How Will Next Year Be?

I agree with Apple’s recent The Continued Threat to Personal Data report (https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf). It is getting much, much worse.

I have been in computer security for 36 years, since 1987. And every year for the last two decades, at the end of each year, I have been asked by reporters how I felt about the coming year: “Will cybersecurity incidents be better or worse?” And every year, I say it will likely be worse. Why?

Because every year it somehow gets worse. I am not even sure how it happens. For instance, ransomware is readily taking down companies, hospitals, critical infrastructure, law enforcement agencies, and even entire cities. Hackers can basically break into any company they like, at will. There are tens of millions of unique malware programs introduced each year, and most are not detected by antivirus programs for days to months after their release. Nation-state and organized cybercrime are at their all-time pinnacle. And that is just what we have seen already. It has been this way for years.

Given its current already super-terrible state, how is it possible that cybercrime will get worse next year? That is the question I have asked myself at the end of each year, and somehow it just does.

This year my sentiments are backed up by Apple’s The Continued Threat to Personal Data report (https://www.apple.com/newsroom/pdfs/The-Continued-Threat-to-Personal-Data-Key-Factors-Behind-the-2023-Increase.pdf). To quote from the top of the report,

“Last year’s study, “The Rising Threat to Consumer Data in the Cloud,” found that these threats had reached historically high levels. And now, with complete data from 2022 and most of 2023 underway, many indicators show that the threat is getting even worse.”

Yeah, what they said!

This year’s Apple report says that ransomware is worse than ever, and more vendors are being exploited more often than ever. Apple says over 2.6 billion personal records were breached this year. Another new high. They say data breaches have tripled over the last decade, with a new record being reached in 2023 and the trend is accelerating. One in four people had their healthcare records exposed in a breach. Wow!

The report says that 95% of companies that incurred data breaches suffered multiple data breaches, with 75% of those having had the previous data breach within the last year. Eighty percent (80%) of data breaches involved data stored in the cloud. It shows that our data handling procedures have gotten no better as we move from on-premises to cloud environments.

The Defenses Have Not Changed

Here is what I also know. How hackers and their malware creations successfully attack us has not changed in over three decades. That is the sad part. The most common way organizations get compromised is social engineering, and in particular, email phishing. Social engineering and phishing are involved in 70% to 90% of successful data breaches and at least 50% of ransomware attacks. No other root cause comes anywhere close.

Unpatched software and firmware are involved in 20% to 40% of data breaches. Mandiant says it is involved in 33% of compromises (https://blog.knowbe4.com/hands-on-defense-unpatched-software-causes-33-of-successful-attacks) this year.

Together, these two root causes are responsible for 90% to 99% of data breaches.

Simply focusing better on defeating just those two cybersecurity incident root causes would remove the vast majority of cybersecurity risk in most organizations. Let me say it in an even stronger way. How well you and your organization focus on mitigating those top two root causes will likely determine whether your organization ends up getting hacked and becoming part of the statistics. Focus on mitigating those two threats well, throw in phishing-resistant MFA, and you are unlikely to be hacked. Get distracted by doing a hundred other things, neglect those two issues, and you are likely to be part of this year's, and next year's, statistics!

Stephen Panossian, MS

Experienced Science Technician | Software Developer | Data Curator

1 year

Organizations need to commit to rapid installation of patches and updates, onboarding and periodic cybersecurity education for employees, enforcement of proper password hygiene, and recording of all incoming/outgoing calls. Software companies need to test their apps more thoroughly before releasing them. Users need to maintain their cybersecurity awareness, follow proper password rules, and be more protective of their personal data.

Speed, depth, and broadness of attacks will increase. Nothing on the horizon to stand in its way.

Loren Kohnfelder

Author of Designing Secure Software: A guide for developers

1 year

It's only true if we continue with business as usual; if the industry tried something new one of these years it just might reverse the trend. Decision inertia is still a choice.
