A new report on cyber attack trends that combines information from a number of high-level sources has just been released, and it reveals a startling amount of cyber crime growth. The report revealed that cyber crime became a $45 billion industry in 2018, up tens of billions of dollars from the previous year.
The report from the Internet Society’s Online Trust Alliance (OTA) identifies trends by using data from sources including the Federal Bureau of Investigation, Symantec, security consultant Risk Based Security, the Identity Theft Resource Center and the Internet Society’s own internal data to create as comprehensive a picture as possible of the annual cyber crime market.
The current Cyber Incident & Breach Trends Report reveals that although overall incidents of cyber crime are actually down across the board, the financial impact is way up. The $45 billion stolen in 2018 alone accounts for over a third of the entire cyber crime take since 2013.
What the cyber attack trends report tells us
The report highlights both positive and negative impacts in 2018. Many of the most common types of attacks – ransomware, data breaches, and DDoS – were actually down in terms of overall count in 2018. But the financial damage done by many attack types was up significantly. Ransomware losses rose by 60% in spite of the downturn in overall incidents, business email compromise losses rose by a staggering 200%, and there were three times as many cryptojacking incidents.
One thing that all of this data on cyber attack trends suggests is that criminals are shifting from large-scale, indiscriminate attempts on lots of individuals to more focused attacks directed specifically at businesses that have significant resources. For example, businesses were targeted by ransomware 12% more frequently in 2018 and the losses to it shot up from about $2 billion to $8 billion in just one year. There was also a marked increase in ransomware attacks on government agencies. Business email compromise losses shot all the way from $677 million in 2017 to $12.5 billion in 2018. And exposed records were actually down by about five billion in total in the midst of all this, in spite of a number of huge breaches such as Marriott and the Indian national identity database.
Cryptojacking also surged by triple the 2017 amount, most likely driven by the record Bitcoin price spikes in the early part of of the year. Cryptojacking is a very appealing choice for cyber criminals as it’s more low-key and low-risk than other popular attack types, and it only involves gaining access to a company website to insert a script in order to immediately begin generating income. Given the low cost and relative ease, cryptojacking is expected to remain popular among cyber attack trends as long as cryptocurrencies hold significant value.
Another attack area that gained ground in a big way in 2018 was the supply chain attack, which went up 78%. Symantec estimates that about 5,000 websites per month were hit with attacks, which mostly targeted their shopping cart systems.
The report actually describes its own findings as conservative, given that it’s difficult to accurately determine the cost of certain attacks (such as DDoS downtime or the web of associated losses due to a data breach). Companies also show great reluctance to self-report their incidents, so the two million total cyber attacks and the $45 billion in losses that this report settles on may actually be an underestimation of the current scope of cyber crime costs.
Perhaps the most eye-catching number in the entire report is that 95% of these attacks were determined to be preventable.
Modern cyber attack readiness
The 2019 global internet report incorporates a good deal of readiness advice aimed at dealing with the current cyber attack trends.
A good first point of attention is the security status of various Internet of Things (IoT) devices connected to the company network, as well as the security state of any databases that are connected to the internet. These are two cyber attack trends that criminals are continually scanning the entire internet for, and will be located by a threat actor eventually. There is an unfortunate general lack of security consciousness in the manufacture of IoT devices, so diligence when sourcing them is the main way to address this issue. Database breaches are most frequently the result of a security misconfiguration at the user end, something that needs to be continually reviewed as updates and patches are applied.
To address credential stuffing, OTA suggests regular monitoring of breached passwords and email accounts using sites like HaveIBeenPwned and Pwned Passwords. Organizational password policy should follow current best practices, and users should be required to change their password if their email winds up on a breach list. Credential stuffing can also be defeated by limiting the number of allowed login attempts before access is frozen, and implementing multi-factor authentication (MFA).
For supply chain attacks, OTA recommends a “zero trust” policy for any third parties (or their tools) that have access to the network. Access should always be limited to only the absolute necessities, and regular penetration testing can help to identify vulnerabilities before they can be exploited.
In terms of general readiness, the biggest thing the cyber attack trends study stresses is fostering a culture of collective responsibility that identifies and promotes security. Tested response plans are also critical for the various types of cyber incident breach trends, and both data management practices and employee training need to be regularly reviewed.
The rapid rise of cyber crime
In an independent report, McAfee put the total estimated cost of losses caused by cyber crime in 2018 at $600 billion, or nearly 1% of the world’s GDP. A significant factor in this growth is the lowering of technical barriers of entry to interested criminals; ready-made phishing, ransomware and cryptojacking kits can be purchased for a trivial price from underground sources.
Regardless of the exact number, cyber crime is clearly lucrative and a major growth industry. The new reality of doing business online is keeping up with the criminals and securing against both established and emerging cyber attack trends.