In recent weeks, ransomware, an already familiar menace in the security threat landscape, made an even bigger splash with the May 2017 WannaCry attacks, which crippled and terrified organizations all over the globe. In the wake of WannaCry, organizations are looking for additional ways to stay safe from these types of threats. As with any major IT initiative, executive buy-in is critical, and security and resiliency are key to any successful business. Below are 10 real-life information security statistics from 2017 to help you build a business case for improving your security footprint.
98% of WannaCry victims were running Windows 7
According to Kaspersky Lab, about 98% of the WannaCry ransomware victims were running Windows 7. As of April 2017, 48.5% of Windows users worldwide were on Windows 7. Originally, it was believed that outdated Windows XP systems helped spread the WannaCry worm; however, the number of affected XP machines turned out to be insignificant. The lesson is not that a current operating system fails to help: Windows 7 was still a supported OS, and Microsoft had shipped the fix for the SMBv1 flaw WannaCry exploited (MS17-010) in March 2017, two months before the outbreak. The victims were machines on which that update had not yet been applied. Running a supported OS, while important, isn't enough on its own; patches have to be applied promptly, and legacy protocols such as SMBv1 should be disabled wherever they aren't needed.
10%: the share of their time security professionals spend on employee education (IDC)
Security awareness training is often the first line of defense against cyber-crime. Phishing scams and poor passwords are the major entry points for ransomware and other data leaks.
65% of companies said they don't enforce their password policy (Ponemon Institute)
A password policy that is written down but never enforced does nothing. If accounts are allowed passwords with no minimum length, no complexity requirement and no check against known-breached passwords, your organization is at significant risk. Since people often reuse the same password in multiple places, data thieves can take a password exposed in one breach, such as the LinkedIn credentials that surfaced in 2016, and try it against other sites (credential stuffing). Phishing and other social engineering attacks can likewise get around technical security measures by targeting a specific employee, and a weak password only makes the resulting intrusion easier. One caveat for anyone writing a policy today: current guidance (NIST SP 800-63B, 2017) favors minimum length and screening against breach lists over forced periodic expiry, which mostly pushes users toward predictable variations of the same password.
In 2016, LinkedIn confirmed that 117 million account credentials, taken in its 2012 data breach, had surfaced online.
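As an added example (not from the original article), the following Python shows what "enforcing" a password policy looks like in code rather than in a document: a minimum length, plus a check that rejects passwords seen in earlier breaches and their trivial variants (case changes, a swapped digit or symbol suffix), which is exactly how reused and leaked credentials get back into your environment. The leaked-password list is constructed for the example; a real deployment would load hashes from a breached-password feed instead.

```python
"""Added example: a password policy that is enforced in code.

Checks performed:
  * minimum length (length matters more than forced symbol/number rules)
  * rejection of passwords seen in earlier breaches, compared by SHA-1 of a
    normalised "stem" so that 'Password1', 'PASSWORD1!' and 'password' all
    collide with a leaked 'password1'

The breach corpus below is constructed for the example, not real data.
"""
import hashlib
import re

MIN_LENGTH = 12

# Constructed sample of leaked passwords (stand-in for a real breach feed).
CONSTRUCTED_LEAKED = ["linkedin", "password1", "Summer2016", "qwerty123"]


def normalise(password: str) -> str:
    """Lower-case the password and strip a trailing run of digits/symbols.

    Users typically "rotate" a leaked password by changing case or bumping a
    year or symbol at the end, so the stem is what we compare on.
    """
    stem = password.lower()
    return re.sub(r"[\d!@#$%^&*]+$", "", stem)


def _sha1_hex(value: str) -> str:
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


def build_breach_index(leaked_passwords) -> set:
    """Index leaked passwords by SHA-1 of their normalised stem.

    Storing hashes means the policy code never carries the plaintext corpus.
    """
    return {_sha1_hex(normalise(p)) for p in leaked_passwords}


BREACH_INDEX = build_breach_index(CONSTRUCTED_LEAKED)


def check_password(password: str, breach_index=BREACH_INDEX) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if _sha1_hex(normalise(password)) in breach_index:
        problems.append("matches (or is a trivial variant of) a breached password")
    return problems


if __name__ == "__main__":
    for candidate in ["Summer2017!", "LinkedIn2016!!", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that "Summer2017!" is rejected even though it never appeared in the constructed breach list: the stem "summer" matches the leaked "Summer2016", which is the reuse pattern the paragraph above warns about. The policy deliberately has no expiry rule, in line with the NIST guidance mentioned above.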
40% of all spam email carried ransomware (CNBC)
This ties into the importance of educating employees on identifying shady or fraudulent emails. Check out this short video on how to identify phishing scams, which you can share with your employees as a quick intro or reminder.
92% of surveyed IT firms reported attacks on their clients (Datto via The Atlantic)
Many companies turn to managed services as a way to increase security, and this stat is not a knock against that notion. While backend systems often gain a security boost when moved to the cloud or to an MSP, data thieves are still getting in through phishing and social engineering. Many of these attacks are successfully defended, and being backed by a service provider can help you quickly identify and deal with any attack that does get inside. Another recent study found that intrusions often go undetected for months, which shows the importance of having proper monitoring in place to catch these threats early.
70% of businesses paid the ransom in a ransomware attack (CNBC)
With individual ransomware demands often being low (the average cited is about $1,000), many companies choose to pay and get back to work. While it might seem like a small amount, it's still money, and time, off your books, and paying offers no guarantee that the data comes back or that the attackers' way in has been closed.
70% of millennials admitted to bringing outside applications into work in violation of IT policies (Wired)
Oh, those pesky millennials. According to Forbes, millennials (those born between 1982 and 2004) will represent 75% of the workforce by 2025. Millennials in the workforce are often seen as rule breakers compared to older generations. For IT, this shows up as shadow IT: employees using devices and apps not approved by IT. One of the main concerns with shadow IT is security, since sensitive company information can find its way onto servers you don't control (think consumer file sharing, private email, etc.).
78% of people claim to be aware of the risks of unknown links in emails, yet click on them anyway (Barkley)
What? There's an issue with my PayPal account!? I'd better click this unknown link immediately to see what's wrong! The majority of employee-caused security breaches are indeed innocent mistakes, and IT teams need to keep educating employees as often as possible on the dangers of phishing and other email scams. Check out this blog article for more employee information security statistics and training tips.
1 million Gmail users were affected by a sophisticated phishing scam
In the grand scheme of things, 1 million Gmail users might not sound like a lot when it comes to affecting your business. However, this stat again shows the sophistication of today's attackers. Google goes to great lengths to secure its email platform, and the May 2017 campaign didn't need to break into it: victims received what looked like an invitation to a shared Google Doc, and clicking through asked them to grant a malicious third-party app OAuth access to their mail and contacts, which the app then used to send itself onward. No platform security stops a user from authorizing the attacker directly, which is why this belongs in the phishing column rather than being counted as a breach of Google.
Target paid $18.5 million to 47 states in a settlement for the 2013 data breach (NY Times)
And that's not counting the $202 million in breach-related costs Target has reported since the start of the fiasco, in which 40 million customer payment card numbers were stolen. Part of the settlement also requires Target to strengthen its security measures, which will ultimately mean more money. On top of all that, its CEO stepped down amid the scandal. This all goes to show the steep price a company may pay for poor security practices.