Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

02:30 PM
Marc Wilczek
Marc Wilczek
Connect Directly
E-Mail vvv

Data Breach Threats Bigger Than Ever

A quarter of IT and security leaders expect a major data breach in the next year.

In its 2018 Strategic Security Survey (registration required), Dark Reading polled some 300 IT and security leaders and found that more organizations, not fewer, expect to face data breaches in the coming year compared with the previous year's survey. Moreover, the companies believe they're not fully ready to protect their data against intruders.

A large proportion of respondents expect that staffers with privileged access might be the source of a breach, but they're also wary of attackers from outside mounting one of many sophisticated new attacks. A growing attack surface, distributed denial-of-service extortion, targeted attacks, and ransomware are contributing to the unease that many organizations sense. But concerns about overstaffing and budgets seem to have abated compared to the level of worry expressed in 2017. Almost one in five (19%) respondents said they believe their companies are more vulnerable to data breaches than a year ago, a somewhat higher number than the 17% who felt that way last year. The proportion of respondents who believe their company's data-breach exposure hasn't changed has dropped. In Dark Reading's 2017 survey, 55% of respondents said their vulnerability to data breaches had remained stable over the past 12 months; this year, only 48% made that claim.

These results are worrying. The money poured into cybersecurity has skyrocketed in recent years, yet most companies feel that investment hasn't translated into the ironclad security they need.

Cybercrime and Targeted Attacks on the Rise
Sixty-one percent of respondents said that the most likely reason for a major data breach next year would be a negligent end user or an employee breaking the company's Internet-use policy. This gloomy prediction is probably attributable to the hugely disruptive successes that hackers have racked up by targeting corporate end users and executives.

That said, just over half of the survey respondents said cybercriminals are the biggest threat to their security. Twenty-six percent of IT departments expect a serious breach next year stemming from a targeted attack, and 21% have already experienced one, up from 17% who reported having one in last year's survey. Another reason why targeted threats are a growing problem is simply that more people are aware of them. In the last few years, Western intelligence agencies have uncovered state-sponsored attackers — especially from Russia, China, and North Korea — who are launching laser-targeted assaults on companies with critical infrastructure.

The Cost of an Average Breach: $3.62 million
Last year, the Ponemon Institute estimated the average global cost of a data breach was $3.62 million, or about $141 per record. Costs in the US are nearly twice that. Cyberattacks of any kind can have brutal financial ramifications: 17% of respondents lost between $100,000 and $999,999, 9% lost between $1 million and $4.9 million, and 2% lost more than $5 million.

One might think that with so much money at stake, top executives would be spending more time learning how to make their companies more secure. Some of them are: 25% of the IT and security pros in the Dark Reading survey are satisfied that their corner-office teams are sufficiently security-savvy. But 39% say their top managers understand the business risks of data breaches but aren't sure how to quantify them. Both numbers are lower than the 29% and 45% reported last year. A quarter of respondents said their top managers don't really get how breaches might disrupt or even destroy the business, compared with 18% who reported a similar lack of comprehension last year. The numbers suggest that top managers are getting worse, not better, at grasping the potential consequences of data breaches.

App Security Emerges as Weakest Link in the Value Chain
Yet another cyber vulnerability is rooted in applications. Forty-two percent of the survey respondents say bugs in programs are their biggest data security threat, a percentage  in line with the 41% reported in the 2017 survey. These security concerns are familiar: Countless security studies and reports in the past few years have shined a spotlight on the high prevalence of vulnerabilities such as SQL injection and cross-site scripting. More recently, these issues have grown worse because of the rising popularity of software development models such as DevOps and agile, which tend to prioritize speed of development and delivery over security. Experts in the latter sphere also worry about the frequent use of open source code in today's software because some of it may undergo insufficient security testing.

Once again, malware and phishing were cited as the top two online problems. While 52% of respondents said they had suffered a malware-related breach, 48% said they'd been phishing targets. Ransomware was the third most-cited reason for a security breach in 2017, but the proportion of respondents (16%) that said they'd been victims of a ransomware attack was down substantially from previous surveys.

Evidently, data breach concerns are higher than ever —although more people are aware of breaches and are spending more money on cybersecurity solutions to prevent them. The growing number of highly sophisticated threats and targeted attacks is not only wreaking financial damage but also leaving many organizations wondering whether they're capable of doing enough to protect their data. Compared with last year, more organizations expect to suffer a major breach in the next 12 months, and most feel that breach will stem from an employee's careless actions rather than an outside attacker. Perhaps most troubling, top management seems to be less security-savvy than last year. It's clear that many organizations will run into some major potholes on the Internet highway in the coming year.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Marc Wilczek is a columnist and recognized thought leader, geared toward helping organizations drive their digital agenda and achieve higher levels of innovation and productivity through technology. Over the past 20 years, he has held various senior leadership roles across ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-05
The “Elementor Addon Elements� WordPress Plugin before 1.11.2 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “Livemesh Addons for Elementor� WordPress Plugin before 6.8 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
PUBLISHED: 2021-05-05
The “HT Mega – Absolute Addons for Elementor Page Builder� WordPress Plugin before 1.5.7 has several widgets that are vulnerable to stored Cross-Site Scripting (XSS) by ...
PUBLISHED: 2021-05-05
The “WooLentor – WooCommerce Elementor Addons + Builder� WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-priv...
PUBLISHED: 2021-05-05
The “Elementor Addons – PowerPack Addons for Elementor� WordPress Plugin before 2.3.2 for WordPress has several widgets that are vulnerable to stored Cross-Site Scriptin...