The Week in Breach: How much is the average ransom? $130K? Really? Really.

Money Makes the World Go Round

Cybercriminals love ransomware because it’s got a stellar risk/reward ratio, and everyone involved in the scheme gets paid handsomely – even a freelancer in a ransomware attack will profit. Major gangs like REvil actively solicit smaller gangs, referred to as affiliates, to do their dirty work. Those affiliates pay on average 20% of their take to the parent gang.  They’ll be responsible for running everything about the operation from planning to execution, while the parent gang typically supplies the tech and can assist in obtaining introductions and resources if needed. The affiliates hire freelancers through dark web forums and gather resources from dark web data markets and dumps.

How Much Money Are We Talking About?

• Ransomware demands are up by more than 40% in 2021
• On average, social engineering attacks cost $130,000 
• The average ransomware payment in the third quarter of 2020 was $233,817
• The cost of ransomware incidents worldwide is expected exceed $265 billion by 2031.
•  Pricing for cyber insurance is up by 56% in the US and 35% in the UK. 

At the root of many damaging cybersecurity incidents, you’ll find phishing. In fact, 90% of incidents that end in a data breach start with a phishing email. Researchers at leading organizations have been sounding the alarm about phishing forever, but many organizations still fail to really take the threat seriously to their detriment. As phishing rates worldwide continue to climb, escalating risk for devastating cyberattacks like ransomware and business email compromise, there’s a new impetus for businesses to fight back against phishing.

While it may not seem like it on the surface, phishing is a complex hazard for businesses to navigate. One reason for that complexity is that phishing is a rapidly evolving area of cybercrime. The bad guys are always trotting out new scams. In fact, researchers at the University of Maryland estimate that cybercriminals launch a new cyberattack like phishing every 39 seconds. These statistics offer a starting point when considering the way that phishing impacts the business world right now.

Phishing Quick Hits 

• 94% of malware is delivered by email.
• More than 80 % of reported security incidents are phishing-related
• 40% of phishing messages aren’t caught by conventional security or a SEG
• One-fifth of employees in a 2020 survey fell for phishing tricks and interacted with spurious emails
• 45% of employees click emails they consider to be suspicious “just in case it’s important.” 

Social Engineering Powered by Abundant Dark Web Data 

Bad actors use all sorts of psychological tricks to lure their victims into the number one type of social engineering attack: phishing. These attacks are typically powered by abundant dark web data. About 60% of the data on the dark web at the beginning of 2020 could be used to harm businesses and more than 22 billion new records have been added including 103 GB in this year’s RockYou2021 dump. Socially engineered phishing attacks use that data to lure employees into opening dodgy emails, clicking suspicious links, handing over passwords, downloading sketchy attachments and engaging in other unsafe behaviors that can put your business at risk of damaging disasters.

• Socially engineered cyberattacks are just under 80% effective.
• Over 90% of successful data breaches are rooted in social engineering.
• More than 70% of IT professionals say they’ve experienced employees falling for a social engineering attack.

How Can Businesses Reduce Data Breach Risk from Phishing?

With the world operating remotely during the pandemic lockdowns last year, email volume skyrocketed. An estimated 306.4 billion emails were sent and received each day in 2020, triple the average increase of past years. That figure is expected to continue to grow steadily as companies continue to grapple with the implications of the ongoing pandemic and virus variants that could lead to long-term remote work becoming the norm. If email volume continues to trend the way that experts expect, it is estimated to reach over 376.4 billion daily messages by 2025. How to mitigate?

Step Up Security Awareness Training  

In a UK study on companies running phishing simulations, researchers discovered that 40 – 60% of their employees are likely to open malicious links or attachments. However, after about 6 months of training, the percentage of employees who took the bait dropped 20% to 25% – and after 6 months more training, the percentage of employees who opened phishing messages dropped to only 10% to 18%. A solution like BullPhish ID empowers companies to choose either expert-crafted plug-and-play security awareness training campaigns or fully customized lessons to fit their unique industry needs.

Strip the Power from a Phished Password

Even the best trained and most aware employees make mistakes – the single biggest cause of all cybersecurity incidents including data breaches will always be human error. But you can prevent an employee’s mistake in giving up their password to a scam from unleashing an expensive disaster for your business just by adding multifactor authentication, which stops 99% of password-based cyberattacks, using a dynamic identity and access management multitool.

Get More Help in the Fight Against Phishing

No business needs to go it alone in the fight against phishing-related cybercrime.  An estimated 34% of business IT leaders in an employee behavior survey admitted that a simple lack of employee understanding of today’s sophisticated phishing threats was their biggest problem. We can help. Get the power of smart, award-winning defense including top-notch security awareness training that meets your employees where they are on your side when you choose IntegraMSP. Contact Us and let’s get started on your improving your protection right away.