ISACA® recently published State of Cybersecurity 2021, Part 2: Threat Landscape, Security and Cybersecurity Maturity, the second part of its annual cybersecurity report. Now in its seventh year, the report enables ISACA to poll its target audience and report the survey findings. Admittedly, I expected greater fluctuations in this year’s reports, given data collection occurred amid a global pandemic. That was hardly the case, however, with findings largely representative of years past. Whenever appropriate, ISACA continues to showcase multiyear data to aid trending—a feature I hope readers also find useful.
As with any product, the output is only as good as its input, and readability is especially important when the target audience is global. And while questions are reviewed, honed and/or culled as necessary, report findings may reveal conflicting data, as was the case in State of Cybersecurity 2021, Part 1: Global Update on Workforce Efforts, Resources and Budgets.[1] Part 1 indicated that prior hands-on cybersecurity experience is the single greatest factor in determining whether a cybersecurity candidate is qualified, yet the largest specific gap reported within the workforce is not technical, but rather soft skills (figure 1).[2]
Figure 1—Candidate Qualifications
Source: ISACA®, State of Cybersecurity 2021, Part 1: Global Update on Workforce Efforts, Resources and Budgets, USA, 2021.
The use of artificial intelligence (AI) continues to permeate enterprise operations year after year, with ISACA reporting a 4% increase from the previous year. Additionally, a higher percentage of survey respondents answered the AI questions substantively (i.e., did not answer with “not applicable” or “don’t know”). The declining number of those who chose not to answer AI questions offers promise and indicates that calls for better cooperation and information sharing across the cybersecurity industry are being taken seriously. Enterprises are cautioned against falling into the trap that any form of AI will solve all enterprise human resource woes. After all, technologies often do not replace personnel, but rather shift the types of skill sets that are needed in the workplace, which, in this case, would necessitate skills in algorithm design, monitoring and audit.
The 2021 report data highlighted a significant course change with regard to cyberattacks. Specifically, after 3 consecutive years of decline in the share of respondents experiencing more attacks, the share who reported that their enterprise experienced more cyberattacks than in the previous year increased by 10%—its highest increase since 2018. It is noteworthy that more than 4 in 10 respondents indicated that threat actors did not take advantage of the pandemic to disrupt organizational activities. Given that survey respondents’ confidence in their abilities to detect and respond to cyberthreats remained consistent between 2020 and 2021, a lingering question remains: What happened?
One plausible explanation is that respondents have become increasingly open about their security operations, reinforced by several declines in those who prefer not to answer certain questions in this year’s survey. This, coupled with a 44% increase in responses,[3] increases reporting confidence. Alternatively, 2020 saw a major rise in ransomware attacks. To say it was prolific is an understatement; ransomware attacks skyrocketed 485% between 2019 and 2020.[4] More intriguing in many regards is the finding that more than 64% of 2020 ransomware attacks occurred in the first half of the year.[5] Further, between the fourth quarter of 2020 and the first quarter of 2021, the average ransom payment jumped 43%.[6]
Ransomware incidents have only escalated in 2021. Colonial Pipeline lingered in the headlines for the ransomware attack it suffered, its corporate decision to shut down fuel operations and its payment of a US$4.4 million ransom. US law enforcement officials later recovered roughly half the ransom payment.[7][8]
No enterprise or industry is immune to a ransomware attack and the ill-advised practice of paying the ransom demands may simply be fueling the cycle and encouraging larger-scale attacks. Damage is no longer isolated to the enterprise alone, as ransomware attacks increasingly sever supply chains and disrupt economic prosperity.
Cybercriminals have historically prospered in low-risk, high-reward behaviors in cyberspace, in large part due to gaps in detection capabilities and, at least in the United States, shortfalls in legislation. If anything, the onslaught of cybersecurity incidents has heightened awareness and action by lawmakers.
When it comes to cybersecurity incidents, industry reporting affirms ISACA respondent survey data pertaining to detection and response confidence. For a reporting period that largely overlaps the data collection period of ISACA’s 2021 State of Cybersecurity report, FireEye Mandiant analysis revealed improvement in incident detection rates.[9] The time it takes to recognize an attacker in your network is shrinking. This metric, also called dwell time, is reportedly 24 days globally.[10] Dwell time for ransomware attacks was much shorter than that of non-ransomware attacks. This makes sense: inaccessible files quickly draw employee attention, and in a ransomware attack the perpetrators usually notify the attacked enterprise promptly to demand the ransom.
BlackFog expects cybercrime damages to reach US$6 trillion[11] by year’s end—double what they were in 2015. This amount does not account for the human capital costs of employee turnover caused by burnout among those charged with incident response and recovery efforts. As security operation costs rise with increased incident and recovery efforts, consumers are likely already paying for cybercrime indirectly, as those costs are passed along through higher prices for goods and services.
Conclusion
While no digital asset is impervious to vulnerabilities, enterprises can no longer be passive. When was the last time your enterprise communicated its risk appetite? How often does it conduct risk assessments? Are data classified and protected accordingly? Is your backup strategy appropriate? Do you really test disaster recovery plans? Behavioral changes are most likely to be successfully implemented when modelled by senior leadership. Words and action must align.
Endnotes
1 ISACA®, State of Cybersecurity 2021, Part 1: Global Update on Workforce Efforts, Resources and Budgets, USA, 2021
2 Ibid.
3 The State of Cybersecurity 2020 survey received 2,051 responses, compared to 3,659 responses to the 2021 survey.
4 Bitdefender, 2020 Consumer Threat Landscape Report, Romania, 2020
5 Ibid.
6 Freedman, L.; “Coveware Q1 2021 Report Shows Increase in Ransomware Payments Over Q4 2020,” The National Law Review, 6 May 2021
7 Bogage, J.; “Colonial Pipeline CEO Says Paying $4.4 Million Ransom Was ‘the Right Thing to do for the Country’,” The Washington Post, 19 May 2021
8 Macias, A.; C. Wilke; “U.S. Recovers $2.3 Million in Bitcoin Paid in the Colonial Pipeline Ransom,” CNBC, 7 June 2021
9 FireEye, M-Trends 2021 Report, USA, 2021
10 Schwartz, M.; “Attackers' Dwell Time Plummets as Ransomware Hits Continue,” BankInfoSecurity, 3 May 2021
11 BlackFog, The State of Ransomware in 2021, USA, 5 July 2021
Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CPI, CySA+, PMP
Is a senior information security practice manager in ISACA’s Content Development department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA® departments as a subject matter expert on information security projects and leads author management teams whenever external resources are necessary. Brandt is a highly accomplished US Navy veteran with more than 25 years of experience spanning multidisciplinary security, cyberoperations and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe.