What are the top 10 cybersecurity threats? Cybersecurity has been a widespread priority since the latter half of the ‘90s, when the dot-com boom brought the world online.
More than 20 years later, unprecedented events like COVID-19 pandemic contested elections, and spiking sociopolitical unrest have led to an explosion in the number and severity of cybercrimes over the course of just a few years. We’re likely to see security threats become more sophisticated and therefore more expensive over time: experts predict that the global costs of cybercrime will reach $10.5 trillion by 2025, up 15% from $3 trillion in 2015.
Is cyber risk on the rise?
Read our 2022 Cyber Risk Index Report to find out what businesses are worried about, how they’re protecting themselves, and what the future holds.
Download The Report
Proactive protection is the key to avoiding a cybersecurity attack. Take a look at what experts say are the top cybersecurity threats facing the world in 2023, and learn what you can do to protect yourself and your business from becoming targets.
Top 10 Cybersecurity Threats:
1. Social Engineering
Social engineering remains one of the most dangerous hacking techniques employed by cybercriminals, largely because it relies on human error rather than technical vulnerabilities. This makes these attacks all the more dangerous—it’s a lot easier to trick a human than it is to breach a security system. And it’s clear that hackers know this: according to Verizon’s Data Breach Investigations report, 85% of all data breaches involve human interaction.
New in 2023
In 2023, social engineering tactics will be a key method for obtaining employee data and credentials. Over 75% of targeted cyberattacks start with an email. Phishing is one of the top causes of data breaches, followed by the use of stolen credentials and ransomware. Phishing and email impersonation continue to evolve to incorporate new trends, technologies and tactics. For example, cryptocurrency-related attacks rose nearly 200% between October 2020 and April 2021, and are likely to remain a prominent threat as Bitcoin and other blockchain-based currencies continue to grow in popularity and price.
2. Third-Party Exposure
Cybercriminals can get around security systems by hacking less-protected networks belonging to third parties that have privileged access to the hacker’s primary target.
One major example of a third-party breach occurred at the beginning of 2021 when hackers leaked personal data from over 214 million Facebook, Instagram, and Linkedin accounts. The hackers were able to access the data by breaching a third-party contractor called Socialarks that was employed by all three companies and had privileged access to their networks.
New in 2023
In 2023, third-party breaches will become an even more pressing threat as companies increasingly turn to independent contractors to complete work once handled by full-time employees. Network access will continue to be a focus for criminal organizations: Hackers tapped into the U.S.’s Colonial Pipeline in April 2021 by acquiring compromised credentials and accessing a VPN that lacked multi-factor authentication, resulting in a $5 million Bitcoin payment to regain access.
According to a 2021 workforce trends report, over 50% of businesses are more willing to hire freelancers as a result of the shift to remote work caused by COVID-19. A remote or dispersed workforce will continue to present security challenges for organizations large and small.
Since COVID-19, the FBI has reported a 300% increase in cyberattacks. The study found that 53% of adults agree that remote work has made it much easier for hackers and cybercriminals to take advantage of people. A cybersecurity firm CyberArk reports that 96% of organizations grant these external parties access to critical systems, providing a potentially unprotected access route to their data for hackers to exploit.
3. Configuration Mistakes
Even professional security systems more than likely contain at least one error in how the software is installed and set up. In a series of 268 trials conducted by cybersecurity software company Rapid7, 80% of external penetration tests encountered an exploitable misconfiguration. In tests where the attacker had internal system access (i.e., trials mimicking access via a third party or infiltration of a physical office), the amount of exploitable configuration errors rose to 96%.
New in 2023
In 2023, the continued combined impact of the COVID-19 pandemic, socio-political upheavals and ongoing financial stress is likely to increase the number of careless mistakes that employees make at work, creating more exploitable opportunities for cybercriminals.
According to a Lyra Health report, 81% of workers have experienced mental health issues as a result of the pandemic, and 65% of workers say their mental health has directly impacted their work performance.
This strain will only exacerbate an existing issue: Ponemon Institute reports that half of IT experts admit they don’t know how well the cybersecurity tools they’ve installed actually work, which means at least half of IT experts already aren’t performing regular internal testing and maintenance.
4. Poor Cyber Hygiene
“Cyber hygiene” refers to regular habits and practices regarding technology use, like avoiding unprotected WiFi networks and implementing safeguards like a VPN or multi-factor authentication. Unfortunately, research shows that Americans’ cyber hygiene habits leave a lot to be desired.
Nearly 60% of organizations rely on human memory to manage passwords, and 42% of organizations manage passwords using sticky notes. More than half (54%) of IT professionals do not require the use of two-factor authentication for access to company accounts, and just 37% of individuals use two-factor authentication for personal accounts.
Less than half (45%) of Americans say they would change their password after a data breach, and just 34% say they change their passwords regularly.
New in 2023
Thanks to an uptick in remote working, systems protected by weak passwords are now being accessed from unprotected home networks, sticky note passwords are making their way into public coffee shops, and workers are logging in on personal devices that have a much higher chance of being lost or stolen.
Companies and individuals that don’t improve their cyber practices are at much greater risk now than before.
Surprisingly, IT professionals often have even worse cyber hygiene habits than the general population: 50% of IT workers say they reuse passwords across workplace accounts, compared to just 39% of individuals at large.
5. Cloud Vulnerabilities
One might think the cloud would become more secure over time, but in fact, the opposite is true: IBM reports that cloud vulnerabilities have increased 150% in the last five years. Verizon’s DBIR found that over 90% of the 29,000 breaches analyzed in the report were caused by web app breaches.
According to Gartner, cloud security is currently the fastest-growing cybersecurity market segment, with a 41% increase from $595 million in 2020 to $841 million in 2021.
While experts originally predicted an en masse return to the office, upticks in new COVID variants and breakthrough case rates have made this scenario increasingly unlikely—which means the increased threat of cloud security breaches is unlikely to wane at any point in 2023.
New in 2023
New developments in cloud security include the adoption of “Zero Trust” cloud security architecture. Zero Trust systems are designed to function as though the network has already been compromised, implementing required verifications at every step and with every sign-in instead of granting sustained access to recognized devices or devices within the network perimeter.
This style of security gained popularity in 2021 and is likely to see widespread adoption in the coming year.
6. Mobile Device Vulnerabilities
Another pattern caused by the COVID-19 pandemic was an uptick in mobile device usage. Not only do remote users rely more heavily on mobile devices, but pandemic experts also encouraged large-scale adoption of mobile wallets and touchless payment technology in order to limit germ transmission.
A larger population of users presents a larger target for cybercriminals.
New in 2023
Mobile device vulnerabilities have been exacerbated by the increase in remote work, which led to an uptick in companies implementing bring-your-own-device policies. According to Check Point Software’s Mobile Security Report, over the course of 2021, 46% of companies experienced a security incident involving a malicious mobile application downloaded by an employee.
Cybercriminals have also begun to target Mobile Device Management systems which, ironically, are designed to allow companies to manage company devices in a way that keeps corporate data secure. Since MDMs are connected to the entire network of mobile devices, hackers can use them to attack every employee at the company simultaneously.
7. Internet of Things
The pandemic-induced shift away from the office led over a quarter of the American workforce to bring their work into the home, where 70% of households have at least one smart device. Unsurprisingly, attacks on smart or “Internet of Things (IoT)” devices spiked as a result, with over 1.5 billion breaches occurring between January and June of 2021.
Combined with the average American’s less-than-stellar cyber hygiene habits, IoT connectivity opens a world of vulnerabilities for hackers. The average smart device is attacked within five minutes of connecting to the internet, and experts estimate that a smart home with a wide range of IoT devices may be targeted by as many as 12,000 hacking attempts in a single week.
New in 2023
Researchers predict that the number of smart devices ordered will double between 2021 and 2025, creating an even wider network of access points that can be used to breach personal and corporate systems. The number of cellular IoT connections is expected to reach 3.5 billion in 2023, and experts predict that over a quarter of all cyberattacks against businesses will be IoT-based by 2025.
While ransomware attacks are by no means a new threat, they’ve become significantly more expensive in recent years: between 2018 and 2020, the average ransom fee skyrocketed from $5,000 to $200,000. Ransomware attacks also cost companies in the form of income lost while hackers hold system access for ransom. (The average length of system downtime after a ransomware attack is 21 days.)
In a 2021 survey of 1,263 cybersecurity professionals, 66% said their companies suffered significant revenue loss as a result of a ransomware attack. One in three said their company lost top leadership either by dismissal or resignation, and 29% stated their companies were forced to remove jobs following a ransomware attack.
New in 2023
Ransomware attacks will persist and evolve as criminal organizations look to evade the OFAC block list and apply pressure tactics for payment. In fact, cybercriminals can now subscribe to “Ransomware-as-a-Service” providers, which allow users to deploy pre-developed ransomware tools to execute attacks in exchange for a percentage of all successful ransom payments.
Similar to legitimate software companies, cybercriminal groups are continually developing their tool kit for themselves and their customers – for example, to make the process of data exfiltration quicker and easier. Another trick that threat actors sometimes pull off is rebranding their ransomware, changing bits and pieces in the process.
According to Microsoft, 96.88 percent of all ransomware infections take under four hours to successfully infiltrate their target. The fastest malicious software can take over a company’s system in under 45 minutes.
5 Key Ransomware Statistics:
- Ransomware cost the world $20 billion in 2021. That number is expected to rise to $265 billion by 2031.
- In 2021, 37 percent of all businesses and organizations were hit by ransomware.
- Recovering from a ransomware attack cost businesses $1.85 million on average in 2021.
- Out of all ransomware victims, 32 percent pay the ransom, but they only get 65 percent of their data back.
- Only 57 percent of businesses are successful in recovering their data using a backup.
9. Poor Data Management
Data management is about more than just keeping your storage and organization systems tidy. To put things in perspective, the amount of data created by consumers doubles every four years, but more than half of that new data is never used or analyzed. Piles of surplus data leads to confusion, which leaves data vulnerable to cyber attacks.
Breaches caused by data handling mistakes can be just as costly as higher-tech cybersecurity attacks. In a 2018 case, Aetna was ordered to pay $17 million after mailing sensitive health information in the wrong type of envelope.
New in 2023
Due in part to the exponential explosion of data that’s taken place over the past decade, experts predict that 2023 will bring an increased shift away from “big data” toward “right data,” or an emphasis on storing only data that is needed.
To sort right data from unnecessary data, teams will increasingly rely on automation, which comes with its own set of risks.
Automated programs are like spiderwebs—a small event on one side of the web can be felt throughout the entire structure. And while the data processing itself relies on artificial intelligence, the rules and settings the AI is instructed to follow are still created by humans and are susceptible to human error.
10. Inadequate Post-Attack Procedures
Holes in security must be patched immediately following a cybersecurity attack. In a 2021 survey of 1,263 companies that had been targeted in a cybersecurity breach, 80% of victims who submitted a ransom payment said they experienced another attack soon after. In fact, 60% of cyber attacks could have been prevented if an available patch had been applied, and 39% of organizations say they were aware they were vulnerable before the cyber attack occurred.
New in 2023
One increasingly popular solution is the adoption of the subscription model for patch management software. “Patching-as-a-Service” products provide continuous updates and patches, increasing patch speed and efficiency. Automated patching also reduces the likelihood of patch vulnerabilities created due to human error.
Staying on Top of It All
Staying aware of and protecting against new cybersecurity threats as they appear can be overwhelming. With millions of hackers working around the clock to develop new attack strategies more quickly than companies can update their defenses, even the most well-fortified cybersecurity system can’t provide guaranteed protection against attacks.
That’s why it’s important to supplement your cybersecurity strategy with adequate insurance to ensure that, even if you are the victim of a successful attack, the damages won’t cripple your organization.
With comprehensive cybersecurity defenses and the safety net that insurance provides, you can rest easy knowing you’re as protected as you can possibly be.