Vulnerabilities in cybersecurity undermine systems and provide access to cybercriminals. Find the most recent data and facts regarding cybersecurity vulnerabilities that you should consider in 2023.
As a CISO, it’s your job to protect your organization’s data and assets from cyber threats. With the constantly evolving landscape of cybersecurity, it’s important to stay up to date on the latest trends and statistics in order to effectively plan and implement security controls.
In this blog, we’ll delve into a list of statistics that you should consider when planning your security strategy in 2023. From the increasing prevalence of ransomware attacks to the importance of keeping a close eye on your supply chain, these statistics will help you stay ahead of the curve and keep your organization secure. So, without further ado, let’s dive into the list of statistics that every CISO should know.
General Statistics
1. Over 25,000 vulnerabilities have been published in 2022.
The National Vulnerability Database (NVD) is tasked with analyzing each CVE once it has been published and provides CVSS scores for almost all known vulnerabilities. The number of vulnerabilities published increases each year, with 25,226 published in 2022. This is more than a 20% increase over the previous year.
Source: CVE Details
2. Insider threat incidents have risen 44% over the past two years.
External attackers aren’t the only threats organizations need to consider in their security planning. Malicious, negligent and compromised users are a serious and growing threat.
Source: Ponemon Institute, 2022 Cost of Insider Threats: Global Report
3. The average cost of a data breach in the United States is $9.44M.
For the 12th year in a row, the United States holds the title for the highest cost of a data breach, $5.09M USD more than the global average.
Source: 2022 IBM Cost of a Data Breach
4. Ransomware attacks grew and destructive attacks got costlier.
The share of breaches caused by ransomware grew 41% in the last year and took 49 days longer than average to identify and contain. Additionally, destructive attacks increased in cost by over $430,000 USD.
Source: 2022 IBM Cost of a Data Breach
Attack Surface Statistics
5. The number of connected devices is predicted to be over 75B worldwide by 2025.
Devices are everywhere and are shaping the way we work, talk, and engage with each other. Safeguarding corporate networks from the risks these devices may introduce has become increasingly difficult and complex for security teams.
Source: Statista 2022
6. The global attack surface grows every minute.
Every minute, 117,298 hosts and 613 domains are created, leading to a rapidly expanding global attack surface. Each of these contains a set of elements such as operating systems, frameworks, third-party applications, plugins, and tracking code – all potential entry points for an attacker.
Source: RiskIQ, Infographic – Evil Internet Minute 2021
7. Nearly 7 in 10 organizations admit they have experienced at least one cyber attack through an internet-facing asset.
Attack surface vulnerabilities give attackers their entry point. Nearly seven in ten (69%) firms have encountered a cyber-attack that originated with an unknown, unmanaged, or poorly managed internet-facing asset.
Source: ESG, Security Hygiene and Posture Management, 2021
8. The top assets impacted in breaches are web application and email servers.
Servers provide a useful venue for attackers to slip through an organization’s “perimeter” by using methods such as stolen credentials. Web application (56%) and mail (28%) servers account for the top two assets being impacted.
Source: 2022 Verizon DBIR
9. Supply chain was responsible for 62% of system intrusion incidents this year.
One key supply chain breach can lead to wide-ranging consequences, both for the company that experiences the breach and for the customers and other businesses that are affected by it. It is important for companies to take steps to protect their supply chain data and to have plans in place to respond to a breach if one occurs.
Source: 2022 Verizon DBIR
10. Three quarters of organizations breached claim the breach happened because third parties were granted excessive privileged access.
Researchers discovered that organizations do not perform the required security measures before granting third parties access to their data. 51% of firms said they did not thoroughly vet each third party’s security and privacy procedures before allowing them access to sensitive and personal data.
Source: Ponemon Institute, A Crisis in Third-Party Remote Access Security, 2021
11. Despite concerns about the security of the supply chain, comprehensive audits are conducted infrequently or never.
Auditing the supply chain for security risks is essential for protecting sensitive data, intellectual property, and reputation, and for meeting regulatory requirements. However, research shows that 39% of organizations conduct audits only every two years or even less frequently. Another 22% say they have never conducted audits of their supply chain.
Source: Ponemon Institute, 2022 Applied Risk: Architecting the Next Generation for OT Security
12. The average security team is responsible for over 165K assets.
Security teams may be responsible for managing a wide variety of assets including servers, laptops, desktop computers, mobile devices, network devices (such as routers and switches), and specialized security devices (such as firewalls, intrusion detection systems, and intrusion prevention systems).
Source: 2022 JupiterOne SCAR
13. Less than 1% of companies have more than 95% visibility into all their assets.
Identifying and managing an attack surface is no easy task for security teams. New ways of visualizing and prioritizing an organization’s attack surface are needed as environments become more dispersed due to the expansion of public-facing digital assets and increased use of cloud infrastructure.
Source: Gartner, Innovation Insight for Attack Surface Management, 2022
14. Organizations often discover 40% more assets than they thought they had when using an automated scanner.
Nearly one-third discovered sensitive data in a previously unknown location and 28% exposed previously unknown SaaS applications. Other exposed assets include misconfigured SSL certificates, weak encryption ciphers, code fragments, unknown third-party connections, and forgotten subdomains. All of these unknowns can add up to a lot of risk for an organization.
Source: ESG, Security Hygiene and Posture Management, 2021
15. 83% of organizations have experienced more than one breach in the cloud. 43% suffered 10 or more in the same time period.
Organizations struggle to obtain visibility into and control over access in their cloud architecture as their cloud footprint expands. As a result, there is also a higher chance of cloud data breaches.
Source: Ermetic, State of Cloud Security 2021
16. Misconfigurations, account hijacking, unauthorized access and insecure interfaces are the most commonly-cited cloud threats.
Organizations selected misconfiguration of the cloud platform as the top security threat to public clouds (68%)—an increase from third place in the previous year’s study. Unauthorized access (58%), insecure user interfaces (52%), and account takeover (50%) follow.
Source: CheckPoint, 2020 Cloud Security Report
Risk Prioritization Statistics
17. Fifty-two percent of all 10.0 vulnerabilities reported in 2022 H1 are likely scored incorrectly.
Research showed that 52% of all 10.0 vulnerabilities reported by mid-year 2022 are likely scored wrongly, suggesting that security teams that prioritize using only CVSSv2 scores may be misguided.
Source: Flashpoint, The State of Vulnerability Intelligence: 2022 Midyear Edition
18. Enterprises using risk-based vulnerability management will suffer 80 percent fewer breaches.
In order to decrease the likelihood of exploitation, risk-based vulnerability management assesses the actual risk level of each vulnerability, prioritizes the vulnerabilities accordingly, and mitigates them in that order. Businesses utilizing RBVM will experience 80% fewer breaches.
Source: Gartner, A Guide to Choosing a Vulnerability Management Solution
19. Only 2%-7% of published vulnerabilities are ever seen to be exploited in the wild.
Too many vulnerabilities exist for them all to be fixed instantly. According to prior research, firms are able to patch between 5% and 20% of identified vulnerabilities per month, while only a small portion (2%–7%) of publicized vulnerabilities have ever been exploited in the wild.
Source: FIRST
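As an added example (not from the original post or any of the reports it cites), here is a small Python sketch of the prioritization logic this section argues for: it ranks a constructed backlog by exploitation evidence, exposure and blast radius rather than by CVSS alone, and shows how much the patch set differs from a CVSS-only ordering. The weights and the placeholder CVE identifiers are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve: str               # placeholder IDs, constructed for this example
    cvss: float            # CVSS base score, 0.0 to 10.0
    exploited: bool        # evidence of in-the-wild exploitation (e.g. a KEV listing)
    internet_facing: bool  # affected asset is reachable from the internet
    assets: int            # number of affected assets in the inventory

def risk_score(v: Vuln) -> float:
    """Weight severity by the factors that actually drive breach likelihood (assumed weights)."""
    score = v.cvss / 10.0
    if v.exploited:
        score *= 4.0          # the 2-7% with known exploitation goes to the front
    if v.internet_facing:
        score *= 2.0          # exposure matters more than the raw score
    score *= 1.0 + min(v.assets, 100) / 100.0   # blast radius, capped at 2x
    return round(score, 3)

def prioritize(vulns, capacity):
    """Split the backlog into this month's patch set (at most `capacity`) and the rest."""
    ranked = sorted(vulns, key=risk_score, reverse=True)
    return [v.cve for v in ranked[:capacity]], [v.cve for v in ranked[capacity:]]

def cvss_only(vulns, capacity):
    """The naive ordering many teams use: highest CVSS first."""
    ranked = sorted(vulns, key=lambda v: v.cvss, reverse=True)
    return [v.cve for v in ranked[:capacity]]

# Constructed backlog: two top-scored CVEs on isolated hosts, two lower-scored
# ones that are actually being exploited.
BACKLOG = [
    Vuln("CVE-0000-0001", 9.8, False, False, 3),
    Vuln("CVE-0000-0002", 7.5, True, True, 40),
    Vuln("CVE-0000-0003", 10.0, False, False, 1),
    Vuln("CVE-0000-0004", 6.5, True, False, 200),
    Vuln("CVE-0000-0005", 8.1, False, True, 12),
]

if __name__ == "__main__":
    now, later = prioritize(BACKLOG, capacity=2)   # e.g. a 40%-per-month patch budget
    print("risk-based:", now, "deferred:", later)
    print("cvss-only :", cvss_only(BACKLOG, 2))
```

With a budget of two fixes, the CVSS-only ordering spends the whole month on the two isolated hosts and defers both actively exploited bugs.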
20. Threat feeds improve organizations’ security posture.
79% of respondents said threat data feeds are crucial to cybersecurity, and 55% of respondents say their organizations’ threat feeds help identify cyber threats. Threat feeds can provide fast data to mitigate and prevent threats and malicious activity. They increase preventative blocking to ensure better defense (63%) and reduce the mean time to detect and remediate an attack (55%).
Source: Ponemon Institute, The State of Threat Feed Effectiveness in the United States and United Kingdom
Remediation & Validation Statistics
21. Unpatched vulnerabilities were involved in 60% of data breaches.
60% of breach victims said they were breached through a known vulnerability for which a patch was available but had not been applied. An even higher percentage (62%) claimed they were not aware of their organization’s vulnerabilities before a breach.
Source: Ponemon Institute, Vulnerability Survey 2019
22. 80% of CIOs and CISOs say they have been shocked to discover that a patch or update they thought had been deployed did not actually update all devices.
Business divisions sometimes lack IT visibility and management due to silos. 80% of CIOs and CISOs discovered that a crucial update or patch they thought had been issued had not been applied to all devices, leaving the business vulnerable.
Source: Tanium, Global Resilience Gap Study
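The reconciliation check this statistic calls for, as an added Python example that is not from the original post or the Tanium study: it compares what a patch tool claims against what each endpoint independently reports afterwards, so a "deployed" job that left hosts on the old build shows up as a gap. Hostnames, job statuses and the version numbers are constructed for the example.

```python
# Constructed data: what the deployment console recorded for a hypothetical
# patch, and what each endpoint independently reported in the asset inventory.
EXPECTED_VERSION = "2.4.1"          # hypothetical fixed version of the patched component

DEPLOYMENT_CONSOLE = {              # job status as the patch tool reported it
    "host-01": "success",
    "host-02": "success",
    "host-03": "success",
    "host-04": "success",
    "host-05": "failed",
}
INVENTORY_REPORT = {                # version the endpoint itself reported afterwards
    "host-01": "2.4.1",
    "host-02": "2.3.9",              # tool said success, but the old build is still running
    "host-03": "2.4.1",
    "host-05": "2.3.9",
    # host-04 never checked in after the job
}

def version_key(version: str) -> tuple:
    """Compare versions numerically so that 2.10.0 sorts above 2.9.0."""
    return tuple(int(part) for part in version.split("."))

def find_patch_gaps(expected, console, inventory):
    """Return {host: reason} for every targeted host that cannot be confirmed as patched."""
    gaps = {}
    for host, status in console.items():
        reported = inventory.get(host)
        if status != "success":
            gaps[host] = f"deployment {status}"
        elif reported is None:
            gaps[host] = "no post-deployment inventory report"
        elif version_key(reported) < version_key(expected):
            gaps[host] = f"still running {reported}"
    return gaps

def claimed_coverage(console):
    """Coverage as the console alone would report it."""
    ok = sum(1 for s in console.values() if s == "success")
    return round(100.0 * ok / len(console), 1)

def confirmed_coverage(expected, console, inventory):
    """Share of targeted hosts independently confirmed at or above the expected version."""
    gaps = find_patch_gaps(expected, console, inventory)
    return round(100.0 * (len(console) - len(gaps)) / len(console), 1)

if __name__ == "__main__":
    for host, reason in sorted(find_patch_gaps(EXPECTED_VERSION, DEPLOYMENT_CONSOLE, INVENTORY_REPORT).items()):
        print(f"{host}: {reason}")
    print(f"claimed {claimed_coverage(DEPLOYMENT_CONSOLE)}% vs confirmed "
          f"{confirmed_coverage(EXPECTED_VERSION, DEPLOYMENT_CONSOLE, INVENTORY_REPORT)}%")
```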
23. Over 80% of security professionals claim they’ve postponed a patch to avoid disrupting the workplace.
More than eight out of ten (81%) respondents admitted that they had delayed implementing a critical security update or patch because they were worried about how it might affect their company’s day-to-day operations. In fact, more than half (52%) claimed to have done so more than once.
Source: Tanium, Global Resilience Gap Study
24. Only 38% of respondents claim their business is vigilant in assessing the efficiency of its security policies, despite 61% of respondents believing frequent testing is essential in an ever-changing threat landscape.
Continuous security validation or frequent security testing helps uncover security weaknesses caused by IT infrastructure changes and human errors and misconfigurations, according to 61% and 59% of respondents, respectively. However, only 38% say their organization is vigilant in testing the effectiveness of its security controls.
Documentation & Compliance Statistics
25. 73% of security professionals admit that security hygiene and posture management still depend on spreadsheets at their organization.
Security hygiene and posture management are essential elements of a robust security program. But that has become more challenging as the number of security tools has increased and environments have become more complex.
Source: ESG, Security Hygiene and Posture Management, 2021
26. 44% of firms say they are being asked for proof of cybersecurity as part of a request for proposal (RFP).
Proof of cybersecurity practices is becoming an expectation of vendors: 44% of firms say they are being asked for it as part of a request for proposal (RFP).
Source: ACA Key Trends and Forces Shaping Risk and Compliance Management in 2021
27. There has been a 45% increase in the cost of non-compliance since 2011.
While compliance with regulations like the Payment Card Industry Data Security Standard (PCI DSS), the Health Insurance Portability and Accountability Act (HIPAA), and the General Data Protection Regulation (GDPR) comes with a hefty price tag, the alternative is far more costly. A recent report finds that the cost of non-compliance is 2.71 times higher than the cost of compliance. Organizations lose an average of $4M in revenue due to a single non-compliance event.
Source: GlobalScape, The True Cost of Compliance with Data Protection Regulations
28. 44% of organizations say their top compliance management challenges are handling compliance assessments and undergoing control testing.
Rapidly changing regulations, an increasingly complex risk landscape, and a shift to new ways of working are just some of the challenges facing the compliance function today. Given the high penalties of non-compliance, security teams must stay abreast of regulatory changes, manage partner and vendor compliance, and even ensure that frontline staff are aware of regulations.
Source: MetricStream, State of Compliance Survey Report 2021