In 2022, the average cost of a single data breach was $4.35 million, according to IBM’s Cost of a Data Breach Report. And most organizations—more than 83%—reported experiencing more than one breach.
The increased connectivity of the digital world means greater security vulnerabilities and cyber risk. Remote and hybrid work arrangements, increasingly sophisticated attackers, creative social engineering, and a rise in the number of passwords people use have all contributed to more cyber attacks. And the results can be costly.
Organizations that are ill-prepared or lacking in security and risk protocols will find themselves paying a hefty price both in reputation and financial loss. The U.S. Federal Bureau of Investigation (FBI) estimates total losses from U.S.-based cybersecurity attacks exceeded $10.3 billion in 2022.
While it’s nearly impossible to prevent all cyber attacks, your organization can reduce cyber risk by ensuring it’s prepared for the most common types of attacks.
No. 1: Compromised passwords / credentials
Compromised credentials are the most common cause of data breaches, according to IBM. These attacks come with a hefty average cost of $4.5 million and the longest life cycle of any cyber attack, totaling approximately 327 days for organizations to identify and contain the breach.
Brute force attacks, where attackers use automation to try a variety of symbol and letter combinations to guess credentials, are a common method of finding passwords, but attackers may use a variety of other techniques. (Of course, when the number one global password is “password” followed by “123456” it takes less than one second for an attacker to crack the code.) Once attackers have credentials, they can access private company data, systems or networks.
No. 2: Social engineering and phishing
Social engineering—perhaps one of the oldest methods of conning people—occurs when hackers manipulate victims into divulging sensitive personal information, clicking bad links, visiting dangerous websites or taking other actions with negative consequences. These types of attacks rely on human trust and error, and unfortunately, humans remain the weakest link in cybersecurity attacks. Social engineering is a simple but effective attack, and bad actors continue to evolve more sophisticated ways to manipulate employees.
Today, phishing is one of the most prominent forms of social engineering with an estimated 84% of organizations reporting at least one successful phishing attack in 2022. During a phishing attempt, the attacker will reach out via email, phone call (vishing), or text (smishing), claiming to represent a legitimate institution like a bank, utility or credit card company. The victim might be asked to click on a link that will install malware or reveal personal information (i.e. credentials or financial information) that the attacker can use for nefarious purposes.
In 2022, phishing was the number one type of cyber incident reported to the FBI’s Internet Crime Complaint Center.
No. 3: Internet-facing services
Internet-facing services, which include cloud services, applications, websites or services accessible over the internet, are increasingly vulnerable to cybersecurity attacks. In 2023, 38% of executives said they expect more serious attacks via the cloud, according to PWC. Hackers will use these points of access in an attempt to obtain sensitive data or launch attacks on organizations. The use of vendors and third-party suppliers also put organizations at risk for internet-facing services.
No. 4: Supply chain attacks
By 2025, 45% of organizations worldwide will have experienced attacks on their software supply chains, a three-fold increase from 2021, according to Gartner. As digital business requires an increasingly complex ecosystem of third-party systems, organizations are growing more concerned about the growing cybersecurity risks introduced by both third parties and vendors. However, only 6% of companies report full visibility on their supply chain, according to Zippia.com.
Each partner in these ecosystems can act as a vector for bad actors if their organization is compromised. The more partners, the more potential vectors. IBM reported 19% of surveyed companies said they were breached as a result of a supply chain compromise.
No. 5: Man-in-the-middle attacks
The aptly named man-in-the-middle attack happens when an outside attacker intercepts and essentially eavesdrops on company interactions—including the exchange of personal information—via unsecured traffic or unencrypted messages/data.
In certain types of man-in-the-middle, the attackers will manipulate or change the information before sending it on. For example, in a financial institution, this type of attack could be used to siphon off funds to an illegitimate account. These attacks are common on unsecured Wi-Fi and can be an issue for remote employees as attackers, for example, can intercept messaging between the sender and the VPN gateway to capture any sensitive company information being shared (i.e. credentials, IP, etc).
No. 6: SQL injection attacks
This is a type of cyber attack specifically targeting Structured Query Language (SQL) databases. These databases are popular with organizations because they are highly scalable, flexible and efficient, and handle large amounts of data. However, attackers can inject malicious SQL statements, which the applications database then executes. This enables the attacker to bypass authentication measures and gain access to the database. The attacker can then modify, delete or use the accessed data.
In 2017, hackers used malware and phishing emails to gain access to the U.S. Securities and Exchange Commission’s database to view, alter and steal non-public financial information.
No. 7: DDoS
A distributed-denial-of-service (DDoS) occurs when an attacker floods an organization’s server with many requests from different devices and sources to overwhelm the system and create a slowdown or shutdown. Attackers use these to extort money or paralyze a business and make it unavailable to legitimate customers. Due to the multiple points of attack, they can be challenging to shut down.
In 2022, hackers launched a DDoS to temporarily take down the customer-facing sides of several U.S. airports. Note: A similar attack with just a single or limited number of attackers is called a denial-of-service (DoS) attack.
No. 8: Malware
The term malware (aka malicious software) includes a variety of cyber attacks including ransomware, viruses, Trojans, worms and others. The software can access organizations’ systems through email attachments, file-sharing networks or unsecured networks. Once the software gains access it can steal data, disrupt operations, or even take control of devices to use other DDoS attacks.
The most well-known malware attack in the past few years was WannaCry, which used a type of ransomware that rapidly spread around the world causing widespread disruption by ransoming important organizational data, including that of the U.K.’s National Health Service.
No. 9: Ransomware
Ransomware, a type of malware, uses malicious software to encrypt a target’s data and demand payment under the threat of sharing it publicly or deleting it—hence “ransoming the data.” As data plays a critical role for modern companies—often its most valuable asset—the inability to access data can be catastrophic for organizations in terms of business continuity, reputation, loss of personal employee or customer data, and security.
For some organizations, such as hospitals or medical facilities, bad actors holding sensitive patient data hostage can be hugely impactful as the hospitals need to delay care or send patients elsewhere. These types of attacks are growing increasingly popular.
In 2022, 76% of organizations were targeted by a ransomware attack with 64% of those organizations falling victim to the attack, according to ProofPoint’s 2023 State of the Phish Report. Unfortunately, even if organizations pay the ransom, there’s no guarantee they’ll be able to recover the data. The report estimated only half were able to retrieve the ransomed information, which can have devastating, long-term effects on an organization.
The future of cyber risk
In our connected digital world, cyber attacks are not a matter of “if”—they are a matter of “when.” Organizations, regardless of size, industry or geography must look for ways to reduce cyber risk.
Thwarting common cyber attacks is key, but security and risk leaders need to also think about emerging risks and trends in cybersecurity. Cyber-physical attacks, essentially cyber attacks that spill over into the physical world, are an increasing concern for organizations.
For example, in 2021 hackers accessed customer data from IT firm Kaseya and demanded $70 million for its return. The attack had wide-ranging physical consequences including 800 closed Swedish grocery stores, New Zealand schools that were knocked offline and more than 1,000 affected businesses. This means organizations must make monitoring potential physical threats alongside known cyber risks a top priority.
Other emerging cyber trends, including human-centric security design, address the 95% of cybersecurity issues that can be traced back to human error (i.e. social engineering, weak passwords, etc). Additionally, many security and risk teams are looking to consolidate security vendors to improve their security posture.
AI platforms that can surface cyber risks and critical events in real time—in combination with response teams and strong incident response plans—will improve organizations’ ability to identify and contain cyber attacks and significantly reduce cyber risk. While it’s unlikely that security and risk teams will be able to thwart every cyber attack, addressing both common and emerging cyber risks will go a long way in protecting the organization, minimizing disruption and strengthening business resilience.
Learn how organizations like yours can realize these benefits with Dataminr Pulse for Cyber Risk. Powered by Dataminr’s leading AI platform, Pulse for Cyber Risk provides real-time, actionable cyber risk intelligence.
