The cybercrime landscape underwent several changes in 2016 with malicious actors taking a more “corporate” approach to their craft, which helped lead to even greater losses by business hit with a cyberattack.
The damage inflicted on organizations victimized by data breaches and other cyberattacks last year included losing customers, revenue and potential business opportunities, according to the "Cisco 2017 Annual Cybersecurity Report." This year's version marks the report's 10th anniversary. These incursions were due to a combination of using new methodology, along with bringing back some old favorites like spam.
The report, which is based on a survey of 3,000 chief security officers and security operations leaders from 13 countries, found that 22 percent of breached organizations lost at least some customers with 40 percent of that group losing at least 20 percent of their customer base.
Another 29 percent said their firms lost revenues due to a cyberattack – with 38 percent of that group saying losses exceeded 20 percent. Although somewhat harder to define, 23 percent reported losing business opportunities.
The Cisco report also found that cybercriminals are acting with a new level of professionalism that, ironically, mirrors the companies they are attacking.
“New attack methods model corporate hierarchies: Certain malvertising campaigns employed brokers (or “gates”) that act as middle managers, masking malicious activity. Adversaries can then move with greater speed, maintain their operational space, and evade detection,” the report stated.
At the same time, new methods are being implemented and older attack vectors, like spam, are being used at levels not seen in years. The report noted that spam is at its highest usage rate since 2010, accounting for nearly two-thirds (65 percent) of email with eight percent to 10 percent cited as malicious.
Aligning and operating their criminal enterprises like a legitimate operation has helped the bad actors roll out new methods of attack, such as turning employees into insider threats. This could be seen with workers attempting to make themselves and their company more efficient by downloading non-vetted, third-party cloud applications. In 27 percent of these cases, the cloud app was, in fact, rated as high risk, capable of introducing significant security concerns into the company.
Staffers also proved quite adept at downloading adware, with 75 percent of the corporations surveyed having been infected.