Reports / Surveys

The average data breach costs $1.41M, firms with SOCs lose less

A new Kaspersky report indicates that enterprises suffering a data breach can expect losses of at least $1.41 million. That number represents the average cost per incident in 2018 and marks a significant increase compared to the 2017 average of $1.23 million per breach. Surprisingly, the average data breach cost for small to mid-sized businesses (SMBs) decreased in the same period from $120,000 to $108,000. The study also found that having an internal security operations center (SOC) lowers expected breach losses for enterprises to just $675,000 per incident.

57% of organizations have been breached since 2017

If your company has not suffered a breach in the past few years, luck has been on your side, because 57% of firms were breached in 2017, 2018 and/or 2019, a recent survey[pdf] by Bitdefender found. And that number will likely be much higher by the end of the year, since 24% of organizations experienced a data breach in the first six months of 2019 alone. Moreover, 36% of the firms that haven’t been breached acknowledge that they may be under attack right now without realizing it. According to cybersecurity professionals, the top cyber threats to companies are:

  • Phishing (36%)
  • Trojans (29%)
  • Ransomware (28%)
  • Legal/compliance risks (28%)
  • Unpatched software (24%)
  • Distributed denial-of-service (DDoS) attacks (24%)
  • Social media threats (22%)
  • Cyber espionage (20%)

Phishing is the no. 1 threat to firms, awareness training falls short

Professionals in charge of security decisions in their company consider phishing to be the most worrisome cyber threat, a new CybReady study[pdf] shows. The top five threats identified by the survey are:

  • Phishing (74%)
  • Malware (68%)
  • Data breaches (68%)
  • Ransomware (67%)
  • CEO Fraud / business email compromise (BEC) attacks (63%)

While 95% of organizations say they provide security awareness training to prevent employees from falling for phishing attacks, only 39% conduct company-wide phishing simulations on a regular basis. Instead, many firms opt for less effective strategies, such as carrying out phishing simulations on a limited number of staff members (12%), letting employees watch security training videos (33%), or merely informing employees about phishing risks by means of a dedicated meeting (11%).

Targeted cybercrime surged in H1 2019

New research by CrowdStrike shows that the number of targeted cybercrime campaigns skyrocketed in the first 6 months of this year, resulting in criminal groups (61%) overtaking state-backed hackers (39%) as the main perpetrators of targeted intrusions. Last year, cybercriminals only accounted for 25% of such campaigns, but since then these adversaries have “escalate[d] their activities in pursuit of more and larger payouts.” The most targeted industries in the first half of 2019 included:

  • Technology
  • Telecommunications
  • Non-governmental organizations (NGOs)
  • Retail
  • Finance

Companies of all sizes list cyber threats as their top business risk

Cyber threats are the top risk to organizations of all sizes, according to a recent Travelers survey conducted among business leaders. One-third (33%) of large businesses experienced a cyberattack this year, as did 20% of mid-sized firms and 12% of small companies. While more and more businesses are beginning to acknowledge cyber threats, a quarter of firms still believe they won’t be targeted.

Freaky Infosec Fact of the Week

Employees are three times more likely to spread a malicious email to their colleagues than to transmit the flu to their partner.

A recent report by Wire found that while someone sick with the flu has a 20 to 25% chance of infecting someone else in their household, 71% of companies suffered an email-based cyberattack in the past year as the result of an employee spreading a malicious message to colleagues.

What You Can Do

Many organizations do not know whether they have actually been breached, which points to visibility as a significant problem. In many assessments, simple attacks such as password spraying, relay attacks, and even man-in-the-middle attacks go undetected by the organization. This lack of awareness within the environment can result in your organization being the next data breach victim.

Where organizations do have tools in place to monitor for attacks, those tools should be tested to ensure they are actually working today, not just during the next annual penetration test. Without testing these controls, assurance based only on an implemented configuration may provide a false sense of security. Consider performing a penetration test, or even just a few very specific tasks, to validate your detection and monitoring controls.
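One concrete way to validate that the monitoring stack actually sees a password spray is to run a small detection rule over authentication logs. This is an added example, not Vonahi's code; the log format, field names and sample lines are constructed.

```python
# Added example (not from the newsletter): flag password spraying in
# authentication logs. Log format and sample lines are constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2019-08-01T09:00:01 auth fail user=alice src=10.0.0.5
2019-08-01T09:00:02 auth fail user=bob src=10.0.0.5
2019-08-01T09:00:03 auth fail user=carol src=10.0.0.5
2019-08-01T09:00:04 auth fail user=dave src=10.0.0.5
2019-08-01T09:00:05 auth fail user=erin src=10.0.0.5
2019-08-01T09:00:06 auth ok user=erin src=10.0.0.5
2019-08-01T09:05:00 auth fail user=frank src=10.0.0.9
2019-08-01T09:05:10 auth fail user=frank src=10.0.0.9
2019-08-01T09:05:20 auth fail user=frank src=10.0.0.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(text):
    """Yield (timestamp, result, user, src); silently skip non-matching lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]

def detect_spray(text, window=timedelta(minutes=5), min_users=4):
    """Return {src: {...}} for sources failing against >= min_users distinct
    accounts inside `window`. Many failures on ONE account (10.0.0.9) is
    brute force, not spraying, and is deliberately left to a different rule."""
    failures = defaultdict(list)   # src -> [(ts, user)]
    successes = defaultdict(set)   # src -> {user} that later logged in
    for ts, result, user, src in parse(text):
        if result == "fail":
            failures[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # slide the window
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[src] = {"users": sorted(users),
                               "compromised": sorted(users & successes[src])}
                break
    return alerts
```

Feeding the rule a log from a controlled test of the type the newsletter recommends shows immediately whether the spray would have been visible, and the "compromised" field highlights the accounts that need attention first.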

Lastly, consider conducting a phishing assessment against all of your employees. Many organizations limit the scope of phishing assessments to rank-and-file employees, excluding management and C-level staff because of potential conflicts. However, an attacker will target everyone, so unless your assessment does the same, it may not provide a true evaluation of your risk from phishing attacks.

About Vonahi Security
Vonahi Security is a cybersecurity consulting firm that offers modern consulting services to help organizations achieve both compliance and security best practices. With over 30 years of combined industry experience in both offensive and defensive security operations, our team of certified consultants have experience working with a significant number of organizations, industries, networks, and technologies. Our service expertise includes Managed Security, Adversary Simulations, Strategy & Review, and User Education & Awareness. Vonahi Security is headquartered in Atlanta, GA. To learn more, visit
