Research from various sources show that in 2022, the annual rate of data breaches is rising yet again, but only about half of surveyed organizations feel that they are prepared to handle cyber incidents according to multiple reports. This information was compiled from several different institutions and varying ranges of audiences, yet many of the results paralleled each other or even repeated across subjects. Based on current rates, it seems likely that cyber attacks will increase again from 2021; however, some trends do indicate scattered improvements beginning to take hold over recent years.
Cybersecurity Research Cited
For this article, three primary sources were reviewed to aggregate the data featured:
- Identity Theft Resource Center First Quarter 2022 Data Breach Analysis
An aggregated report that collected and reviewed data from publicly reported breaches across the US by the Identity Theft Resource Center (ITRC), a nonprofit that aids identity theft victims.
- 2022 Thales Data Threat Report
An international study conducted by 451 Research for Thales Group that focused on interviews with IT decision-makers around the globe about ransomware preparedness.
- National Cyberattack Prevention Survey by Provident Bank
A survey of cybersecurity preparedness among owners and executives from businesses between $1-$40 million in revenue size, carried out by New Jersey-based Provident Bank.
Cyber Breaches Grow Year Over Year
The research shows that the rate of sustained data breaches (and compromises) continues to grow Year over Year (YoY), with spikes from 2016 to 2017 and 2020 to 2021. The first quarter of 2022 already outpaced similar periods in previous years, and if past trends repeat through the rest of the year, then the US will see another unprecedented rate of cyber attacks.
Shrinking Number of Victims
One piece of potential good news from these reports is that the number of victims attributed to publicly reported breaches has gone down YoY since 2019, decreasing up to 50% from 2021 to 2022. However, there could be reasons other than better cyber hygiene behind this trend, such as the consolidation of targets among sophisticated hackers as well as the lack of reporting to avoid reputational damage.
Types of Cyber Attack Seen
Though answers varied between subject groups in the US and those abroad, anywhere from between a fifth to half of respondents had seen or experienced at least one cyber attack within the past year alone, with many suffering more than three in 2021. The majority of these were various phishing attempts that most often included malware delivery, with ransomware accounting for a sizable portion of those. The modern nature of a breach lends itself to allowing hackers to carry out multiple attacks with one successful penetration, so many of the different types are not mutually exclusive and are often to be expected from more sophisticated cybercriminals.
Data Sprawl and Risks
Survey results also indicated a shrinking level of confidence in data security and ownership, with a decreased number of respondents proclaiming they knew for sure all of the places their data was stored and how secure it was. Much of this uncertainty seems to be tied to both increased migration to the cloud and other distributed networks for remote work enablement. Response from IT decision-makers surveyed in the US reflecting a growing rate of adoption for SaaS and web-based resources, paired with steadily accumulating worries about managing the security complexities these new solutions brought.
Ransomware
Though ransomware was only a part of overall malware attacks, its impact could be felt much more severely among the data collected, including being the top culprit among publicly reported breaches. Despite this, the level of preparedness and planning in place still remained around the halfway mark for the total number of survey respondents, and 40% of those in the US would be not be making changes to their existing cybersecurity budgets.
Remote Work Security
Enforcing security for networks that include remote workers was a top-of-mind concern for US-based IT managers, with up to 76% stating they were worried about handling the risks and another 42% professing no confidence that current systems allowed them to. This follows fears that have culminated since the start of the 2020 global pandemic, with previous research indicating that disruption and increasing productivity demands were hampering new telecommuters’ focus on protecting their company’s data. However, it is important to note that human error accounted for less than 8% of breaches in Q1 2022.
Data Compliance
Compliance worries were divided between IT and other business decision-makers, as well as between countries and different technology users. About half of US IT respondents felt cloud environments presented challenges for maintaining data privacy, while 43% admitted their systems had failed an audit in the past year. On the other hand, SMB and midmarket business respondents were much more confident they were handling things with a consolidated security and compliance approach, with almost 70% saying their business continuity plan (BCP) addressed both categories.
Most Targeted Industries
The list of sectors reporting the most data compromises from 2020 to Q1 2022 is a familiar one, with many of these industries showing up often in the news cycle related to significant breaches. These include:
- Healthcare
- Financial Services
- Manufacturing
- Professional Services
While there were others that saw a lower volume of compromises, some still had a greater ratio of affected victims with each breach, namely the Technology sector. Additionally, industries like Manufacturing and Financial saw significant YoY spikes in both the number of breaches and victims impacted between 2020 and 2021.
How the Prepared Are Responding
The research results overall indicate that those respondents that were on the more confident side of the 48-52% divide for preparedness were working off of direct experience, and this correlates directly with the number of those who had been breached previously. A good example of this is the rate of ransomware preparation among healthcare institutions – 57% versus the 48% average found among the rest of those surveyed. Other indicators are the segments who reported that they were or would be prioritizing new cloud security toolsets, encryption, and zero trust security protocols.
Trends to Take Away from the Research
There are enough parallels between the various audiences of these three reports, along with several other sources, to begin drawing out a few higher-level patterns:
- Fear is currently the greatest driver of security policy and response to perceived (or real) cyber threats
- There remains a disconnect between IT and other business leaders on what needs to be prioritized
- Uncertainty surrounds the cloud and other distributed computing, despite cloud-related compromises shrinking YoY
- Most smaller businesses are seeking ways to be cost-effective on cybersecurity
- Efforts at education and cyber hygiene are limiting the growth rate of human error breaches
- Hackers are always moving away from the gaps victims know to exploit more overlooked vulnerabilities
- Phishing and ransomware will continue to remain the top two threats for the immediate future
Good Governance Wins Out
Despite some of the more apprehensive responses included with these reports, there are positive trends to be found in the aggregated data, namely in the impact education and knowledge-sharing has had on cybersecurity awareness. The biggest and most recurring challenges found among across almost every organization when it comes to cyber defense are resources and time, the former being especially persistent for SMBs.
Even when common weak points are secured, hackers are still finding new ways to get around emerging defenses, as the Attack Vector disparities in the ITRC report hint at. The only consistent method for keeping pace with bad actors is having good governance for your IT objectives in place. Technology solutions cannot handle every threat and can always be bypassed with the right knowledge and access, but human intelligence empowers you to solve problems dynamically.
Learn More About IT Governance Services
Managed IT governance services allow small business to capture the benefits of an experienced network security and management team at a fraction of the investment and commitment. Learn more about how an MSP (managed service provider) like SWK Technologies can help you cut through the fear and noise of cybersecurity to develop a clear action plan for protecting your data.
Contact SWK here to learn more about our IT governance and other managed services, and how we will help you ensure you’re getting the most out of your technology.
Ask Us About Governance for Cybersecurity