Top cyber security stats you need to know for 2021
Forewarned is forearmed
Bulletproof has released its Annual Cyber Security Industry Report 2021, where we look at the security challenges facing businesses in 2021 and discover what organisations can do to stay ahead of the hackers. In this blog we highlight 4 key findings from the report and explore what they mean for businesses’ security in 2021 and beyond.
What this stat really shows is that 14% of organisations don’t understand the very real risks their business will face in 2021. And with 33% of UK businesses admitting to losing customers after a data breach, it pays to take these risks seriously. It should be noted that the real figure will be much higher than 33%, as our experience shows that many businesses are unwilling to admit the full extent of a data breach, even in anonymous polls.
Hackers never stand still, and as we’ve seen in previous years, cyber threats will continue to increase in 2021 as technology naturally evolves. But there are additional challenges to factor in. The technological advances implemented in 2020 have provided boosts to remote working and productivity, but they’ve also introduced new vulnerabilities for hackers to exploit.
There’s also the human element to consider, as new technology and new ways of working introduce uncertainty and doubt into people’s security knowledge. Security awareness has already come on leaps and bounds in the past 5 years or so thanks to high-profile breaches, security vulnerabilities becoming brands in their own right (think Heartbleed, etc.), and increased compliance – most notably the GDPR and Cyber Essentials. The 2020 refresh of Cyber Essentials has made the scheme more accessible, which should not only help raise awareness, but also help raise the bar of cyber security across the board. That doesn’t mean, however, that the battle is over. Getting cyber security spending on the agenda for people, processes and technology is an ongoing struggle – something which we’ve talked about before.
As ever, the threat landscape never stands still – cyber security is an arms race of sorts, as proven by the fact that only 1.5% of malicious IPs we detected were in the top commercial and open-source threat intel feeds. Cyber criminals pivot around different IP addresses as new hacked machines become available for them to launch attacks from. Whilst commercial threat intel feeds remain a useful resource, this shows that they can’t be relied upon on their own. The solution for businesses looking to proactively block attacks and/or have helpful oversight of the threat landscape is to find a trusted security partner and build a collaborative working relationship. For example, Bulletproof has set up a large honeypot network that allows us to get real-world intelligence on the tools and methods hackers are using in the wild, which we use to enhance our MDR service, managed SIEM.
This alarming stat shows one thing: hackers continue to try these attacks because they continue to work for them. The use of default credentials is a theme that is sadly ever-present: organisations aren’t getting the basics right. The lack of simple – and I do mean simple – best practices like changing default credentials shows that it’s the fundamental basics that aren’t being met. This leaves an open door in your business for even the most casual, opportunistic hacker. Schemes like Cyber Essentials and more rigorous certification such as ISO 27001 can help – but compliance is only truly useful when you’re, well, compliant.
Our data shows that nearly 1 in 3 critical flaws found during penetration testing are down to outdated components. That’s down from being around 1 in 2 last year. So why the drop? Increased cloud adoption and homogenisation of underlying web technologies are the primary drivers behind this trend – something we cover in more detail in our 2021 annual report.
The fact that 1 in 3 critical vulnerabilities are still down to outdated components also paints another picture: one that’s a recurring theme right across the board, from our penetration testing engagements, to our Cyber Essentials compliance audits, to our MDR service, managed SIEM. And that is a lack of patching. Software and hardware vendors regularly release patches – fixes for security flaws that are inherent and, so it seems, unavoidable in all modern technology. Yet thanks to a combination of lack of process, lack of resources and lack of awareness, patching is still hard for any organisation to get right. And in a world where an unpatched Adobe product is just as critical as an unpatched Windows OS, this makes for varied opportunities for cyber criminals.
Be prepared
These stats point to a very clear instruction for staying secure in 2021: be prepared. Cyber attacks are only ever going to increase. The more you prepare, the easier it will be when (and it is a when, not an if) you’re attacked.
- Pen test regularly: carry out full penetration tests at least annually, and run vulnerability scans every month.
- Follow industry best practices: there’s no excuse for not getting the basics right – they’re best practices for a reason.
- Lean on a trusted security partner: work collaboratively and leverage their experience to help you get maximum security for minimum cost.
- Don’t treat compliance as a tick-box exercise: make compliance standards work for you by embedding security as a culture within the business.