Cybersecurity incidents cost an estimated $45 billion in 2018, according to a new report that aggregates data from different types of reported security incidents from around the world.
It's difficult to get a complete picture of the cyber incident landscape, says Jeff Wilbur, technical director of the Internet Society's Online Trust Alliance (OTA), which today published its "2018 Cyber Incident & Breach Trends Report." "Everyone's viewing it from their own lens," he says.
When the OTA published its first edition of this report 11 years ago, it only focused on data breaches, Wilbur adds. A rapidly evolving threat landscape forced it to broaden its scope.
"A few years ago we realized this underrepresented the number of cyber incidents," he explains. "We started looking at adding business email compromise, ransomware, and other DDoS attacks because those are orders of magnitude larger than breaches that get reported.
What's interesting, he continues, is many of the techniques cybercriminals use to break into systems have largely remained the same: They use employee credentials, for example, or exploit a known vulnerability in an organization that hasn't updated its software. "The ways to get in have been relatively constant for a while," says Wilbur, though there are some changes.
Internet of Things (IoT) devices, for example, have introduced new ways of breaking into organizations, as has organizations' growing reliance on third-party vendors. "The clever way to get into systems is through third parties that may be less secure," Wilbur adds. More attackers are breaking into target organizations by planting malware on or gaining unauthorized access into vendor systems.
Supply chain- and IoT-based attacks may be growing, but email attacks and vulnerability exploitation remain the most common ways to break into a target system. However, the actions cybercriminals take once they gain access to a network continue to shift over time.
Tracking Trends in Cybercrime
In their exploration of how attack patterns fluctuate over time, researchers noticed ransomware declined overall between 2017 and 2018, though it specifically increased among enterprise users. Cryptojacking became prominent in late 2017 and grew in 2018; however, it later started to rapidly decline as cryptocurrency's value plummeted and attackers sought new ways to generate illicit income. Researchers found reports of 1.3 million incidents of cryptojacking in 2018 and 500,000 of ransomware.
Distributed denial-of-service (DDoS) attacks were reportedly down in 2018, though some reports indicate they're still causing chaos in some industries. The challenge with DDoS attacks is determining how many attacks are successful, researchers point out. There is no aggregated reporting, and most businesses hesitate to acknowledge where they are vulnerable.
Business email compromise (BEC) was up significantly in 2018, researchers say. The FBI's Internet Crime Complaint Center reported more than 20,000 BEC incidents in the US resulted in nearly $1.3 billion in losses in 2018 – up from 16,000 incidents and $677 million lost in 2017.
It's one of many types of attacks contributing to the overall cost of cyber incidents in 2018. While financial impact is tough to determine, strong estimates put the cost of ransomware at $8 billion and credential stuffing at $5 billion. Some estimates are more general; for example, the Ponemon Institute reported the average cost of a data breach grew to hit $3.86 million.
Even with loose estimates, researchers estimate a total financial impact of at least $45 billion in 2018.
What does this data mean for the rest of 2019? "We've seen more supply chain attacks, [and] we've seen more ransomware, especially in the US," he says, pointing to the new trend of cybercriminals targeting US cities including Baltimore, Maryland; Riviera Beach, Florida; and Atlanta, Georgia. While cryptojacking continues to drop off, we can expect to see more of the same threats we saw in late 2018 and early 2019, Wilbur says.
Back to Basics
As Wilbur explains, attack vectors leading to major breaches are typically simple.
These can be seen in many of the high-profile security incidents that made headlines in 2018. The breach of Aadhaar, India's national ID database, compromised 1.1 billion records and was attributed to an unsecured API. An attack on the Marriott/Starwood system affected 383 million people and was caused by intruders who had been on the Starwood network since 2014 and would have been found by a routine network check prior to its acquisition by Marriott.
Given OTA found 95% of data breaches in 2018 were preventable, it seems organizations are not taking simple steps to protect themselves. "The same rules apply, so it's actually the trend that organizations aren't doing the basics really well," he says.
This puts pressure on organizations to step up their game: you want to be the organization that, when attackers start to intrude, they don't find a vulnerability and move on to an easier target.