Year 2021 in review

2021 is coming to its end and it’s time to take a closer look at what just happened in the world of cybersecurity. Since the COVID-19 pandemic started, the way we work has changed to an unprecedented degree and we had to adjust quickly. Taken together, the last two years raised the cyber threat bar significantly, and what we actually experienced is equally distressing and frightening.

2021 in numbers

Even though 2021 was dominated by phishing and ransomware, it is still worth checking how the numbers changed.

  • Healthcare data breach costs rose from an average total cost of $7.13 million in 2020 to $9.23 million in 2021, a 29.5% increase (IBM)
  • Personally identifiable information (PII) was the most common type of record lost ($180 per record), included in 44% of breaches (IBM)
  • Compromised credentials were the most common initial attack vector, responsible for 20% of breaches (IBM)
  • Breaches through supply chain attacks increased from 44% to 61% (Accenture)
  • Average time to identify and contain a data breach: 287 days. The longer identification and containment took, the more costly the breach was (IBM)
  • 80% cost difference between organizations with security AI and automation fully deployed and those without it (IBM)
  • Hybrid cloud had the lowest average total cost of a data breach ($3.61m, 28.3% lower than public cloud), compared to public, private and on-premises models (IBM)
  • On average 270 attacks (unauthorized access to data, applications, services, networks or devices) per company over the year, an increase of 31% compared to 2020 (Accenture)
  • Average total cost of a ransomware breach: $4.62m (IBM)
  • 10% increase in the average total cost of a breach from 2020 to 2021 (IBM)
  • Remote working and digital transformation due to the COVID-19 pandemic increased the average total cost of a data breach by $1.07m (IBM)

“Security is not my priority” (startup CTO)

This could have been one of those (not so) funny famous last words; unfortunately it wasn’t (not the last, at least not yet...).
After recovering from the initial shock, we realized that it’s somewhat understandable, at least for startups (still, "Ignorantia juris non excusat"). Time pressure (and various other pressures) from the board and investors may still produce such statements, and they may well represent the actual state of security and privacy in the organization.

One of the key issues we see is that the CISO or equivalent (if the role exists or is affordable at all) is still not included in planning, operations and overall decision making, and in some cases lacks the trust, real mandate and budget from their superiors. As much of a cliché as it is, you can't make a silk purse out of a sow's ear.

Some of our experiences

  • Security by Design and Zero Trust are still buzzwords. We can confirm that the former is gaining ground, but it remains a minority practice; the latter is still in a “yet to come, then we’ll see” phase.
  • Lack of time (and resources)
    • lacking support and mandate from leadership and management
    • once the security backlog grows, security gets gradually deprioritized; apart from a few urgent tickets that get solved (often with ugly workarounds), the rest waits for time, dedication and support from leadership and management
    • good will and intention are present in almost all kinds of organizations, but...
  • Tooling
    • successful sales cycles from vendors, but poor customer care / customer success afterwards → wrong or missing internal introduction → lack of proper internal knowledge and training → reports and alerts are full of false positives and get ignored → the problem stays
    • slowly there is a tool for everything (complex all-in-one or powerful ones, often hard to use), but nothing can replace manual and semi-automated checks and tests
  • Legacy and unpatched IT systems and applications all over the spectrum
  • SecDevOps is mostly still DevOpsSec, with security bolted on at the end (in better cases some internal team wins the responsibility as a “project” and is then left alone with it)
  • Awareness, education, training, campaigns and checks are either completely missing, outdated or easy to pass (from employee/user interviews: “oh no, not again, let me copy XY’s answers”)
  • Companies often crave some sort of quick clearance through a paper or document (even a certification) without proper internal resource allocation or investment in change
  • 2FA / MFA: one would expect that these days it is present and enforced everywhere. It is still NOT enforced and, more shockingly, in many cases not even present
  • Usability (user friendliness) vs. security / privacy: as we all know, these two do not always go hand in hand, and where the security function is underrepresented, pressure from Product wins, increasing existing risks or introducing new ones

To finish our look back with something positive

  • the average code quality we had the chance to see during audits (architecture reviews, code reviews, pentests etc.) shows improvement
    (the reasons vary from skilled developers and well-chosen tools and libraries to security-conscious middle management)
  • founders and senior management (aka C-level) are more and more open to allocating part of their budget to security / privacy, increasingly before an incident rather than as a reaction to it

Disclaimer: parts of this article are our subjective, experience-based opinion; they do not fit all company types and sizes and are not meant to represent our existing customers.

Örs Apor Horváth
Founder, CEO of OR Security
