Now is a great time to look back on cybersecurity statistics for 2021. They can help IT professionals understand which issues from last year may carry over into 2022.
However, it’s also useful to gain expert insights on likely cybersecurity scenarios impacting this year. Knowing about threats makes it easier to combat them. Here are 10 cybersecurity statistics from 2021 and five predictions for 2022.
A persistent cybersecurity skills shortage has caused IT teams to get more creative in seeking solutions. For example, they might run internal training programs for people without cybersecurity backgrounds seeking career changes.
A 2021 survey of IT professionals by ISACA found that 61% had understaffed security teams. Additionally, 50% of respondents said their cybersecurity applicants were poorly qualified. That’s problematic since 55% of those polled had unfilled cybersecurity positions.
Affected parties must keep doing the best they can with the available resources in the short term. However, they’ll need to continue thinking outside the box and realize there’s no quick fix to the skills shortage.
Many online registration forms remind people to always choose unique passwords. However, a study of Americans’ password habits found the majority of them don’t follow that advice.
The results showed that 68% pick the same passwords for multiple sites. Another worrying finding was that 57% came up with their passwords by slightly changing old ones.
These behaviors give cybercriminals the advantage by providing them with more opportunities to wreak havoc after successfully finding a single correct password. If it works at one site, there’s a good chance it will elsewhere.
A 2021 midyear report from Check Point showed a 29% rise in worldwide cyberattacks for the year. There was also a 93% jump in ransomware attacks globally. The researchers cited an expanding definition of what it means to fall victim to a ransomware hack.
They discussed how 2021 saw a new ransomware threat emerge that involved barring a targeted organization’s access to data, leaking that information, and directly engaging with the people identified in the stolen material. Criminals try to make them pay to avoid unwanted consequences.
Check Point researchers found that U.S. organizations experienced an average of 443 cyberattacks per week. That was a 17% increase from an average taken earlier in 2021.
A startling finding from a 2021 study reinforced the growing belief that employees are often among an organization’s weakest cybersecurity links. The research, published in July 2021, found that 94% of organizations polled had an internal data breach over the last year.
Human error caused 84% of insider data breaches, and 74% of organizations said they occurred because employees broke security rules. The results also revealed that 73% of the companies polled mentioned phishing as the primary cause.
Most people do at least a few things every day that involve using credentials. They might type in a username and password while using an online banking interface or scan an employee badge before starting a shift. A Verizon examination of cybersecurity breaches showed how criminals exploited that reality in 2021.
It found that 61% of data breaches compromised credential data. However, there was a huge range in how frequently cybercriminals tried to use those details.
Overall, 95% of organizations experienced credential breaches in 2021. Those entities had anywhere from 637 to 3.3 billion malicious login attempts afterward.
The average cost of data breaches has been significant for a while. However, in 2021, it reached the highest figure in the 17-year history of the report.
An IBM Security study concluded that data breaches cost $4.24 million per incident for affected companies. They also cost an average of $1 million more when working from home was a factor in the event.
Chris McCurdy, the vice president and general manager of IBM Security, said, “Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic.” However, he said that positive factors, such as more companies adopting a zero-trust approach, could eventually curb breach costs.
In July 2021, researchers at Barracuda published a report of their findings from analyzing nearly 13 months of spear-phishing attacks. Such attacks occur when online criminals precisely target people with phishing email content rather than taking a much broader approach.
Between May 2020 and June 2021, the team examined more than 12 million spear-phishing and social engineering attacks. They discovered phishing emails claimed to come from Microsoft in 43% of cases. CEOs are at a particularly high risk of all phishing attacks. The research indicated the average person in that role experiences 57 such targeted events every year.
These conclusions are vital reminders that a message is not necessarily legitimate if it seems to come from a well-known brand or person in power. Criminals who operate online are increasingly advanced in their tactics to fool people.
Improved remote device security was a defining IT trend in 2021, largely due to more people working from home. Even so, the threat landscape was full of cyber risks that kept professionals on their toes.
About 81% of IT professionals in the U.S. said having remote workers increased security challenges at their enterprises. Even so, the vast majority of organizations (96%) intend to continue with remote work for at least the next two years.
The research also looked at the most common attack vectors utilized. Phishing was the most frequent mechanism, followed by endpoint network attacks and malware. Cybersecurity professionals must take multifaceted measures to keep their organizations safe.
Business email compromise (BEC) attacks are often financially motivated. They occur when criminals pose as people in authority at particular organizations.
A 2021 report highlighted how 71% of BEC attacks occurred when a criminal spoofed an email account. That was the most common mechanism for such attacks, showing that people do not have to hack into someone’s service to do damage.
Instead, threat actors can change one character of a valid email address when impersonating someone in authority, which would still look correct at a glance. People at risk of getting messages stemming from BEC attacks should receive reminders to always look at the sender’s address carefully and never act in haste.
People who run small businesses may be at an increased security breach risk due to numerous factors. Criminals may believe targeting smaller companies allows them to cause more severe problems that take longer to fix. Alternatively, they might assume those entities don’t have as many defense mechanisms in place.
Perhaps they’re not wrong. A 2021 USTelecom study surveyed small and medium-sized businesses about their cyber-readiness. One finding was that companies with 50 employees or fewer devote the smallest percentage (18%) of their overall IT budgets to cybersecurity.
Another takeaway was that companies with less than $1 million in revenue were the most likely to use very few cybersecurity best practices. People associated with small businesses should explore smarter IT spending options that strengthen cybersecurity without blowing their budgets.
Now, let’s look at the expected cybersecurity trends of 2022.
Online criminals often use social engineering to make their attacks more believable. Mimecast CEO Peter Bauer believes the volume of data people share on their public feeds will make it even easier for them to craft successful plans.
He explained, “After years of high-volume breaches combined with employees sharing excessively via social media, the trove of personal information and intelligence available to attackers is extraordinary and beyond disturbing. This will enable adversaries to craft even more convincing attacks. Email and cloud communication systems continue to provide attackers the ideal venue.”
Before company leaders pursue digital transformation strategies, they must remember the costs associated with technical progress.
Even highly beneficial tools can broaden an organization’s attack surface, exposing it to more bad actors.
Ram Shankar Siva Kumar is a data specialist at Microsoft. He shared his company’s sentiment that people must assess threats to their artificial intelligence systems in 2022. "Most organizations are worried about their data being poisoned or corrupted by an adversary," said Kumar. "Corrupting the data can cause downstream effects and disrupt systems, irrespective of the complexity of the underlying algorithm that is used."
Hackers are always on the lookout for new attack vectors. The cybersecurity experts at KnowBe4 believe many will use the metaverse as the setting for their attacks as soon as 2022.
The company’s trend list noted, “Hackers will … be drawn into this world, and we will see virtual attacks against both individuals and organizations. We will see an explosion of bad things happen to people and resources in the virtual world … virtual looting, virtual theft, account takeovers and more creative criminal exploits.”
Recent events have proven that people need not become astronauts to travel to space. Having enough money to cover the fees is often enough.
Internet security experts at BeyondTrust expect space tourism scams to show up on social media and elsewhere online this year. That prediction makes sense, especially since most cybercriminals are financially motivated. Someone considering traveling to space almost certainly has immense wealth.
Now that more people are working from home, there’s a larger attack surface for criminals to target. Dr. Ian Pratt is the global head of security for personal systems at HP. He believes the hybrid work trend will elevate phishing attacks in 2022.
Pratt commented, “Employees have been using personal devices for work or corporate devices for personal tasks, like checking emails. This will continue, and it’s likely there will be an increase in phishing attacks targeting both corporate and personal email accounts. This essentially doubles attackers’ chances of launching a successful attack, so organizations need to educate the workforce on the risks of their behavior and enforce technical controls to prevent compromise.”
There are no guarantees about what 2022 might bring on the cybersecurity front. However, the lists above will help cybersecurity professionals anticipate the future and plan accordingly.
There is no time like the present to implement advanced security practices for your company. Consider Logsign to strengthen your cybersecurity effectively in 2022!