In 2018, over 2 million cyber incidents racked up a minimum of $45 billion in losses, according to a recently released report based on statistics gathered from organizations that track data breaches.
Jeff Wilbur, technical director of the Internet Society’s Online Trust Alliance (OTA) – which recently published its 2018 Cyber Incident & Breach Trends Report – says it’s hard to get a handle on the full extent of the cyber-incident landscape. “Everyone’s viewing it from their own lens,” he says.
The OTA published its first edition of this report 11 years ago. Initially, it focused only on data breaches, says Wilbur. But the ever-changing threat landscape made it logical to broaden the scope of the annual report, whose most recent edition appeared in July.
“A few years ago, we realized this underrepresented the number of cyber incidents,” Wilbur explains. “We started looking at adding business email compromise, ransomware, and DDoS attacks because those are orders of magnitude larger than breaches that get reported.”
“What’s interesting,” he adds, “is many of the techniques cybercriminals use to break into systems have largely remained the same: They use employee credentials, for example, or exploit a known vulnerability in an organization that hasn’t updated its software. The ways to get in have been relatively constant for a while.”
BEC remains the biggest threat
But some things have certainly changed. Devices hooked into the Internet of Things (IoT), for instance, have brought new ways of breaking into organizations to the forefront, as has the growing dependence of companies on third-party vendors. “The clever way to get into systems is through third parties that may be less secure,” says Wilbur. More and more, online bad guys are hacking into target organizations by using malware on or gaining unauthorized access into vendor systems.
Supply chain- and IoT-based attacks may be on the rise, but attacks via email and exploitation of vulnerabilities are still the attackers’ favored techniques for penetrating corporate networks. However, what cybercriminals do once they get there is shifting.
“The financial impact of ransomware rose by 60%, losses from business email compromise doubled, crypto-jacking incidents [the unauthorized use of others’ computing resources to conduct crypto-mining] more than tripled, and there continued to be a steady stream of high-profile data breaches,” the report authors write.
DDoS attacks are still running wild
Distributed Denial of Service (DDoS) attacks declined slightly in 2018, though they’re still causing a world of trouble in certain industries. The tricky part of DDoS attacks is figuring out how many attacks are successful, because no aggregated reporting exists and most organizations are shy about owning up to their vulnerability.
Many organizations use old-school deployment models without much automation, which require them to redirect IP traffic when an attack strikes. Successful attacks have hit industries ranging from banking (ABN AMRO) to education (Infinite Campus) to email services (ProtonMail) to software services (GitHub, the largest recorded DDoS attack to date).
Making matters worse, multi-vector attacks – which batter an organization from multiple angles at the same time – are now routine. Because they’re so easy to obtain on the Darknet, DDoS attacks are often employed to distract IT teams and keep them busy while the real attack target is hammered away at. Sometimes, it can take several months or even years for companies to realize what digital booty the bad guys were actually going after.
Dark figure remains high
The report says the apparent number of data breaches that exposed personal records actually shrank in 2018, with 5 billion records exposed. That’s a downturn of 35.9 percent from the previous year. But one must take this figure with a grain of salt, since most breaches go unreported.
“While it’s tempting to celebrate a decreasing number of breaches overall, the findings of our report are grim,” Wilbur notes. “So, while there may be fewer data breaches, the number of cyber incidents and their financial impact is far greater than we’ve seen in the past.”
While the financial blowback of this malicious activity is difficult to gauge, the best estimates tag the cost of ransomware at $8 billion and credential-stuffing at $5 billion. There are other estimates: the Ponemon Institute says the average cost of a data breach grew to hit $3.86 million, or around $9,000 per minute, in the case of a knocked-out data center.
The report also found that the overwhelming majority – 95 percent – of breaches could be prevented had companies heeded “simple and common-sense approaches to improving security,” such as training staff on data security and privacy and forging relationships with data-protection authorities.