
Scary Cyber Security Statistics for 2022

Expert Insight

Some seriously scary cyber security statistics...

As we know, October is cyber security awareness month. Which of course means that this month, we’re all about helping organisations understand risk, gain context and build security awareness.

As it’s Halloween, naturally there is no better way to do this than with some scary security stats.

Scary cyber security stat #1

A recent survey carried out by SANS found that, of 300 ethical hackers questioned, nearly 60% said that on average they need five hours or less to break into a corporate environment.

This includes reconnaissance, exploitation, privilege escalation and data exfiltration, with an end-to-end attack taking less than 24 hours.

Scary stuff.

What does our ethical hacker, James Hickie, have to say about this?

Taking an offensive stance when it comes to battling malicious actors is crucial. Offensive security tests are vital to an organisation’s security because they help IT teams learn how to handle many of the latest attack vectors. Penetration testing is just one type of offensive test that can be done and serves as a way to examine whether an organisation’s security controls are genuinely effective. It's the first thing I’d suggest for an organisation that wants to understand its current weaknesses and future improvement actions.

What is a penetration test?

A penetration test is a cyber security assessment conducted by a professional or ethical hacker, in order to discover vulnerabilities in various areas of an organisation’s infrastructure.

And in today’s digital landscape, the question every IT department should be asking themselves is not “do we really need a pen test?” but “when do we need a pen test?”.

With a variety of solutions available, from web app testing to cloud infrastructure testing, this is essential for any organisation that wants to withstand a potential attack.

Scary cyber security stat #2

The authors of the 2022 Verizon Data Breach Report (DBIR) comment that changing human behaviour is required to help reduce the role of the human element, especially in driving breaches. However, they also acknowledge that this is “quite an undertaking” for many organisations.

Adopting a human-centric, zero-trust security strategy can help an organisation manage its security risks more effectively by specifically focusing on threats that target and exploit the people that matter most: its employees. In doing this, it can turn its number one weakness into its first line of defence.

What does our Infosec Expert, Lex Soboslay, have to say?

“Taking a human-centric approach will help business leaders understand how their people are targeted by hackers. This could be anything from how they may be working in high-risk ways to how they access valuable company data. To mitigate these risks appropriately, you must first identify the most vulnerable people in your organization, understand the threats they face, and find out how they are being targeted by attackers. Once you’ve done this, you can implement appropriate controls that will protect them, your business and its reputation.”

Educating your risky people

From understanding the risks associated with personal devices to the importance of document permissions and file sharing, tailored employee training is a must.

There is no ‘one size fits all’ solution when it comes to education, and we believe different user groups require different forms of cyber security awareness and training. From interactive group sessions to tailored Stakeholder workshops, our courses focus on specific areas of business risk and how to mitigate these appropriately.

Scary cyber security stat #3

39% of UK businesses identified a cyber-attack in the last 12 months

The 2022 Cyber Security Breaches Survey identified that almost 4/10 businesses in the UK have experienced an attack in the last year… Scary odds for any business.

In terms of attack type, the NCSC state that ‘of the 39% of UK businesses who identified an attack, the most common threat vector was phishing attempts (83%). Of the 39%, around one in five (21%) identified a more sophisticated attack type such as a denial of service, malware, or ransomware attack. Despite its low prevalence, organisations cited ransomware as a major threat, with 56% of businesses having a policy not to pay ransoms.’

What does our Head of Cyber Security, Ryan Pullen, have to say about this?

“Given the number of threats in the wild, it’s critical that organisations deploy 360-degree solutions in order to prevent successful attacks. Organisations with a sophisticated cyber security strategy may opt for an “assume breach” approach where it’s primarily targeting anomalous behaviours already with access to your systems and heuristic analysis. Indeed, there are some obvious and basic things that you can do, such as making sure you’re not using the same passwords for different accounts and enabling multi-factor authentication where possible. Yet for true continuous protection, organisations should be looking to implement a security strategy driven by a combination of offensive, defensive and advisory techniques to cover multiple angles.”

How can you mitigate the risk?

Offensive security takes a proactive approach to protecting business networks from attacks, by testing security postures from the viewpoint of an adversary or competitor (like the previously mentioned penetration tests), whereas defensive solutions are focused on well-informed and reactive measures, like a robust Incident Response Plan or ongoing breach credential monitoring.

However, if you want a truly 360° solution, opting for a Managed Security Operations Centre is the most comprehensive way to protect your organisation. Embracing a trifecta of approaches, specifically through a 24/7 managed SOC, organisations are well placed to mitigate, respond to and recover from new and evolving threats as and when they arise.

Scary cyber security stat #4

In the recent IBM Cost of a Data Breach Report 2022, 83% of the 550 organisations studied had experienced more than one data breach; only 17% said this was their first data breach.

So why exactly are data breaches recurrent?

Sam Bracey, our OSINT expert at Stripe OLT says:

“Once you’ve had one data breach and it’s been made public amongst malicious actors, you’re asking for trouble. Leaked credentials are up for sale on the dark web, and once these have been used successfully, you’re going to have a target on your head. Realistically, unless you’ve built a robust cyber security culture in your business, there are always going to be risky employees. You know – the ones that use the same password for their personal accounts and work accounts… But, it’s not all doom and gloom - you can find out which credentials are available online.”

So, how exactly can you do this?

Ideally, you’ll want to carry out a Breached Credential simulation. In summary, this is an intelligence-led and objective-based simulated cyber-attack, undertaken in the event of breached access to credentials and user devices, to identify potential flaws in technology, or user accounts that could introduce further risk to the business. It’s a great solution for those that want to get one step ahead of a repeat attack.

But, for organisations that want to take it one step further, they can carry out a Digital Footprint Review, developed predominately for Senior Stakeholders or C-suite level executives. This is essentially an offensive solution that utilises open-source intelligence to build a picture of an individual online. From social media monitoring to a leaked credential check – this solution is often used to build awareness in a business and demonstrate the ways a hacker can gain your information online.

Scary cyber security stat #5

277 days is the average time it takes to identify and contain a data breach

According to IBM, in 2022 it took an average of 207 days to identify a breach and 70 days to contain it; an unsurprising statistic considering many organisations have limited security capabilities.

In terms of the cost (USD), they identified:

  • Phishing attacks – cost on average
  • Business Email Compromise – cost on average 4.89 million
  • Stolen Credentials – cost on average 4.50 million
  • Social Engineering TTPs – cost on average 4.10 million

Although the costs are scary, the important question is, why does it take so long to detect?

Our Head of Security Architecture, Austen says:

“If you don’t have a robust security solution in place, this timeline has a lot to do with how long malicious actors act undetected as they move laterally within your environment, gain access to user credentials and data, and then exfiltrate it. It’s imperative every organisation takes security-by-design seriously, to ensure a hacker’s capabilities are limited, if they do indeed access your network and infrastructure.”

What is security-by-design?

The term essentially refers to a method of security whereby your business software has been designed with built-in, robust security features from the ground up. This approach enables you to be proactive rather than reactive, in order to minimise the likelihood of a compromised security system.

For those working on large in-house IT projects, it’s always advisable to outsource some level of security consultancy to ensure any new systems and/or processes adopt security-by-design and the CIA triad:

  • Confidentiality – only allow access to data for which the user is permitted.
  • Integrity – ensure data is not tampered with or altered by unauthorized users.
  • Availability – ensure systems and data are available to authorized users when they need it.

Ultimately, cybercrime is an ongoing threat that should be taken seriously. By assessing your business’s cyber security posture, making company-wide changes, and improving data protection, it’s possible to protect your business…

Want to avoid becoming a statistic? Get in touch with our experts today.
