Here in the UK, official government stats show that four in ten British businesses and a quarter of charities suffered a cyber security breach or attack in the last 12 months. The risk heightens among medium businesses, with 65% suffering a breach, followed by large businesses (64%) and high-income charities (51%).
The financial impact of a data breach is devastating and well-documented. Not only does the company suffer the initial blow of lost data, but it’s also then followed by the cost of funding a recovery. The damage can then spread to consumers if their personal data ends up being sold to identity thieves on the dark web. Not as well-documented is the reputational damage. When a business relies on trust, an incident in which sensitive information is leaked seriously shakes the confidence of consumers and investors.
To help you understand the threat, we have compiled a list of the top data breach trends from 2021 and some predictions for 2022.
The Soaring Cost of a Breach
In 2021, the number of breaches skyrocketed – and so did the cost. The average price tag of a breach rose from $3.86 million to $4.24 million (£3.17 million), according to the IBM Cost of a Data Breach report. That is the highest ever average total cost in the history of the report.
The average cost of a breach rose by $1.07 million at companies where remote work was a factor.
Companies are increasingly relying on data, which needs to be easier and easier to access. Which poses an obvious question. How can you keep that data secure whilst making sure staff can easily find and access it?
Mid-Market Under Attack
Large companies enjoy the protection of enterprise-grade security, which makes them a tough target for hackers. But data-rich mid-sized organisations don’t always have access to the same security solutions. Not only this, but they are also unlikely to have a SOC or employ a large team of security professionals.
Hackers know this and are increasingly targeting the mid-market. These organisations are just as likely as larger companies to hold valuable data and perhaps even more likely to pay the ransom.
A survey of 4,000 mid-size companies across the retail, manufacturing, professional services, healthcare, transportation and education sectors found that mid-sized companies were “490% or more likely to experience a security breach by the end of 2021 as they were in 2019”.
The mid-market is facing a growing threat, and it’s not going away any time soon.
Phishing is almost as old as the World Wide Web itself and is still the number one method for cyber attacks.
In the UK, 83% of businesses have experienced phishing in the past year, prompting the Department of Media, Culture and Sport to warn that “the vast majority of breaches and attacks being identified are ones that will come via staff members’ user accounts”.
These attacks are increasingly likely to be multi-channel in nature and designed to exploit the coverage gaps in point product security systems. An incident may start in the inbox, but then use malicious links to draw victims onto websites or cloud apps – where email security can no longer protect them.
To protect against modern phishing and limit the risk of data breaches, an integrated security platform offering web, email and cloud protection is vital.
Cloud migration has been taking place at an unprecedented speed over the past two years as organisations rush to roll out remote and hybrid working models.
This, however, has resulted in a lot of problems. As hard-pressed IT teams rush to ensure their company’s cloud network is operational and efficient, cloud security is often neglected.
A study conducted by 451 Research found that 40% of organisations have suffered a cloud-based data breach in the past 12 months. The same research also found that 21% of businesses keep most of their sensitive data in the cloud. This means a breach could result in a huge fine and put a catastrophic dent in customer confidence.
Fernando Montenegro, Principal Research Analyst of Information Security at 451 Research, said: “Protecting customer data is always the priority, and organizations should strongly consider reviewing their strategies and approaches to proactively protect data in the cloud. As data privacy and sovereignty regulations grow, it will be paramount that organizations have a clear understanding of how they remain responsible for data security and make clear decisions about who is in control and who can access their sensitive data.”
Predictions for 2022:
Security Strikes Back
There is good news for organisations worried about data breaches. The tools available to secure data are getting better, offering small and medium-sized businesses the same protection that was only traditionally available to enterprises and large organisations.
“Higher data breach costs are yet another added expense for businesses in the wake of rapid technology shifts during the pandemic,” said Chris McCurdy, Vice President and General Manager, IBM Security, in a comment issued as IBM published its Data Breach Report.
“While data breach costs reached a record high over the past year, the report also showed positive signs about the impact of modern security tactics.”
Autonomy Overtakes Automation
We know that responding to a data breach quickly can limit its financial impact, with organisations that contain a breach in less than 200 days saving an average of $1.26 million.
Automation is one way of speeding up the response – but this is only part of the answer.
In the next year, we will continue to see the rise of autonomous security solutions which are capable of identifying and responding to threats, rather than simply performing simple tasks and saving humans from tedious manual work.
Censornet’s own Autonomous Security Engine shares intelligence across web, email, cloud application security (CASB) and MFA applications, demonstrating how autonomous integrated security lets companies move beyond alert-driven security and towards fully automatic threat detection and mitigation.
Data security is at the heart of Zero Trust, which will continue its march into the mainstream in 2022.
Forrester has predicted that at least five governments around the world will adopt Zero Trust practices in 2022, which means departments and supply chain businesses will have to follow Zero Trust procedures.
The Zero Trust philosophy has inspired tech like Zero Trust Network Access (ZTNA) controllers which, we’re afraid to say, will put the final nails in the coffin of VPNs. It is likely to be an organisation’s first step on the road to Secure Access Service Edge (SASE) – but widespread adoption of SASE will have to be a prediction for a later year because it won’t hit the market properly in 2022.
The Continued Death of Passwords
VPNs should already be on the chopping board at every company. But next to get the chop should be passwords.
A company’s security is only ever as good as its weakest password which is still likely to be “123456”, according to a list of 2021’s most common passwords. Which is why the password is likely to follow floppy discs into extinction.
In November 2021, Sean Ryan, Senior Analyst at Forrester, wrote: “Passwordless authentication… will protect organizations from brute force attacks, credential stuffing, phishing, and social engineering tactics. If carefully selected and implemented correctly, passwordless authentication also offers a superior user experience compared to password-centric authentication.
One solution is MFA, which will grow in popularity over the coming year. It uses a number of variables to verify users including IP addresses, geographical location and the time of day.
With MFA, you can begin to say goodbye to the password. We promise you won’t miss it.