Not to be outdone by the unprecedented cybercrime wave in the wake of 2020’s pandemic-driven shift to the cloud and remote work, 2021 managed to etch itself into the annals of cybersecurity history as an inflection point for reasons both good and, well, let's face it: not so good.
To be sure, the bad of 2021 has been really bad. We have never seen so many data breaches, ransomware attacks, and phishing attacks, and the financial carnage of those attacks was record setting. For the first time, the cybersecurity insurance industry has buckled under the strain of so many payouts to customers as well as to their own ransomware attackers. Ah yes, ransomware: many experts, like Dan Lohrmann, have called 2021 the Year of Ransomware, what with the headline-grabbing attacks that paralyzed critical infrastructure like oil and meat production at Colonial Pipeline and JBS, respectively.
To end 2021 on a decidedly bah-humbug note, hackers gave us a lump of coal in our stockings in the form of the Log4j vulnerability and its exploit, widely cited as the worst vulnerability in recent years. And yet, 2021 does offer reason for holiday cheer.
The good of 2021 is pretty good. Cybersecurity is entering the popular consciousness. CISOs are becoming rock stars. Cybersecurity has never received so much media attention, board-and-executive level focus, VC/PE investment, or spending; and that’s having a positive effect on innovation and risk management.
Security budgets and infosec teams are flourishing in response to the threat. Unprecedented Executive Orders to improve security standards have been issued by the President. And record-shattering private equity and venture capital investments continue to break new ground and drive innovation to new heights. And let’s not forget that in 2021, authorities had some big wins in taking down some major bad guys and getting some of that bitcoin loot back from their ransomware extortion schemes.
Indeed, 2021 has had some silver linings. And they point to light at the end of 2021’s dark cybercrime tunnel. Here is a rundown of the Cybersecurity Year in Review 2021.
How the Log4j vulnerability stole Christmas—but left some great memes. We wrote extensively on Log4j here, but repercussions from the vulnerability and its remote code execution exploit are anticipated to come in waves. The next wave is expected to be far worse than the relatively benign first wave of cryptomining exploits we’re seeing now. The Cybersecurity and Infrastructure Security Agency (CISA) ordered federal civilian agencies to apply patches before Christmas. Meanwhile, juggernaut tech companies like IBM, Cisco and VMware are burning the midnight oil to fix Log4j vulnerabilities in their products. The only upside to the timing and seriousness of Log4j is the excellent memes that have flooded in to relieve the tension and provide some gallows humor.
Cybercrime is a growth industry. While organized cybercrime syndicates and hostile state actors are advancing their illicit industry, sometimes working together to do so, and often masterminding the big attacks like Log4j, the tools of their trade are now so democratized that even tech-illiterate criminals can pull off sophisticated heists using phishing kits, ransomware-as-a-service, exploit kits, and so on. Cybercrime-as-a-service is like a home meth lab kit. It gives anyone anywhere with criminal intent, no matter how otherwise dumb they are, the means to pull off a complex, lucrative robbery at little expense or risk.
The year of ransomware. Ransomware became the hottest topic for media, business, insurance, and government alike in 2021. Some estimates point to a doubling in ransomware attacks in 2021 over 2020. Many recall the Big 3 ransomware attacks of 2021: Colonial Pipeline, JBS, and the supply chain ransomware attack on Kaseya. The organized cybercrime group REvil demanded a record $70 million ransom from Kaseya (much of which the FBI retrieved), and they extorted $11 million out of JBS; they also demanded $50 million ransoms from the computer manufacturers Quanta and Acer in April and May, respectively. One of the biggest US insurance groups, CNA, paid $40 million of a $60 million ransom demand in March. Final numbers aren’t available, but reported payouts have been so massive that they might actually top earlier projections by Cybersecurity Ventures that ransomware will cost global businesses $20 billion in 2021, jumping 5-fold from $4 billion in 2017 (and 15-fold since 2015). They project the ransomware global toll will swell to $265 billion by 2031.
Don’t forget BEC, because ransomware is far from the top cyber threat. According to the FBI, C-suite imposter attacks, usually known as Business Email Compromise (BEC) or CEO attacks, remain the kingpin of cybercrime. Other forms of phishing attacks, like spear phishing and credential harvesting, also top the FBI’s list, and have likewise flooded inboxes in record numbers in 2021.
Data breaches through the first nine months of 2021 already exceeded all of 2020, according to the Identity Theft Resource Center. According to a study by Coro, mid-sized businesses are as much as 490% more likely to experience a security breach by the end of 2021 than they were in 2019, as per a story in VentureBeat.
Email attacks. Remember that virtually all attacks, even ransomware, begin with an email. For example, the latest incarnation of the Emotet botnet, the undead king of malware, is potentially a ransomware super spreader.
Venture capital and private equity spending in the cybersecurity space has broken one record after another. Cybersecurity Ventures reported in December that they’ve tracked more than $23 billion in venture capital investment into cybersecurity companies in 2021, and the funding rounds are reaching new heights. More than 30 cybersecurity companies raised $200 million or more in 2021.
Cybersecurity startups in the first half of 2021, according to Momentum Cyber, got $11.5 billion in total venture capital financing, up from $4.7 billion during the same period in 2020.
The largest private equity IT transaction of 2021, not just in cybersecurity but in IT overall, was the private equity purchase of McAfee at $20.25 billion. That edged Microsoft Corp.'s $19.80 billion acquisition of Nuance Communications Inc. for IT activity, which was followed by private equity firm Thoma Bravo LP's $12.37 billion addition of cybersecurity powerhouse Proofpoint Inc. (source: S&P Global).
Global spending on cybersecurity is expected to exceed $150 billion in 2021. Cybersecurity companies' valuations are skyrocketing to $524.1 million on global average, and their stocks are smoking hot.
Security budgets are ballooning as well, as companies invest in their own cybersecurity capabilities. In the Deloitte 2021 Future of Cyber Survey, 75% of respondents with over $30 billion in revenue said they’ll spend over $100 million on cybersecurity.
Booming job market. The skills gap and talent shortage in infosec jobs, in the face of surging talent demand, has raised salaries in the cybersecurity space rapidly. It’s also raised the profile of the CISO, who has gone from cloistered in the data room to widely accepted in the board room as a core voice in strategic business growth and risk management. IT professionals with cloud computing, cybersecurity, analytics and big data, and AI and machine learning skills are red-hot commodities. According to VentureBeat, experienced IT professionals in these fields are commonly offered 25%-30% or more over their base salary, a signing bonus, and stock options.
The White House issued the Executive Order on Improving the Nation’s Cybersecurity in May, engaged in some heated confrontations with cyber-hostile state actors, and supported high-profile initiatives with the private sector to raise the national security standard. Change leadership comes from the top down.
Zero-trust has been on the tip of everyone’s tongue following the SolarWinds supply chain attack that grabbed headlines in early 2021. This broad-sword approach to solving the human-error problem of data breaches has appeal as a blanket solution and is evolving with new technology providers, but it is not without controversy.
Cyber insurance was rocked to its core in 2021. Read our article here, but basically many of the big players are no longer taking on new insurance customers, as the cyber insurance industry became unprofitable due to escalating costs. Ransomware is cited as the biggest concern to the industry, which is taking double-barrel hits for paying off customer ransoms as well as paying off their own insanely high ransoms, as CNA did for $40 million.
Reports by Cybersecurity Ventures say that total cybercrime costs global businesses and individuals $6 trillion (yes, trillion) annually. And the Ponemon Institute reported in October that their latest numbers show the cost of phishing has skyrocketed.
The most recent projections by the Ponemon Institute report that the average loss by companies to phishing in 2021 is $14.8 million, more than triple what it was in 2015. That translates to hundreds of billions of dollars in total losses from phishing attacks to global businesses. Read the top 10 costs of phishing in 2021 here, and be amazed at the cumulative effect it has had on cyber insurance.
Threats will continue to worsen and develop. Good thing Hoxhunt is designed to evolve along with them.
The hybrid work environment is here to stay. So is the pandemic-accelerated global shift to the cloud. Those seismic digital shifts opened rifts through which legions of malicious actors have blasted innumerable cyber-attacks.
And yet somehow it keeps getting lost in the cybersecurity conversation that 90% of breaches start with an email.
Hackers target people. To stem the tide of breaches at their greatest point of risk, solutions must target people, too.
Hoxhunt worked overtime in 2021 to improve our training experience and lower enterprise risk of email breaches with updates and new products.