Cyberattacks on enterprises rose 13% in 2021, according to Orange Cyberdefense's Security Navigator 2022 report (registration required). Unsurprisingly, it calls out ransomware as the biggest challenge for enterprises. However, it also says that there has been a “noticeable wave of attacks against mobile devices.”
The report runs to a meaty 96 pages and is drawn from the security events the company has recorded in the past year. Importantly, the company separates the number of security events (50 billion per day) from the number of potential incidents (94,806 across the year). It is an essential distinction as it gives a realistic view of the threats to businesses. Of the 94,806 potential incidents, only 36% were confirmed by analysts as being legitimate. However, that is 13% more than in the previous year.
Dominic Trott, UK product manager at Orange Cyberdefense, said: “After a challenging couple of years, with high-profile cyberattacks hitting the headlines like never before, we hope that this year’s Security Navigator can act as a guiding light for UK businesses working to enhance their security.
“Despite the number of unique cyber extortion threat actors growing by 12.5% this year, the number of UK-headquartered cyber extortion victims dropped by 8% over the same period. This can likely be attributed to the improvement and broader take-up of detection-centric security tools such as EDP, stopping potential cyber extortion incidents from becoming full incidents.
“However, security teams should by no means be letting their guard down as cybercriminals focus their efforts on exploiting vulnerabilities elsewhere. We’re proud to be able to share our deep knowledge and data-driven insights with business and security leaders to help them inform their investment decisions and make the choices that will best bolster their defences going into 2022 and beyond.”
Key numbers on the cyberattacks
Like many reports of this nature, it is full of numbers and statistics. The challenge is working out what they really mean for businesses. The most important one is that the billions of daily events came down to an average of just 94 legitimate incidents per day. It’s important because the numbers often used in these reports create fear rather than understanding.
So what were those confirmed cyberattacks? According to the report, they were categorised as follows:
- Malware: Ransomware and other malicious programs (38%)
- Networks and applications anomalies: IDS/IPS alerts and any attack on network traffic and applications (22%)
- Account anomalies: Brute force attacks, reused credentials, privilege escalation and living off the land (13%)
- System Anomalies: OS and driver issues (9%)
- Policy violations: Installing unsupported software or connecting unauthorised devices to the network (8%)
- Social engineering: Phishing, spoofing and other attempts to fool users (6%)
What is especially interesting about these verified incidents is the breadth of alerts that they are drawn from. Like all reports, they come from the vendor’s view across the industry. It means that it sees the wider attack chain and not just phishing attacks or certain types of malware.
It is also important to note that Orange Cyberdefense says it increased its customer base from last year and has included 48% more customers in this report. The report is unclear as to whether it has adjusted the number of incidents year on year to reflect that customer growth. If not, then on a per-customer basis the number of cyberattacks has actually declined.
A deeper dive into the numbers
Some of the changes in the numbers can be explained by the shift to remote working. For example, the increase in policy violations has affected small and large organisations. It is likely to be down to people using personal devices for work and the sudden shift to adopting cloud-based applications.
Another change Orange Cyberdefense noted in this report is the increase in social engineering attacks. It has been highlighted in reports from most security vendors. It is seen as cybercriminals looking to exploit the disconnect between employees now that they are all working remotely.
Of more interest is how malware has changed. The company reports that ransomware is up by 18% to 38% of all malware attacks. Other key trends include:
- A decrease in confirmed downloader activity (malware that downloads and runs other malware on affected systems) in November and December 2020 after the Trickbot botnet was taken down by law enforcement, and in January and February 2021, directly after Emotet was taken down;
- An inverse correlation between the stringency of Covid-19 lockdowns and the volumes of downloader and ransomware activity: the more stringent the lockdowns, the less of this activity, running contrary to the prevailing narrative that attacks increase when users work from home;
- Large organisations see more than double the number of confirmed malware incidents (43%) seen by medium-sized businesses.
Size of business and industry sector
Unsurprisingly, the size of a business determines how many attacks of each type it sees. The report shows a significant surge in malware directed at large enterprises and small organisations compared to medium-sized businesses. The latter have been less impacted by malware but have been subjected to other cyberattacks.
The primary attack on a medium-sized enterprise is focused on network and applications and account anomalies. The latter may well be linked to the surge in supply chain attacks that have become prevalent over the last two years. Medium-sized organisations are likely to be well connected to their larger customers and suppliers. Compromising them gives a cybercriminal a way into better-defended organisations.
There are also distinct differences in how attacks unfold in different industry sectors. For example, malware (33%) was the greatest risk in manufacturing. It is not alone. Retail and trade (23%) and hospitality (89%) also suffered a constant barrage of malware attacks.
In other industries, network and application anomalies rose to the fore. Healthcare and social assistance (66%), finance and business (39%), and transport and warehousing (40%) were among the worst-hit here.
What else is in the report
As already noted, this is not a small report and has a lot of information. One section that will interest many IT security teams is the one on signals. It is a list of signals or advisories that Orange Cyberdefense has published over the last year. In all, there were 558 advisories issued to customers, and the majority were about vulnerabilities.
Only 10 of the 558 advisories were classified critical. That’s a surprise and also good news. Over-classification is a real problem in the security industry. This low number will make it easier for customers to dedicate resources to dealing with each advisory. It also increases trust that a critical advisory describes a real risk for the organisation rather than a possible one. Other findings in this section include:
- Microsoft and Cisco are the two vendors around whom the most advisories have been issued
- Security vendors make up 10% of the advisories issued in 2021
- Advisories around Apple iOS have doubled in 2021, driven by highly skilled commercial and cybercrime groups
- The most common vulnerability in security products is remote code execution
- Mobile device attacks are on the rise across all operating systems
In a shot at the industry, the report looks at the problems created by the way vendors deal with vulnerabilities and patching. It says: “As a major product and services provider, we believe that we have an obligation to work with our vendor partners to improve this situation for ourselves and our customers. It is a moral and commercial imperative to us as an industry to show leadership and fundamentally contribute to a safer digital society.”
Enterprise Times: What does this mean?
The rise in cyberattacks is of little surprise. While a 13% increase year over year seems low compared to other reports, it is backed up by a very large number of events and incidents. That gives this report some authority compared to others. It also raises some interesting questions.
For example, why are so many vendors focused on phishing as the biggest issue rather than malware? Why are medium-sized organisations less likely to be targeted by malware? Why are vendors still not adopting a standardised approach to vulnerability reporting and patching? When will governments stop private companies offering to buy exploits and then hoard them?
This is an interesting report that deserves a good read.