Nearly every business in operation needs to be online in some capacity to reach clients or customers. Alongside the rise of the internet, there has been the constant threat of cybercrime, scams, hackers, etc. While that is not a reason to hold back on expanding into online spaces in nearly any industry, it is a factor that needs to be accounted for and addressed.
There is also the matter of trying to stay ahead of the curve in terms of cybersecurity. Cybercriminal activity is a big business, and so is cybersecurity. As we will see, billions of dollars are active on both sides, and that number will only grow. While, of course, you do not need to spend billions of dollars yourself, you do need to stay abreast of the situation and prepare countermeasures to potential threats.
Here is what you need to know in 2021 and the information you need to prepare yourself and your business:
Some Simple Facts About Hacking and Cybercriminals
Starting out, we think it would be best to clear up some potential misconceptions about how hackers operate, what they do, and how they are organized. It might not be what you think, and it certainly is not how most movies portray them (whether in a positive or negative light).
Hackers will generally not spend days at their computer trying to break through the heaviest encryption layers. They might do so for sport, but if they are trying to make money (and the vast majority of the serious ones are), they will look for the path of least resistance. They're likely to be passive in their efforts, either out of laziness or the desire to work on other projects at the same time.
Additionally, while the idea of the lone wolf hacker has persisted across modern media, in truth, most cybercriminals work in organized collectives or as part of a criminal organization. These types of crime rings perpetrate 80 percent of cybercrime. In some cases, a hacker cluster might not appear all that different from a regular IT office, with people coming and going in shifts and working at their desks.
- Cyberattacks are constantly happening. While the data might vary based on the study, it is estimated that an attack occurs every 39 seconds. Not all of them need to be successful to cause an impact on the market.
- About 43 percent of cyberattacks target small businesses. Even though that is less than half of all cyberattacks, it is still far more than most people can imagine, and you need to make sure your business is prepared for a constant onslaught of attempts.
- Total cybersecurity spending in 2021 is projected to reach about $43.1 billion. While the exact numbers are still waiting to come in, there is a clear trend upwards.
- In what can only be a great cause for concern, the total cost of cybercrime worldwide is expected to reach 6 trillion dollars in 2021. This might seem like a massive number, and it is, to the degree that it is larger than the GDP of any individual country except the United States and China. This shows how much businesses have to lose.
- In total, there are about 4 million people employed in the cybersecurity sector in one form or another, and it is generally considered there is still a shortage in the field. One of the current problems is that experts are in high demand. As such, many businesses feel that they have to go without, ignoring cybersecurity in general or not taking it seriously enough as a result.
- Specifically, according to the CyberEdge 2020 CDR Report, 85 percent of businesses do not feel they have enough skilled IT personnel. This is up from 84 percent in 2019 and 81 percent in 2018.
- According to the 2020 Data Breach Investigations Report, about 28 percent of data breaches had a small business as their victim. While the number is down from over 40 percent last year, it is still alarming, and small businesses need to assume they will be targeted.
- The number of targets, both at small businesses and outside of them, is increasing. The number of connected IoT devices will reach 75 billion within the next few years. As of 2020, there should be about 31 billion devices on the IoT. While not all of them hold valuable data, they all need to be considered in the context of cybersecurity.
All of this is just the tip of the iceberg. Depending on your research, there are many other statistics to consider.
How Valuable Is Your Data?
While most hackers would be happy to drain your or your business' bank account directly if they had the chance, that is not the easy and worthwhile route for most of them. Instead, most of them are more interested in your business' information or that of your employees or customers. In some cases, they might be interested in trade secrets or sensitive financial information that should not be released to the public.
We can consider how much organizations are willing to pay for data held captive by ransomware, which effectively locks access until the ransom is paid or other measures are taken. This can be automated or via a more personalized method. That amount is rising, according to information from Cover.
Additionally, the number of businesses that pay up when a ransomware attack hits is increasing.
- According to CyberEdge, 57.5 percent of companies paid the ransom in 2020. This is up from 45.1 percent in 2019 and 38.7 percent in 2018.
- However, it is not recommended to pay, as tempting as it might be out of fear. Out of those who paid the ransom in 2020, only 66.9 percent of organizations recovered their data. Conversely, 84.5 percent of businesses that did not pay the ransom eventually recovered their data.
People are most interested in identity theft, according to PurpleSec. Consider the breakdown of breach incident reasons or types:
- While people might think that their small business doesn't need to be concerned with identity theft, that could not be further from the truth. Your business has employee records, your records, and sometimes customer records, and often enough information to perform identity theft on someone, especially if other information is known about the victim.
- If your business has not taught you this already, data is a commodity to be sold and traded, although your business might not do so itself. The average value of someone's personal information will vary from a few cents to thousands of dollars. For organizations, that number could be much, much higher if they know how to use it. Legal or illegal, how valuable would exact data on your competitors be to your business? Entities are willing to pay for such information.
- Data is not the only valuable thing lost in a data breach. According to a Cisco report, employees had to deal with quite a bit of downtime as well. The exact amount differs depending on the size of the business and other factors. Assuming anywhere from 5-16 hours of downtime (the numbers vary significantly from incident to incident), you can do the math of how much that will cost your business alone.
- You have likely heard the term metadata before, and it refers to the larger trends of data and information, usually on customers and business practices. Now it is unlikely that cybercriminals will attack your business just to grab metadata (unless your business revolves around research, etc.). Still, it will be available to hackers in some situations, will be mined in some cases, and it will be sold if possible. While we do not have exact numbers for metadata's price, note that many businesses generate most of their income by collecting, processing, and selling it.
Social Engineering and the Human Factor
While you might think of hackers and scammers as people who are cracking codes and breaking algorithms, pitting themselves against programs and computers, the truth of the matter is much more complicated. Social engineering is the use of methods that manipulate people to get information. Some might use impersonation techniques, and others will play a confidence game. In all cases, the damage can be significant, and the counter is smart decision-making and policy rather than better firewalls.
Here are a few things to know about this phenomenon:
- According to most studies, human error is the cause of 90 percent of data breaches, or at least the vast majority of them. This is because most hackers recognize that attacking your IT infrastructure itself would be costly in terms of time, especially when there is likely a more straightforward method via social engineering. Would you try to pick a lock if you know there is a key somewhere around the entrance?
- According to a 2019 report, about 70 percent of SMBs stated that employees' passwords were lost or stolen in the last year. This is a major oversight and alarming to anyone paying attention. This also means you need an extra layer of security in place other than just passwords. Mandating two-factor authentication when possible certainly helps, and the situation might call for other methods.
- Additionally, the same report also states that 70 percent of businesses are concerned about passwords getting compromised in some manner.
- About 54 percent of small to medium businesses had no knowledge of their employees' practices regarding passwords.
- While the exact numbers differ from study to study, it is clear that phishing is the most common tactic and most commonly successful tactic that hackers use. It's the bread and butter of social engineering. Business owners will need to address this threat and make sure it is addressed for every single employee.
- Despite this commonality, only three percent of targeted employees will report an attempted phishing attack up the chain, perhaps because they are simply so common.
The Consequences of a Data Breach
Data breaches are far more costly than nearly any amount of cybersecurity preparation and training you could invest in. They can outright ruin companies and tank their reputation for years. For smaller businesses, they can be a death sentence.
Here are some facts on the importance of protecting any data under your ownership or stewardship:
- According to IBM Security, the average cost of a data breach was almost $3.9 million in 2020, which would heavily impact large businesses and wipe out smaller ones. While costs vary based on the amount of data stolen, the type of data (health data is likely more valuable than just a name and email address), how long ago the breach occurred, and other factors, it is never an acceptable scenario.
- The industry the breach occurs in can affect the average cost significantly. A breach in the health care sector costs on average $7.13 million, for example. Industries that do not collect as much personal information might have a lower cost. More on all this soon.
- While one might think that a data breach happens and is over, that is not the case. In many cases, if hackers have a way in, they will keep that door open as long as possible, taking more information regularly. Until a breach is discovered and addressed, it is ongoing.
- The total cost of security breaches is projected to reach $6 trillion in 2021. This number is expected to increase to $10.5 trillion annually by 2025. While you cannot prevent all breaches, if companies invested just a bit of that money into better cybersecurity measures, the results would certainly prove helpful for them.
- In addition to the monetary costs related to lost records and attempting to clean up the mess, there are also the costs associated with public relations and consumer trust, which is extremely hard to win back after a data breach. The exact monetary costs can be hard to determine, but looking at the headlines and viewing public reaction after a breach is enough to get the picture. You do not want your business in that hot seat.
A Few Industry Statistics
Some industries have it a lot rougher than others when it comes to being targeted by cyberattacks and the consequences of a breach. Your business might not fall into any of these categories, and if it does, we hope you are on the ball already, but you might wish to learn more about other businesses you work with or what might affect targeting and impact. Here are a few categories and examples of this:
Given the sensitivity of health records, the fact that nearly everyone has them, and the importance of HIPAA compliance, health care cybersecurity is some of the most critical work in the field. Here are a few things you should know:
- As you might expect, health records are especially valuable given all the information they cover. In September of 2020, 9.7 health care records were compromised. While the same records may get compromised several times over, that is a sizable amount of the population.
- Overall, the total cost of cyberattacks on the health care industry was $25 billion just from ransomware attacks.
- Health Care businesses and organizations are constantly targeted. According to the Herjavec Group 2020 Healthcare Cybersecurity Report, 93 percent of health care businesses experienced a data breach in the last three years.
It makes complete sense that hackers and cybercriminals would want to target banks, investment firms, etc. There is a lot of money to be made if there is a big hit, and the reputational consequences to a bank are immense. Who would want to work with an insecure bank, even if the money was insured?
- According to the Varonis 2021 Data Risk Report for financial services, every employee in a financial services firm has access to about 11 million files on average. That can be a considerable risk, if not to external threats then to internal ones.
- From the same report, data breaches take an average of 233 days to detect and contain, an alarmingly long time if you are a customer. Regular checks for breaches might be wise for businesses in this industry.
- Financial services was one of the best industries in terms of detection time, though the work from home trend in 2020 has likely increased the time.
- Depending on the business's size, 8 to 19 percent of sensitive files are open to everyone in the company, with the percentage increasing as the business gets smaller.
Some of the most critical cybersecurity work is done in government, given the records involved and, in some cases, the national security implications. Every government wants to have a leg up here, but some governments are more effective than others. Here are a few stats about the current scenario:
- State and local governments are not immune. Given that many local government websites are not up to date either in their functionality or cybersecurity, they make for easy attacks from hackers. Attacks on state and local government entities are up 50 percent. This costs taxpayers millions each year, if not more.
- According to Purplesec, 1.2 billion records of the U.S. government were breached in 2018. That is about three for every person in the country.
- In 2021, the budget for cybersecurity spending is estimated to be at $18.78 billion. This is about the same as last year's spending, and is up from previous years, as shown below:
Businesses or even industries do not exist in a vacuum. Now for a few points of comparison between industries:
- While government bodies might have it a bit better than other major industries, there is an obvious problem across the business world here.
- According to the same report, only 9.7 percent of businesses with 10,000-24,999 employees were not attacked successfully. If even the most prominent businesses cannot defend themselves, what does that say about your small business's need to work harder in this regard?
Things You Can Do This Week
Now that you know about the magnitude of the problem and some of the major threats out there, you should also learn a bit more about some of the things small businesses can do to protect themselves. While we do not wish to focus entirely on cybersecurity measures you should take here, as there are more extensive guides and resources that you should utilize (as well as those that are more focused), starting with the following can help:
- Create a normalized and uniform cybersecurity plan or cybersecurity protocol that is accessible to all and sent out to everyone that works for your business. Cybercriminals will take advantage of confusion in your business, perhaps stating there are new policies or a mix-up in the rules. This type of plan with clear policies that will not easily change can reduce phishing attacks and other social engineering schemes.
- Ensure all of your employees know the best practices regarding cybersecurity and are securing their work devices (and their personal devices, if they use them for work). Furthermore, you may wish to limit access to passwords, information, etc., to only those who need to know. Fewer people knowing means fewer potential points of loss, and should a breach occur, you can track down the access point more efficiently and address it specifically.
- It is, however, wise not to let these concerns make your business so closed off it cannot run properly. There is an effective balance, and it will be different for each company.
- Have a plan in the event of a cybersecurity breach. No matter how many preparations you might make, you might find a lapse in judgment or an exploit that was not covered. While all these best practices can minimize the chance of a breach happening at your business, there is always the possibility of something new coming out that no business could reasonably prepare for. Being able to control what happens after the fact can minimize damage and prevent wrong decisions from being made.
- You can keep on top of all the news regarding cybersecurity and potential scams. While you also need to keep on top of your business and leave the finer details and specific measures to your IT team, you should know what is going on in the space and if there is a significant vulnerability in a program you are using. It would be extraordinarily embarrassing to put your own company at risk because you fell for a basic social engineering scheme or did not read the cybersecurity memo.
- As much as you might not like to think about it, you also have to consider internal risks. Try only to let people who need access to information have it and perform background checks on new employees. A history of issues means that the pattern is likely to continue. Finally, if you notice suspicious behavior, investigate it before it is too late. A disgruntled employee can do far more damage far more quickly than a hacker halfway around the world.
- You also need to think about what happens if there is a data breach involving your business. If customer data is lost in any way, even basic data such as email addresses, you need to let your customers know as soon as possible. Trying to cover up any mistakes or mishaps is a massive gamble and not ethically advisable. If discovered, it will only compound the damage to your company's reputation, if not put your business at risk of legal action.
There is more to do than the above, but that should be left to different articles and consulting with professionals. You can defend your business against cyberattacks, and you can create an effective cybersecurity plan. While it may seem like a lot of work all at once, preparation is a long-term process. Much of it should be taken care of by your IT professionals, as long as you provide the right leadership and resources in the department. Even if you are a small business of just a few people, you can still apply the above principles.
Whether you know it already or not, there are so many reasons that investing in cybersecurity is a wise choice. There is so much to learn about this topic. Whether you are a quickly growing business, a generational family business, a micro-business just getting off the ground, or something else entirely, we hope you take all the above facts and recommendations into consideration. Please keep these statistics in mind as you determine your plans going forward.