The numbers don’t lie. Despite all the focus on cybersecurity, cybercriminals remain a costly threat to businesses. The 2021 Cost of a Data Breach Report by IBM highlights this fact and also shows there are certain actions you can take to counter the increased sophistication of attackers.
Before we dive into the latest statistics, let’s remember it only takes one weak link to make your organization vulnerable to a cyberattack. This means your team members, processes, and technology all have to create a cohesive unit that holds up under pressure from sustained, outside manipulation.
It also means your cybersecurity strategy — in other words, the way you protect your systems, networks, and programs from digital attacks — must be multilayered. A next-generation firewall or antivirus program can do little if an unauthorized individual can gain access to your business premises and quietly set a plot in motion to steal company data.
Where the cyber threats come from
Last year, in particular, served as a reminder of the importance of integrated cybersecurity for businesses. The barrage of attacks came primarily from four sources:
- Ransomware: Attacks involving ransomware have doubled in the past two years and will, if the growth rate continues, surpass phishing as the top cause of data breaches this year. The malicious software, designed to extort money by blocking access to files or computer systems until the ransom is paid, accounted for 22% of cyberattacks in 2021.
- Phishing: The most common type of cyberattack. With phishing, attackers send fraudulent emails that resemble legitimate emails to lure you into divulging sensitive data.
- Malware: Computer viruses, worms, Trojan horses, and spyware all fall into this category, which is also called malicious software. Intentionally harmful, these programs steal, encrypt, and delete sensitive data. They may also alter or hijack core computer functions and monitor your computer activity.
- Social engineering: Cybercriminals use this tactic to trick you into revealing sensitive information by enticing you to, for example, submit a payment or download malware. You’ll often see it combined with the above threats to prompt you to take a desired action.
A record-breaking number of data breaches
Totaling 294 million victims, 2021 set a bleak record for cybercrime, according to the Identity Theft Resource Center (ITRC). The center’s 2021 Data Breach Report revealed 1,862 data breaches last year, a 68% year-over-year increase.
Other than the military, which reported no breaches, the cyberattacks spanned a wide range of industries, from the country’s largest oil pipelines to companies entrusted with the personal information of millions of American consumers.
The manufacturing and utilities sector tallied 48 compromises, with a staggering 48 million people affected. The healthcare sector saw even more breaches — 78 — and although the number of victims was smaller, it still added up to 7 million people.
Many high-profile data breaches
Throughout the year, the high-profile cyberattacks kept coming. To take two examples:
- In June, UC San Diego Health discovered threat actors had compromised employee email accounts, potentially exposing claims information, medical records, prescriptions, treatments, and Social Security numbers.
- In October, Neiman Marcus disclosed it had taken the company more than a year to detect an intrusion that included the exposure and potential theft of over 3.1 million customer payment cards (fortunately, most were believed to be expired or invalid).
Targeting small businesses
Interestingly, the number of people affected dipped slightly last year. But that’s not necessarily good news for small businesses, ITRC said. As larger companies fortify their cybersecurity measures, cybercriminals shift toward smaller and more focused attacks. In fact, even before this trend emerged, nearly half of all cyberattacks were against small businesses.
The cost of data breaches is staggering
These attacks come, of course, at a high cost. For CNA Financial, the hit was direct. The large commercial insurer reportedly paid a $40 million ransom after a ransomware attack that locked employees out of corporate resources and stole company data.
For an overview of the devastating financial impact of data breaches, consider these stats from the IBM report:
- The average cost of a data breach increased by nearly 10% year over year, the largest single-year cost increase in the last seven years. It now stands at $4.24 million — or higher for companies that lag in areas such as security AI and automation, zero trust, and cloud security.
- Lost business represented the largest share of breach costs. At an average total cost of $1.59 million, it included variables such as lost business costs, increased customer turnover, lost revenue due to system downtime, and tarnished company reputation, which, in turn, made it harder to acquire new business.
- Although business email compromise (BEC) was responsible for only 4% of breaches, it still had the highest average total cost of the 10 initial attack vectors examined. Malicious insiders caused the third costliest attacks (phishing was second), underscoring the need to systematically control and monitor who can access company networks.
- Time is money. There’s hardly a better illustration of that aphorism than the increase in cost for data breaches that went undetected for more than 200 days ($4.87 million vs. $3.61 million for less than 200 days). Considering it took an average of 287 days to identify and contain a breach — seven days longer than the year before — companies paid a hefty price for being slow to react.
Protecting your business against cyber threats
Integrated cybersecurity is an essential part of any business plan. Just as you install burglar alarm systems, live video monitoring, and fire alarms and smoke detectors to protect your physical assets, you need another security layer to safeguard login credentials, customer data, intellectual property, and more.
A key component in any cybersecurity strategy is security AI and automation. The IBM report found organizations that deployed such technology cut breach costs by more than half ($2.90 million vs. $6.71 million) as it helped them more quickly detect the breach and contain its fallout.
Along the same lines, file integrity monitoring (FIM) technology can detect changes in files that may indicate a cyberattack is underway. This technology is especially important to shore up online payment forms for e-commerce businesses and comply with the Payment Card Industry Data Security Standard.
Phishing awareness training for employees is also a straightforward way to fill gaps. So is two-factor authentication, which takes login attempts beyond easily replicable passwords and usernames.
Also, don’t overlook the importance of access control. Malicious insiders, whether a former employee, contractor, or business partner, pose a considerable threat that you can mitigate with the right tools. Access control technology lets you revoke and grant permissions on demand with an online access control dashboard. Although internal attacks are less common, you can, at the very least, curb the threat of an in-house breach and limit employee access to certain areas of the business.
No more weak links
The bottom line is all areas of your business play a role in the defense against cybercriminals. In the end, the nature of your data and the structure of your business will determine which solution provides the best protection. A single weak link is more than most companies can afford.