35 cyber security statistics every CIO should know in 2017
17 February 2017
According to Ginni Rometty, IBM’s CEO, “Cybercrime is the greatest threat to every company in the world.” Whilst you may not agree with that statement, security is now part of every business and IT discussion and the need to combat the threats posed will only serve to intensify efforts in 2017.
That’s why we’ve compiled this list of statistics covering everything from the evolving threats posed by hackers to the vulnerabilities in present company cyber security policy. To kick things off, we’ll first take a look at the key workforce demographic that needs no introduction:
By 2020, millennials will form 50% of the global workforce. They’re the generation that has grown up so connected in their social lives that it raises the question of how their online attitudes, which differ from those of more cautious generations, will affect the state of cyber security in the workplace in the coming years.
1. Millennials love the Cloud
Millennial-led firms are 44% more likely to have adopted cloud workload back-up than the market average or Baby-Boomer-led firms. While the cloud brings fantastic productivity and efficiency to smaller businesses, having instant access to sensitive information on smart devices and laptops raises security concerns.
2. Millennials back it up
Millennial-led firms are 71% more likely than peers to be using basic data back-up.
3. Millennials use a wider range of devices
8% of 35+ respondents print from mobile devices compared to 39% of millennials. Making the most of this functionality is great but raises questions about print security – are your networked printers secure? An increasing number of businesses are being hacked through the unsuspecting printer in the corner of the office.
4. Millennials ignore the rules
70% of Millennials admitted to bringing outside applications into the enterprise in violation of IT policies. Perhaps even more alarming is that the same survey found 60% ‘aren’t concerned about corporate security when they use personal apps instead of corporate apps.’
"The problem is that many of these [Internet of Things] devices have little to no security, and in many cases, they're even more vulnerable to attacks and misuse than your typical PC”. Matt Olan, IT professional at Pharmacare Specialty Pharmacy
5. Millennials are careless with passwords
Just 33% of Millennials use secure passwords for all of their accounts, compared to 53% of baby boomers.
6. Millennials are frequent printers of long documents
Rather than printing less, it turns out millennials print more than older generations. 65% of millennials print at least 3-4 times a week, and are 2 times more likely to print jobs that run from 6 to 15 pages in length.
7. Millennial CIOs embrace new tech faster
Millennial CIOs are 42% more likely to have already given phablets to their employees, 49% more likely to have given out Chromebooks, and have deployed a higher number of cloud apps than the average mid-market CIO.
Cyber crime, cyber attacks and vulnerabilities
2016 was the year that brought massive breaches at TalkTalk (with an accompanying £400k fine), Tesco Bank, LinkedIn, healthcare provider Centene, the United States Inland Revenue Service and Ashley Madison, amongst others.
If there is one safe prediction, 2017 is going to get a lot worse as cyber criminals continue to probe for the weakest links in corporate cyber security chains and, at the same time, become more creative and sophisticated in their strategies as they target employees rather than software.
8. Phishing and social engineering top threats
65% of professionals identified phishing and social engineering as the biggest security threat to their organisation. All it takes is one person clicking a fake email about banking or spyware to give a hacker direct access to all the data on their device and a direct path to your network.
9. Despite being aware of phishing, people still click
78% of people claim to be aware of the risks of unknown links in emails, yet click on these links anyway.
10. Breaches are becoming commonplace
32% of companies said they were the victims of cyber crime in 2016.
11. One in five organisations experience a BYOD breach
Skycure reports that 21% of organisations have traced a data breach to their BYOD program. What’s more galling is that 24% have found that employee-owned devices have been connected to malicious Wi-Fi hotspots.
12. CISOs expect more problems
Unsurprisingly, 73% of CISOs expect to experience a major security breach within a year. So the question is, if nearly ¾ of CISOs are aware, what more can be done to help them adequately defend against the attacks?
13. Hackers stay hidden
The average time attackers stay hidden on a network is over 140 days. While it seems unbelievable to have a hidden spy in the middle of your business for nearly five months, it happens. During this time they are able to find additional vulnerabilities and steal data in the form of sensitive information, passwords and even documents.
14. SMBs are still unaware of threats
Two-thirds of UK small businesses don’t think they’re vulnerable to cyber crime. Small businesses are in fact bigger targets than larger businesses, because of the perceived level of security they have in-house. In actual fact, they generally hold more data than larger businesses but don’t implement additional security to keep it safe.
Which explains the following stat…
15. SMBs are vulnerable and can be hacked quickly
It’s been estimated that half of UK SMBs could be hacked in under an hour.
16. Encryption is a double-edged sword
90% of CIOs have been attacked or expect to be attacked by hackers hiding in encryption.
17. Encrypted traffic attacks
50% of network attacks will use encrypted traffic by 2017.
18. Keys and certificates are in the danger zone
85% of CIOs expect criminal misuse of keys and certificates to get worse.
19. CIOs don’t have much confidence in their efforts
87% of CIOs believe their security controls are failing to protect their business.
20. Security teams don’t know the extent of their BYOD risks
35% of security pros don’t know if mobile malware is present on their network, and 37% aren’t sure if a breach has occurred. Meanwhile, only 28% and 27% are adopting endpoint security tools or network access controls, respectively.
21. Keys and certificates aren’t monitored
54% of businesses don’t know the location, ownership or use of their keys and certificates. If you’re not keeping track of what’s normal behaviour on your systems then how can you know when something is wrong? Similarly, without ownership of processes or products, who is going to be driving the security aspects?
22. IT departments ignore their own protocols
45% of IT personnel have knowingly circumvented their own policies. Sure, it might be easier to ignore the Bring Your Own Device policy because you need to get some extra work done at home, but all it takes is one mistake to expose your entire network.
23. It’s an inside job
59% of employees steal proprietary corporate data when they quit or are fired. Disgruntled employees often feel a sense of ownership over projects or research they’ve been involved with, which can then go on to benefit rival businesses.
“Almost half of European organisations believe that insider threats are now more difficult to detect, with senior IT managers being very worried about the things their own users can do with corporate data,” Andrew Kellett, principal analyst at Ovum.
24. IT Pros fear more entry points as biggest risk of IoT
84% of IT professionals said that more entry points into the network was the most concerning security risk stemming from IoT devices in the workplace. Additionally, 68% said default passwords were also concerning.
25. Business respondents believe employees pose the biggest risk
70% of business respondents think that employees are the biggest risk to the business – which can be down to things like a lack of education about security or poorly defined Bring Your Own Device policies.
26. Majority of companies are ignoring print security
56% of companies ignore printers in their endpoint security strategy and do not see printers and hardcopy documents as an area of high risk.
27. Yet unauthorised access is commonplace
An average of 44% of network-connected printers within organisations are insecure in terms of unauthorised access to data stored in the printer mass storage. This means that anything you or your employees have printed could be waiting for a hacker to reach in and steal.
“Networked printers can no longer be overlooked in the wake of weakening firewalls to the growing sophistication and volume of cyber attacks,” Ed Wingate, VP & GM, JetAdvantage Solutions at HP, Inc.
Cost of cyber crime
Of course, the cost of cybercrime isn’t just the value of the data stolen. It’s the cost of recovery time; the cost that comes from an erosion of trust with established business partners; it’s the compensation payout to customers and it’s the reputational cost incurred that can act as a detriment to winning new business. The stats below help put this true cost into perspective.
28. Average global cost of cybercrime is rising
Due to our increased reliance on data and connectivity, the global cost of cybercrime will increase to $2 trillion by 2019.
29. Breaches cost more than ever
There has been a 29% increase in the total cost of data breaches since 2013, with the average consolidated total cost of a data breach now estimated at $4 million.
30. Average number of attacks per company, per year
Two successful cyber attacks per week, losing an average of $9.5m annually ($17m in the US).
31. Cost of recovery
The mean number of days to resolve cyber attacks is 46 with an average cost of $21,155 per day – or a total cost of $973,130 over the 46-day remediation period.
32. Cost of data stolen
The estimated average cost of each stolen record is $158. That’s every bank account, every password, every social account, every print job…
33. Cost per certificate
86% of CIOs believe keys and certificates are the next big hacker marketplace.
34. Backup and recovery
Advanced back-up and recovery reduces loss by $2 million annually.
35. Information governance
Information governance reduces losses by $1 million annually, so there’s never been a better time to audit and control your data.
Summary: start defending your weakest link
On the face of it, these stats don’t make pleasant reading.
Spending on cyber security has never been higher yet the numbers of breaches continue to rise in both volume and cost.
IT security teams scramble to contend with the demands of a mobile millennial workforce who expect to bring their own apps and wearables into the office and display a worrying disregard for basic security protocols.
Meanwhile, the hackers get smarter. In 2017, expect to see a rise in the number of attacks using legitimate credentials and software and an increase in the targeting of social media and personal emails to bypass even the most locked down of network defences.
Even without such evolving threats, it’s clear that tracking the fast-rising number of new entry points into company networks is a major headache. But what about the entry points companies should know about and can take measures to control?
An average of 44% of network-connected printers within organisations are insecure in terms of unauthorised access to data stored in the printer mass storage. In many cases, this makes printers and multifunction printers (MFPs) arguably the weakest ‘known’ links in the security of a company’s IT operations right now.
So, one practical conclusion to come from this list is: if your organisation isn’t prioritising printers as a part of its comprehensive security policies, perhaps it’s time it should?