With high-level Cybersecurity breaches in the news, such as MGM, Caesars, and Clorox, this Cybersecurity Awareness Month has gotten a little too spooky for businesses. To keep cyber attackers away, we’ve compiled a list of real-world cybersecurity statistics (Tricks) along with recommendations (Treats) on how your business can avoid getting spooked this Halloween.

Trick: 90% of employees who admitted undertaking a range of unsecure actions during their work activities knew that their actions would increase risk to the organization and undertook the actions anyway.

(Gartner)

• Treat: Entity-wide cybersecurity awareness training programs and anti-phishing campaigns are paramount. Regularly educating workforce users to be vigilant against warning signs is a critical factor in preventing human-enabled vulnerabilities that attackers look to exploit. Detailed policies and procedures should be updated at least annually and distributed to all employees to review and sign off on.  A mature control environment enforced from the top down will help ensure that less risky actions are taken during the decision-making process.

Trick: 68 % of business leaders feel their cybersecurity risks are increasing.

(Accenture)

• Treat: A cybersecurity risk assessment should be performed at least annually to keep up with the evolving threat landscape and help identify new or unmitigated risk areas. A significant number of organizations do not perform cyber risk assessments regularly or at all and, as a result, are unaware of their critical vulnerability risk areas that need addressing. For publicly traded companies, performing a cyber risk assessment is no longer suggested. It is required per the new SEC Cybersecurity Disclosure Rules.

Trick: 43% of cyber-attacks target small and medium-sized businesses (SMBs), of which 60% will go under 6 months after a cyber-attack.

(National Cyber Security Alliance)

• Treat: Many SMBs often have the mentality of “they won’t come after us; they want the big fish.” But cybercriminals are looking for the easiest targets. SMBs are less likely to dedicate adequate resources toward cybersecurity risk management, which makes them easy targets for attackers to wreak havoc.

Trick: The average ransomware payment continues to rise, estimated at $800,000, and the average cost of a ransomware recovery is nearly $2,000,000.  Ransomware damage costs are expected to exceed $265 billion USD annually by 2031.

(IBM)

• Treat: Ransomware attackers typically penetrate information systems by tricking users into clicking phishing links, compromising user credentials, or exploiting known system vulnerabilities. Research has found that nearly a third of all malware (which is approximately 94% distributed via e-mail) being discovered is ransomware-intended, which can cause significant disruption in key infrastructure. The best ways to help combat these attack vectors are through stringent access controls, security awareness training programs, and formalized patch management programs to ensure that information systems are running on the most up-to-date supported versions.

Trick: Around 20% of companies that pay the ransom were not able to recover their data after the payment was made.

(VEEAM)

• Treat: Companies should keep in mind that it’s not always worth it to pay the ransom. Companies should invest in strong data backup practices, including testing the recoverability of data and maintaining immutable backups (offline). It may be cheaper in the long run to rebuild than paying the ransom. Disaster recovery plans should include recovery point objectives (RPO) – the amount of data that companies are willing to lose and recover time objectives (RTO) – the maximum amount of time for restoring data, networks, and applications, after a disaster or attack. Companies should be mindful not to ‘reinfect’ their environment with a restoration. Backups should be restored within a sandbox or test environment prior to pushing to production to make sure the backup data was not infected by the attack (using the latest backup may include malware or other infected data).

Trick: The annual cost of cybercrime will likely increase by 15% ever year until it hits $10.5 trillion in 2025.

(World Economic Forum)

• Treat: It is projected that cyber-attacks will occur every 11 seconds. Everyone and every organization is a potential cybercrime victim, but you can mitigate the risk and impact of a cyber-attack by understanding your threat landscape and having detailed incident response and disaster recovery plans, in addition to solid access and monitoring controls. Performing regular assessments against industry standards and frameworks like NIST-CSF, MITRE ATT&CK, and CIS will aid in defining your identification and response plan and hardening security configurations currently in place.

Trick: 54% of SMBs do not use multi-factor authentication (MFA) for their business. Of those that have the option to use MFA, only 28% of SMBs require its use. More than half of super admins don’t have MFA enabled.

(Cyber Readiness Institute)

• Treat: MFA drastically mitigates the risk of unauthorized access via compromised user credentials. However, due to the increased sophistication of cybercriminals, organizations should now avoid using SMS (i.e., text messaging) as a one-time code authentication factor when utilizing MFA to access information systems.

Trick: 90% of security leaders think their organization is falling short in addressing cybersecurity risk.

(Foundry)

• Treat: Organizations in which the Board, Audit Committee, and senior executives prioritize cybersecurity trends have fewer security incidents and lower breach costs. Allotting an adequate budget to IT and Information Security is a critical governance step towards creating a secure control environment.

Trick: More than 77% of organizations do not have an Incident Response plan.

(cybintsolutions)

• Treat: An Incident Response Plan (IRP) is one of three critical pillars within the Crisis Management suite of policies; with the other two being Disaster Recovery (DR) and Business Continuity plans (BCP). While DR and BCP help get systems back and running and help continue operations in the event of an outage, the IRP should be established as a plan to respond to and limit the risk of negative consequences. Testing the IRP with the necessary stakeholders is often an overlooked step and can be the difference between the IRP being effective or ineffective when put into use during a crisis.

Trick: Almost 70% of applications contain at least one vulnerability after 5 years in production, and 90% of all common vulnerabilities and exposures (CVEs) uncovered could be exploited by attackers without any technical skills.

(Astra)

• Treat: A formalized patch management program is the best way to help ensure that all information systems are kept up to date with the latest security. With a stronger emphasis often placed on patching workstation operating systems; patches to applications, servers, and firewalls are often overlooked and present an easily exploitable vulnerability for attackers.

Trick: 53% of companies have experienced a third-party data breach in the past year. 50% of organizations don’t monitor third parties with access to sensitive and confidential information.

(Ponemon Institute)

• Treat: Establishing and maintaining a robust vendor management program is a key consideration for mitigating vendor-related risks. This may include the establishment of a vendor risk management policy for onboarding and monitoring vendors, vendor risk ratings, compliance with internal control reports and SLAs, and requirements for the completion of cybersecurity validations. Assigning an “owner” of the vendor management program is also a key differentiator between successful and ineffective vendor risk management functions. Companies should conduct regular security audits, review SOC 2 reports, and perform an annual performance review of their third-party vendors and require them to implement comprehensive security measures to protect sensitive data.

Trick: In 2023, it is projected that there will be a shortage of 3.5 million cybersecurity professionals globally.

(Cybersecurity Ventures)

• Treat: Centri Can Help. At Centri, our IT risk and cybersecurity advisory services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our advisory experts work alongside your senior leadership to help understand your current needs and align them with the right solutions. Please contact us for more information or to explore how our expertise in cybersecurity risk management aligns with the specific needs of your company.

About Centri Business Consulting, LLC

Centri Business Consulting provides the highest quality advisory consulting services to its clients by being reliable and responsive to their needs. Centri provides companies with the expertise they need to meet their reporting demands. Centri specializes in financial reporting, internal controls, technical accounting research, valuation, mergers & acquisitions, and CFO and HR advisory services for companies of various sizes and industries. From complex technical accounting transactions to monthly financial reporting, our professionals can offer any organization the specialized expertise and multilayered skillsets to ensure the project is completed timely and accurately.

For more information, please visit www.CentriConsulting.com