Was 2022 a Cybersecurity Trendsetter for 2023 and Beyond? Let's Hope Not!
First, many of us know the 2022 data breach headlines (e.g., Copper Mountain Mining, Mizuno, Intrado, Rackspace, T-Mobile, and a long global list of public and private sector organizations). But what businesses need to ask is HOW these attacks happen and what we can do to avoid them. This is where our job as business risk managers comes in: to clearly convey the actions cyber criminals take to compromise digital assets, and what we need to do to protect our organizations and be resilient (protect, detect and recover) in the face of attack.
Let's start by using ransomware as the "Badness-o-meter" of cybersecurity, that is, using the pervasiveness and impact of this economic crime as the measure of whether our industry's effectiveness is improving or declining. We often don't know whether, or how much of, a ransom was paid. In some cases, as with Colonial Pipeline in 2021, we do know: a $4.4 million ransom was paid. Paying a ransom is an extreme failure of resilience, preparedness and readiness. Let's not forget that top threat actors are very well funded, and in many cases attackers research an organization beforehand to understand what it is able to pay, so that the amount the extortioner demands is one the victim is likely to pay.
We do know this: the share of organizations globally that were victimized by ransomware rose slightly to 66% in 2022 (an increase of 3% over 2021). 68% of those victims paid the ransom in 2022, a decrease of 19% from 2021. That is an important improvement, but almost seven of every ten is still very high.
16% of organizations have been hit three or more times with ransomware, which points to a lack of cybersecurity fundamentals and hygiene in those organizations, along with a failure to take the remedial steps needed to avoid becoming a repeat victim. Of those attacked, 56% lost revenue, 50% lost customers and 43% suffered significant loss of reputation and credibility.
What we clearly see in 2022 are larger individual attacks than ever before. In 11% of ransomware attacks the extortion demand exceeded $1 million, and the average ransom for the full year was $220,298. The ransom payment itself, however, is minuscule compared to the average recovery and impact cost of a ransomware breach: $4.54 million in 2022, down just slightly from $4.62 million in 2021.
Global ransomware damage costs (again, not the ransom amounts themselves) are expected to reach $265 billion annually by 2031, a figure comparable in size to one of the world's 50 largest national economies.
Lastly, according to the World Economic Forum (WEF), "by 2025, it's estimated that 463 exabytes of data will be created each day globally – that's the equivalent of 212,765,957 DVDs per day!" As more data is produced and the value of that data (often measured as "cost per record" in breach studies) climbs, we can only expect more bad actors to target it: every additional record an organization stores is one more that can be stolen, leaked or held for extortion. As has often been said, data is the new oil.
Though some of these statistics are moving in the right direction, the increasing sophistication of cybercriminals, who are now adding Artificial Intelligence (AI) to their existing arsenal of zero-day exploits and social engineering attacks, is absolutely alarming. Research firm Cybersecurity Ventures predicts that by 2031 there will be a new ransomware attack every 2 seconds (compared with one every 11 seconds in 2021) as ransomware perpetrators continue to refine their malware payloads and related extortion activities.
Furthermore, operational attack surfaces and attacks targeting privacy and PII are growing, mainly because millions more IoT, IoMT and IIoT devices are coming online (some estimates put the total above 50 billion devices globally by 2030), and because countless organizations now operate in hybrid fashion (cloud and on-prem) with a largely remote workforce in the aftermath of the pandemic.
In a future blog, we will discuss some common themes we see occurring with even more frequency or velocity in 2023, along with how to prepare for these developing trends and some proactive cyber strategies to implement this year that will help.
If you want to properly assess your cybersecurity program in 2023 against business risk, please contact us. Just email jvigorito@