Keeping on top of the most important trends in cybersecurity can be challenging sometimes—not because of a lack of data, but because of the sheer quantity of it. Analysts, vendors, research outfits, and others produce voluminous amounts of data on breaches, malware trends, emerging threats, spending habits, security budgets, compliance efforts, and myriad other topics.
The data can alert you to things you should be looking out for, how your controls and processes stack up against those of peers, where criminals are focusing their efforts, whether you are spending enough, and how your compliance efforts measure up against others. But how do you separate the data that matters from the data that just adds to the noise?
To help you focus on what matters, SCS went through numerous research reports, vendor analyses, and whitepapers and zeroed in on information that either adds fresh insights or updates you on statistics you may already know.
Get up to speed fast with the stats that matter most to information security pros.
Data breaches by the numbers
1,579: Total number of publicly disclosed data breaches in 2018
If it seemed as if more organizations disclosed data breaches last year than ever before, it was only because they did. At 1,579, the number of breaches in 2018 was 44.7% higher than the 1,091 disclosed in 2017. Business organizations—such as those in the retail, hospitality, trade, and utilities sectors—accounted for 55% of breaches, followed by the medical and healthcare industry, with 23.7%.
1,946,181,599: Total number of records containing personal and other sensitive data that were compromised between Jan. 1, 2018, and Nov. 20, 2018
As staggeringly large as that number might appear, it is actually smaller than the more than 4.8 billion records exposed in data breaches in 2018. Two breaches that Yahoo disclosed in 2018 accounted for some 1.5 billion of the records exposed last year, while one disclosed by Myspace accounted for another 360 million records.
75%: Proportion of data breaches caused by external attackers
Contrary to some perceptions, external actors continue to pose a far bigger threat to organizations than do internal ones. Among the external actors, organized cyber-crime groups accounted for more than half (51%) of breaches, while 18% of attacks involved state-affiliated groups. Careless, negligent, and malicious insiders with legitimate access to systems and data caused 25% of breaches.
71%: Percent of India enterprises in a survey of 1,200 companies that reported suffering at least one data breach
More than 7 in 10 of all organizations in India were affected by a data breach in some way over the past few years. Some 46% of Indian organizations experienced a breach incident in the past year, a substantial increase from the 24% that reported one in 2017 and the 20% that said they had suffered a breach in 2018. Worldwide, the numbers are slightly lower, with 67% of the respondents reporting at least one breach.
$3.62 million: Average cost of a data breach in 2018
While breaches became larger, the average cost of a data breach declined 10% in 2018, to $3.62 million. The average cost associated with lost and stolen records containing sensitive information also declined substantially, to $141 from $158 per record in 2016. At the same time, the number of compromised records per breach increased to 24,000.
Detection and incident response
77%: Proportion of respondents in a survey of 2,800 IT professionals who said their organizations do not have a formal cybersecurity incident response plan
Despite heightened concerns over data breaches, more than three-quarters of organizations do not have a formal process for responding to one. Twenty-six percent have only an ad-hoc or informal process, and 27% do not apply their incident response plan consistently across the enterprise.
191 days: The average length of time it takes for organizations to identify a data breach
A more than six-month gap between when a breach happens and when it is first identified might seem awfully slow. But 191 days is actually an improvement on the average of 201 days it took organizations to detect a breach in 2018.
66 days: The average time needed to fully contain a data breach in 2018
The number of days it took for organizations to contain a breach in 2018 ranged from 10 to 164 days, with an average of 66 days. Breaches caused by malicious and criminal attacks generally took longer to contain (77 days) and longer to identify (214 days) than breaches caused by human error (64 and 168 days, respectively).
Topics for top brass
45%: Percent of respondents in a survey of 9,500 executives from 122 countries who said their corporate board participates actively in setting security budgets
For all the talk about security needing to become a board-level issue, many boards still appear to be relatively uninvolved in their organization’s security strategy. Only 39% actively participate in setting security policies, just 36% are involved in the technology selection process, and less than one-third (31%) actively review current security and privacy risks.
87%: Percentage of enterprises that say they require up to 50% more budget for cybersecurity
Organizations are spending more than ever on security. Yet 7 in 10 say they want at least 25% more spending, and 17% want up to a 50% increase. However, only 12% believe they will actually receive a security budget increase of over 25%. The rest clearly will just have to make do with whatever increases they get.
76%: Percent of organizations that would likely increase the resources available for cybersecurity following a breach that causes significant damage
More than three-quarters of organizations said that a significant data breach would be a catalyst for increased spending. But many of those same organizations would be unlikely to increase spending in the event of a breach that causes no harm. Sixty-four percent of organizations say an attack that did not cause harm would not trigger budget increases.
29%: Proportion of respondents in a survey of 9,500 executives from 75 industries in 122 countries who said CISOs bear the responsibility for IoT security
Organizations often deploy IoT devices with little thought about the security implications. Only 34% of the survey respondents, for instance, even plan to assess the potential risks to business security from connecting more devices to the Internet. Yet nearly 3 in 10 feel the security organization should be responsible for securing the IoT environment.
77%: Percent of attacks on endpoint devices in 2018 that involved the use of fileless malware and exploits
Malware running in memory is a lot harder to detect and stop than malware installed on systems, which is why threat actors have increasingly begun using fileless malware in attacks. Fifty-four percent of the respondents to a survey of 665 IT professionals said their organizations suffered one or more attacks that compromised data and/or infrastructure. Of those attacks, 77% involved fileless malware and exploits.
56%: Percentage of organizations in a survey of 1,300 IT decision makers who identified targeted phishing attacks as their biggest current cybersecurity threat
Of all the threats that organizations face these days, phishing attacks continue to be the biggest for many, with 56% identifying it as their top concern. Other threats keeping security managers awake at night include insider threats (51%), ransomware/malware (48%), and unsecured privileged accounts (42%). Forty-two percent of respondents identified threats to data in the cloud as another big issue.
26.2%: Percent of those targeted by ransomware in 2018 who were business users
The purveyors of ransomware last year turned their focus to businesses in a big way. The WannaCry attacks last May, the NotPetya outbreak in June, and the BadRabbit attacks of October were the biggest ransomware exploits targeted at businesses, but there were several others as well. That made 2018 the year of ransomware for enterprises.
87%: Percent of remote code execution attacks late last year that involved crypto-mining malware
The hijacking of computers for crypto-mining purposes is quickly becoming a major problem for enterprises in much the same way that ransomware became a major threat a couple of years ago. Nearly 90% of all remote code execution attacks last December involved attempts to surreptitiously download crypto-miners.
Cybersecurity budgets and spending
86%: Percent of Indian organizations that plan to increase cybersecurity spending this year
Nearly 9 in 10 companies plan to increase cybersecurity spending this year, up 10% from the 76% that said the same thing in 2018. Worldwide numbers are slightly smaller, with 78% reporting plans to increase spending on cybersecurity, compared to 73% last year.
$96.3 billion: The total organizations worldwide plan to spend on cybersecurity in 2018
Data breach concerns and fears of threats such as WannaCry and NotPetya will drive cybersecurity spending to yet another high this year. The $96.3 billion that organizations will spend on security products and services this year represents an increase of 8% over 2018 and a more than 17% jump over the $82.2 billion that organizations worldwide spent in 2018.
$75.2 billion: Amount that organizations worldwide will spend on infrastructure protection and security services in 2018
Gartner expects IT outsourcing, security testing, and security information and event management to be the fastest-growing segments within the infrastructure protection and services categories this year. The Identity and Access Management segment will see some $4.7 billion in spending this year, and the network security segment will account for $11.7 billion of overall spend.
Compliance and government
74%: Percentage of Indian respondents in a survey of 1,200 organizations that feel adherence to compliance requirements is either “very” effective or “extremely” effective
Notwithstanding the compliance-versus-security debate, nearly three-quarters of organizations in India think that complying with regulatory and industry mandates such as PCI DSS is a great way to improve security. In contrast, a somewhat smaller 64% of organizations worldwide have a similarly positive view of compliance.
88%: Percent of 300 CIOs, CPOs, general counsels, and other senior staff at Indian companies who reported spending more than $1 million on GDPR compliance
Organizations rushing to meet the deadline for complying with the EU’s General Data Protection Regulation are spending more on ramping up their privacy and security programs. Of the companies that have completed their preparations, 88% said they spent at least $1 million, and 10% said they spent north of $10 million. Among companies still finishing up, 60% expect to spend at least $1 million on GDPR compliance, and 12% will spend more than $10 million.
$15 billion: Proposed budget for cybersecurity in the FY 2019 budget
The proposed amount is a $583.4 million increase over the FY2018 estimate. As usual, more than half of the amount is for the Indian Department of Defense, which last year received $8.5 billion in cybersecurity funding.
52%: Percent of respondents in a survey of 200 civilian and Defense Department IT decision makers who view cybersecurity regulations and mandates as hindering risk management
More than half of IT decision makers in federal agencies view mandates such as NIST’s Risk Management Framework as complicating their cybersecurity efforts rather than helping them. On the plus side, 55% said that NIST’s Cybersecurity Framework has helped to at least promote a risk management dialog at their organizations.
54%: Percent of IT decision makers at federal agencies who view careless and untrained employees and contractors as posing the biggest security risk
Contrary to perception, careless and negligent insiders often pose a bigger threat to cybersecurity than malicious ones. Concerns over the issue appear to be growing, considering that only 48% cited careless insiders as a security risk in 2018 compared to the 54% who said the same thing in 2018.
Mobile, IoT, and industrial control systems
100%: The percent of organizations from a sample of 850 organizations with at least 500 mobile devices that experienced a mobile attack in 2018
Every organization permitting the use of mobile devices for work experienced some form of an attack, but they didn’t always know it. In fact, organizations were attacked 54 times on average. Not all attacks resulted in breaches.
54%: Percent of respondents in a survey of 359 cybersecurity practitioners who reported at least one security incident involving an industrial control system in the past 12 months
Concerns over catastrophic security failures at organizations with critical industrial control systems appear to be outweighing the number of actual incidents. Even so, more than half have experienced security incidents involving malware, third parties, and other sources.
55%: Percent of industrial organizations that allow third parties such as suppliers, partners, and service providers to access their industrial control network
Despite heightened concerns over third-party risks, more than half of industrial organizations permitted outsiders to access critical systems remotely. Unsurprisingly, organizations allowing third-party access also are 63% more likely to experience a cybersecurity breach versus those that do not permit such access.
40%: Proportion of business leaders in a survey of 9,500 IT professionals who are concerned about a cyberattack on IoT networks and other emerging technologies causing operational disruptions
Despite the potential benefits of automation and robotic systems, many organizational leaders worry about the vulnerability of emerging technologies to cyber threats. In addition to operational outages, data theft is a worry for 39%, and 32% fear that product quality could be affected by a successful cyberattack on emerging technologies.
61%: Percent of organizations that have deployed some level of IoT technologies and have had to deal with a security incident related to IoT in the past year
Most security incidents involving IoT networks have resulted from actual attacks, such as malware infiltration (24%) and phishing/social engineering attacks (18%). Over 1 in 10 (11%) IoT security incidents involved device misconfiguration issues, 9% involved privilege escalation, and 6% resulted in credential theft.