35 cyber security statistics every CIO should know in 2017

17 February 2017


Cybercrime is now part of every business and IT decision. Discover the latest trends, and the implications behind them, in our essential round-up of the key stats you need to know.

According to Ginni Rometty, IBM’s CEO, “Cybercrime is the greatest threat to every company in the world.” Whilst you may not agree with that statement, security is now part of every business and IT discussion and the need to combat the threats posed will only serve to intensify efforts in 2017.

That’s why we’ve compiled this list of statistics covering everything from the evolving threats posed by hackers to the vulnerabilities in present company cyber security policy. To kick things off, we’ll first take a look at the key workforce demographic that needs no introducing:

Millennials

By 2020, millennials will form 50% of the global workforce. They are the generation that has grown up so connected in their social lives that it raises the question of how their online attitudes, which differ from those of more cautious generations, will affect the state of cyber security in the workplace in the coming years.

 

1. Millennials love the Cloud

Millennial-led firms are 44% more likely to have adopted cloud workload back-up than the market average or Baby-Boomer-led firms. While the cloud brings fantastic productivity and efficiency to smaller businesses, having instant access to sensitive information on smart devices and laptops raises security concerns.

Source

 

2. Millennials back it up

Millennial-led firms are 71% more likely than peers to be using basic data back-up.

Source

 

3. Millennials use a wider range of devices

8% of 35+ respondents print from mobile devices compared to 39% of millennials. Making the most of this functionality is great but raises questions about print security – are your networked printers secure? An increasing number of businesses are being hacked through the unsuspecting printer in the corner of the office.

Source


4. Millennials ignore the rules

70% of Millennials admitted to bringing outside applications into the enterprise in violation of IT policies. Perhaps even more alarming is that the same survey found 60% ‘aren’t concerned about corporate security when they use personal apps instead of corporate apps.’

Source

“The problem is that many of these [Internet of Things] devices have little to no security, and in many cases, they're even more vulnerable to attacks and misuse than your typical PC.” Matt Olan, IT professional at Pharmacare Specialty Pharmacy

5. Millennials are careless with passwords

Just 33% of Millennials use secure passwords for all of their accounts, compared to 53% of baby boomers.

Source


6. Millennials are frequent printers of long documents

Rather than printing less, it turns out millennials print more than older generations. 65% of millennials print at least 3-4 times a week, and are 2 times more likely to print jobs that run from 6 to 15 pages in length.

Source

 

7. Millennial CIOs embrace new tech faster

Millennial CIOs are 42% more likely to have already given phablets to their employees, 49% more likely to have given out Chromebooks, and have deployed a higher number of cloud apps than the average mid-market CIO.

Source

 

Cyber crime, cyber attacks and vulnerabilities

2016 was the year that brought massive breaches at TalkTalk (with an accompanying £400k fine), Tesco bank, LinkedIn, Healthcare Provider Centene, The United States Inland Revenue Service and Ashley Madison amongst others.

If there is one safe prediction, 2017 is going to get a lot worse as cyber criminals continue to probe for the weakest links in corporate cyber security chains and, at the same time, become more creative and sophisticated in their strategies as they target employees rather than software.

 

8. Phishing and social engineering top threats

65% of professionals identified phishing and social engineering as the biggest security threat to their organisation. All it takes is one person clicking a fake email about banking or spyware to give a hacker direct access to all the data on their device and a direct path to your network.

Source

 

9. Despite being aware of phishing, people still click

78% of people claim to be aware of the risks of unknown links in emails, yet click on these links anyway.

Source

 

10. Breaches are becoming commonplace

32% of companies said they were the victims of cyber crime in 2016.

Source

 

11. One in five organisations experience a BYOD breach

Skycure reports that 21% of organisations have traced a data breach to their BYOD program. What’s more galling is that 24% have found that employee-owned devices have been connected to malicious Wi-Fi hotspots.

Source

 

12. CISOs expect more problems

Unsurprisingly, 73% of CISOs expect to experience a major security breach within a year. So the question is, if nearly ¾ of CISOs are aware, what more can be done to help them adequately defend against the attacks?

Source

 

13. Hackers stay hidden

The average time attackers stay hidden on a network is over 140 days. While it seems unbelievable to have a hidden spy in the middle of your business for nearly five months, it happens. During this time they are able to find additional vulnerabilities and steal data in the form of sensitive information, passwords and even documents.

Source

 

14. SMBs are still unaware of threats

Two-thirds of UK small businesses don’t think they’re vulnerable to cyber crime. Small businesses are in fact bigger targets than larger businesses, because of the perceived level of security they have in-house. In actual fact, they generally hold more data than larger businesses but don’t implement additional security to keep it safe.

Which explains the following stat…

Source

 

15. SMBs are vulnerable and can be hacked quickly

It’s been estimated that half of UK SMBs could be hacked in under an hour.

Source


16. Encryption is a double-edged sword

90% of CIOs have been attacked or expect to be attacked by hackers hiding in encryption.

Source

 

17. Encrypted traffic attacks

50% of network attacks will use encrypted traffic by 2017.

Source

 

18. Keys and certificates are in the danger zone

85% of CIOs expect criminal misuse of keys and certificates to get worse.

Source

 

19. CIOs don’t have much confidence in their efforts

87% of CIOs believe their security controls are failing to protect their business.

Source

 

20. Security teams don’t know the extent of their BYOD risks

35% of security pros don’t know if mobile malware is present on their network, and 37% aren’t sure if a breach has occurred. Meanwhile, only 28% and 27% are adopting endpoint security tools or network access controls, respectively.

Source

 

21. Keys and certificates aren’t monitored

54% of businesses don’t know the location, ownership or use of their keys and certificates. If you’re not keeping track of what’s normal behaviour on your systems then how can you know when something is wrong? Similarly, without ownership of processes or products, who is going to be driving the security aspects?

Source


22. IT departments ignore their own protocols

45% of IT personnel have knowingly circumvented their own policies. Sure, it might be easier to ignore the Bring Your Own Device policy because you need to get some extra work done at home, but all it takes is one mistake to expose your entire network.

 

23. It’s an inside job

59% of employees steal proprietary corporate data when they quit or are fired. Disgruntled employees often feel a sense of ownership over projects or research they’ve been involved with, which can then go on to benefit rival businesses.

Source

“Almost half of European organisations believe that insider threats are now more difficult to detect, with senior IT managers being very worried about the things their own users can do with corporate data.” Andrew Kellett, principal analyst at Ovum

24. IT Pros fear more entry points as biggest risk of IoT

84% of IT professionals said that more entry points into the network was the most concerning security risk stemming from IoT devices in the workplace. Additionally, 68% said default passwords were also concerning.

Source

 

25. Business respondents believe employees pose the biggest risk

70% of business respondents think that employees are the biggest risk to the business – which can be down to things like a lack of education about security or poorly defined Bring Your Own Device policies.

Source

 

26. Majority of companies are ignoring print security

56% of companies ignore printers in their endpoint security strategy and do not see printers and hardcopy documents as an area of high risk.

Source

 

27. Yet unauthorised access is commonplace

An average of 44% of network-connected printers within organisations are insecure in terms of unauthorised access to data stored in the printer mass storage. This means that anything you or your employees have printed could be waiting for a hacker to reach in and steal.

Source

“Networked printers can no longer be overlooked in the wake of weakening firewalls to the growing sophistication and volume of cyber attacks.” Ed Wingate, VP & GM, JetAdvantage Solutions at HP, Inc.

Cost of cyber crime

Of course, the cost of cybercrime isn’t just the value of the data stolen. It’s the cost of recovery time; the cost that comes from an erosion of trust with established business partners; it’s the compensation payout to customers and it’s the reputational cost incurred that can act as a detriment to winning new business. The stats below help put this true cost into perspective.

 

28. Average global cost of cybercrime is rising

Due to our increased reliance on data and connectivity, the global cost of cybercrime will increase to $2 trillion by 2019.

Source

 

29. Breaches cost more than ever

There has been a 29% increase in the total cost of data breaches since 2013, with the average consolidated total cost of a data breach now estimated at $4 million.

Source

 

30. Average number of attacks per company, per year

Companies experience two successful cyber attacks per week, losing an average of $9.5m annually ($17m in the US).

Source

 

31. Cost of recovery

The mean number of days to resolve cyber attacks is 46 with an average cost of $21,155 per day – or a total cost of $973,130 over the 46-day remediation period.

Source

 

32. Cost of data stolen

The estimated average cost of each stolen record is $158. That’s every bank account, every password, every social account, every print job…

Source

 

33. Cost per certificate

86% of CIOs believe keys and certificates are the next big hacker marketplace.

Source

 

34. Backup and recovery

Advanced back-up and recovery reduces loss by $2 million annually.

Source


 

35. Information governance

Information governance reduces losses by $1 million annually, so there’s never been a better time to audit and control your data.

Source

 

Summary: start defending your weakest link

On the face of it, these stats don’t make pleasant reading.

Spending on cyber security has never been higher, yet the number of breaches continues to rise in both volume and cost.

IT security teams scramble to contend with the demands of a mobile millennial workforce who expect to bring their own apps and wearables into the office and display a worrying disregard for basic security protocols.

Meanwhile, the hackers get smarter. In 2017, expect to see a rise in the number of attacks using legitimate credentials and software and an increase in the targeting of social media and personal emails to bypass even the most locked down of network defences.

Even without such evolving threats, it’s clear that tracking the fast-rising number of new entry points into company networks is a major headache. But what about the entry points companies should know about and can take measures to control?

An average of 44% of network-connected printers within organisations are insecure in terms of unauthorised access to data stored in the printer mass storage. In many cases, this makes printers and multifunction printers (MFPs) arguably the weakest ‘known’ links in the security of a company’s IT operations right now.

So, one practical conclusion to come from this list is: if your organisation isn’t prioritising printers as a part of its comprehensive security policies, perhaps it’s time it should?
