Cybersecurity reports – Osterman Research
https://ostermanresearch.com
Insightful research that impacts organizations
Feed last updated: Mon, 10 Mar 2025 17:42:13 +0000

Cybersecurity Perspectives 2024: Enterprises Race to Defend Against Accelerated Pace of Emerging Threats
https://ostermanresearch.com/2024/05/24/scalevp-perspectives-2024/
Thu, 23 May 2024 22:38:29 +0000

Osterman Research announces the publication of a new white paper – Cybersecurity Perspectives 2024: Enterprises Race to Defend Against Accelerated Pace of Emerging Threats. This white paper was commissioned by Scale Venture Partners.

This is the eleventh year that Scale has produced this research (we’ve helped over the past three years, in collaboration with Everclear Marketing). The survey and report look at evolving threats and solutions, investment priorities for cybersecurity technologies and strategies (make sure you see the top 10 chart for this year and the changes from last year), and funding and buying patterns. The data is from senior-level decision-makers at organizations with 500 or more employees. AI has an increasing focus in this year’s research – as you would expect.

Key findings:

  • Data breaches increased, led by phishing and third-party attacks.
  • CISOs prioritised cloud infrastructure and data center security.
  • Attackers targeted AI models while security played catch up.
  • Security budget growth showed signs of slowing.
  • Market gaps found in software supply chain security and ADX. 

For details on how to get yourself a copy, please check out our portfolio.

2024 GRC Strategies, Teams, and Outcomes Report
https://ostermanresearch.com/2024/05/23/logicgate-grc-report-2024/
Thu, 23 May 2024 02:25:24 +0000

Osterman Research announces the publication of a new white paper – 2024 GRC Strategies, Teams, and Outcomes Report. This white paper was commissioned by LogicGate.

Governance, risk, and compliance is a team sport — in a league where no two teams look alike. This diversity in team structures, responsibilities, and program resources makes GRC benchmarking across organizations and industries challenging — and objectively evaluating your program strategy even more difficult.

To better enable GRC leaders with a clear understanding of what “good” GRC looks like, we surveyed 350 risk, cybersecurity, and compliance leaders worldwide about their program objectives, team structures, processes, and technology investments — and aligned responses to a maturity model to gauge their GRC program maturity and success. 

Key findings:

  • GRC is a collaborative undertaking across multiple teams.
  • All organizations have work to do to improve their GRC program maturity.
  • Organizations spend an average of 1% of annual revenue on their GRC program.
  • People and talent expenses represent 46% of the GRC budget.
  • Budgets are staying the same or increasing for 80% of organizations.
  • Using a single GRC software tool best helps with proactively managing risk. 

For details on how to get yourself a copy, please check out our portfolio.

Some thoughts on Perception Point’s 2024 Annual Report on cybersecurity trends and insights
https://ostermanresearch.com/2024/04/17/perception-point-annual-report-2024/
Wed, 17 Apr 2024 00:58:29 +0000

Perception Point recently published its 2024 annual report on cybersecurity trends and insights, reporting on data and trends seen from its data sets during 2023. You can get a copy from Perception Point (registration required).

There are some useful data points in the report. These stood out:

  • 20% illegitimacy rate
    1 in 5 emails are not legitimate. That is, 80% make good business sense within the workflow of a given individual; 20% don’t.
  • 70% of attacks are phishing; huge increase in BEC attacks
    Phishing attacks remain the most frequently observed threat type, at 70% within the Perception Point data. In the FBI’s data from 2023 – based on a different data set of incidents reported to the FBI’s IC3 unit – it was 34% phishing (299K phishing out of 880K total incidents). Perception Point also reported a massive increase in the number of BEC attacks it identified, to 18.6% of all attacks. Per the FBI data, BEC occurs less frequently but is significantly more costly than plain phishing attacks.
  • AI in email attacks
    “2023 was defined by the advances and widespread usability of generative AI … and its use in more intricate and deceptive malicious campaigns.” They even quote our report on The Role of AI in Email Security (which they co-sponsored).
  • Details on attacks against SaaS apps, such as Zendesk and Salesforce
    Perception Point protects users from threats, irrespective of where they come from. Email was the starting point. Collaboration and SaaS apps followed. The report dives into some of the forms that attacks against Zendesk and Salesforce take (among others), and why organizations need security protections over uploaded content and shared URLs via these services.
  • Hospitality sector under attack
    “Phishing attacks against the hospitality sector are often focused on stealing the Booking.com login credentials for a given hotel – so they can then access hotel profiles and acquire guest information, including emails, phone numbers, and financial details – for use in large-scale phishing campaigns.”
Some thoughts on the FBI Internet Crime 2023 report
https://ostermanresearch.com/2024/04/11/fbi-ic3-2023-report/
Thu, 11 Apr 2024 04:36:17 +0000

The FBI’s annual internet crime report for the 2023 year (PDF) was released last month. The report is based on data collected by the IC3 – the “Internet Crime Complaint Center” – run by the FBI.

Key takeaways from the 2023 report:

  • 40% of lifetime complaints received in the past four years (out of 23 years total)
    IC3 was established in May 2000 – so it has collected crime statistics for 23 years. Over those 23 years, the IC3 has received over 8 million complaints. In each of the last four years, the average annual number of complaints was around 800,000, meaning that 40% of total complaints over 23 years were received in the last four years. There was a significant jump from the year pre-covid (2019, 467K complaints) to the first year of covid (2020, 792K complaints).
  • $50 million BEC (business email compromise) incident
    The report includes an anonymized case study of a New York firm that suffered a $50 million BEC incident. Due to the rapid intervention of the FBI and its various units, $46 million of that was recovered. Overall, BEC incidents were the second most costly incident type reported to the FBI, at $2.9 billion.
  • Hardly anyone is reporting costly ransomware incidents to the FBI
    Only 2,825 complaints were reported, with losses pegged at $59.6 million, or just over $20,000 per incident. I thought the loss numbers would be higher. This is either due to underreporting of costly incidents or the non-existence of costly incidents (which seems out of place with other reporting).
  • Phishing incidents remain the most commonly reported crime type
    Out of 880,418 complaints in 2023, 298,878 were of the phishing / spoofing type (34% of total). This is a consistent pattern in the data reported to the FBI.
  • … but it’s not the most costly crime type that’s reported
    That title belongs to investment fraud (1st place, $4.6 billion), business email compromise (2nd place, $2.9 billion), and tech support scams (3rd place, $0.9 billion).
Some thoughts on SlashNext’s 2023 report on phishing
https://ostermanresearch.com/2023/11/15/slashnext-phishing/
Wed, 15 Nov 2023 04:10:42 +0000

SlashNext recently published its 2023 report on the State of Phishing. The data is from SlashNext’s optics into email traffic around the world, along with a survey of 300 cybersecurity professionals and hands-on research in the Dark Web.

Headline findings:

  • Malicious phishing messages have increased 1,265% in the 12 months from Q4 2022 to Q3 2023, with ChatGPT and malicious generative AI services a significant contributing factor.
  • SlashNext detected an average of 31,000 phishing attacks each day. This is an average number across the 12 months under investigation. What’s not disclosed is the baseline number of email messages sent each day that were subjected to SlashNext’s analysis. Globally, the number is around 350 billion emails sent each day, which makes 31,000 a mere 0.00000886% of the global total. But that’s an unfair calculation, because SlashNext doesn’t see all of those. If we assume that SlashNext has the optics to assess 1% of the total email traffic volume (3.5 billion emails), then it’s 0.000886%. However you cut it, phishing is a dangerous needle in a very, very, very, very large haystack, and the high percentage of phishing messages being BEC threats (68%) in that needle is very, very, very expensive to get wrong.
  • Key point – “AI chatbots (like ChatGPT) lowered the barriers to creating sophisticated BEC attacks and improved malware.” Be warned.
  • SlashNext explores the rise of multi-stage attacks, cross-channel attacks, the use of trusted services to host malicious content (e.g., SharePoint – and why that’s a problem), and dark web hijinks with jailbreak prompts and anonymizing wrappers for generative AI services.

Request the full report from SlashNext (25 content pages). Registration is required.

SANS report from 2021 on cybersecurity in OT/ICS
https://ostermanresearch.com/2023/11/10/sans-2021/
Fri, 10 Nov 2023 03:49:10 +0000

In August 2021, SANS published a report on cybersecurity in OT (operational technology) and ICS (industrial control systems) environments. The findings are based on a survey of 480 organizations in relevant industries.

Among many other things, respondents were asked if they’d experienced one or more security incidents involving their OT/ICS environment over the previous 12 months. 15.1% said yes. See the graph on page 8. On the next page, there are two additional graphs – the number of incidents in the past 12 months (with 42.9% saying “less than 10”) and an assessment of how disruptive the incidents were (with only 9.5% saying “no impact/disruption”).

We often use something we call “midpoint analysis” in creating averages. This means looking at the distribution of answers for the various answer options, and multiplying the midpoint of each answer option (e.g., the midpoint of “1 to 5 hours” is 3 hours) by the frequency with which the respondent said “that’s me.” If 25% chose the 1-5 hours answer option, then the contribution to the overall midpoint is 3 hours x 25%, or 0.75 hours. Once we’ve done this for the remaining 75% of respondents, we sum the contribution of each answer option to get the overall midpoint.

We ran this with the numbers for incidents and disruption in the SANS report – see below.

From the above, we’d state the following. For the 15.1% of respondents that suffered at least one security incident in the previous 12 months:

  • The midpoint number of incidents was 64.3 per organization.
  • The midpoint percentage of disruption was 32.1%, meaning that around one third of the affected process was disrupted or disabled.
  • This is equivalent to 20.65 incidents per year that are fully disruptive for some amount of time.

For anyone responsible for an OT/ICS environment, those are not numbers you want to see.

Abnormal’s report on the threats of generative AI
https://ostermanresearch.com/2023/10/31/abnormals-report-on-the-threats-of-generative-ai/
Tue, 31 Oct 2023 04:15:03 +0000

Abnormal Security, one of the sponsors of our recent report on The Role of AI in Email Security, has just published a complementary research report on how security leaders are responding to generative AI. This was an Abnormal-only initiative that we were not involved with. The research is based on a survey of 300 senior cybersecurity stakeholders at organizations of various sizes.

Key data points:

  • Overall, irrespective of the question asked by Abnormal, the vast majority of the security stakeholders who responded to the survey were concerned / worried / aware of and about the issues. Aside from a small minority of outliers, the threat of generative AI across multiple dimensions is widely felt.
  • Bad actors are already taking advantage of generative AI to create and disseminate large volumes of seemingly realistic email messages – but which are actually attacks. Beware.
  • “Email was the most common first step in data breaches even before generative AI came onto the scene, but this technology has clear potential to increase the volume, sophistication, and resulting effectiveness of email-based attacks” (page 6). As an alternative POV, it also has the potential to decrease the volume but increase the sophistication and resulting effectiveness by using greater targeting and choosing ‘the precisely best message thread to compromise.’ Under this scenario, messages become more pernicious because they are fewer and better hidden in normal message flows, as opposed to more voluminous because every cybercriminal and their hound dog decide to generate an avalanche of AI-refined attacks.
  • If AI is being used in a malicious way against your organization, you’re going to have to respond with “good AI” and fight AI with AI. This is the next mega theme in the cybersecurity arms race. Organizations without AI-powered email security solutions are playing a losing game – a theme we also highlighted in our report on AI in email security.
  • Respondents using an integrated cloud email security (ICES) solution were almost twice as confident as those using a secure email gateway (SEG) in the ability of their email security to detect if an attack is generated by AI. While Abnormal likes the directionality of the answer, they point out that given the capabilities of currently deployed ICES solutions, the percentages should be lower than they are.

Abnormal’s research on this topic is profiled in:

Nastiest malware 2023
https://ostermanresearch.com/2023/10/30/nastiest-malware-2023/
Mon, 30 Oct 2023 07:54:25 +0000

OpenText Cybersecurity published the 2023 version of its Nastiest Malware report (sixth year). There’s a press release and a report.

Key findings:

  • Ransomware (as a category of malware) tops the nastiest list in 2023, driven by ransomware-as-a-service (RaaS) business models. This aligns with our 2022 report on ransomware, in which we profiled the growing prevalence of RaaS as driving increases in ransomware attackers, attacks, and variants. In 2023, Cl0p has been particularly active.
  • Double / triple extortion designs are highly devastating to organizations, because even if there is a backup to restore data, the threat of the ransomware gang publishing stolen data forces many organizations to pay the ransom.
  • The press release says that “only 34% of businesses pay ransom, an all-time low.” In light of the double / triple extortion comment above, we had to think this one through. For it to be so low, the 71% of organizations that are not paying the ransom must do two things very well – firstly, have data backups to enable rapid and error-free restoration, and secondly, use strong data protection methods such as encryption so that any exfiltrated data is unreadable and won’t trigger “crisis communications and data compliance fines” (see the report for that line). With the way ransomware is going, organizations not doing both are asking for trouble.
  • The average ransom payment, when one is made, skyrocketed to $740K (in Q2 2023). In late 2021, the average was $167K. That’s a big change, and one that OpenText attributes to the wild success of Cl0p’s exploitation of customers using MOVEit Transfer.
When are major cybersecurity reports published each year?
https://ostermanresearch.com/2023/10/24/when-are-major-cybersecurity-reports-published-each-year/
Tue, 24 Oct 2023 00:07:41 +0000

There’s a whole bunch of insightful annual reports on cybersecurity published each year. They follow a general cadence, as below:

  • SonicWall’s cyber threat report – mid February to mid March
  • Crowdstrike’s global threat report – mid to late February
  • Verizon’s data breach investigations report – mid May to early June
  • IBM Security’s cost of a data breach – last week of July
  • Trend Micro’s midyear cybersecurity report – increasingly in August