of, “The Security Culture Playbook: An Executive Guide to Reducing Risk and Developing Your Human Defense Layer,” his second book on the subject. He is chief evangelist and security officer for KnowBe4, a security awareness training and simulated phishing platform.
Related: