As the world's attention was focused elsewhere, cyber criminals went on a major offensive, keeping enterprise security teams around the world on their toes.
According to a recent McAfee report, cybercrime will cost the global economy more than $1 trillion this year: $945 billion in monetary losses and $145 billion in cybersecurity spending. Insurance giant Allianz estimates that 2020 is on track to hit record highs for the number of cybercrime-related insurance claims.
Cybercrime is now at or near the top of every risk poll conducted: up from 15th place seven years ago.
According to Risk Based Security, 2020 was a record year for the number of records exposed in enterprise security breaches. The previous record high was broken in the first half of the year, and the climb continued to in a hurry. A total of 36 billion records were exposed, between January 1 and the end of October. For comparison, there were 15 billion records exposed in 2019, and 5 billion in 2018.
In 44 percent of data breaches this year, the total number of exposed records was not released, up from 24 percent in 2019. That means the actual number of records exposed was even higher.
News headlines about massive data breaches have become so commonplace, these numbers haven't been getting the attention they deserve. Though, to be fair, 2020 has been a horrible year in most other respects.
COVID-19 Hurt Enterprise Security
Employees switching to working from home put a lot of additional stress on enterprise IT teams. New systems had to be rolled out in a hurry to support the newly distributed workforce, while data centers struggled to meet the higher demand for VPNs, other connectivity services, and a rise in traffic to Web-based applications.
Security sometimes fell by the wayside.
According to Risk Based Security, misconfigured databases and services were the leading cause behind the high number of records exposed. Many cybersecurity events could have been prevented with basic security hygiene, said Inga Goddijn, executive VP at the company.
Organizations have to invest in security, she said, as well as provide their enterprise security teams with the tools and resources that they need.
"There are a variety of actions an organization can take to help minimize the likelihood of a damaging event, but by far the most impactful actions come about when senior leadership is committed to building and maintaining a successful security operation," she told DCK.
Attackers took advantage of employees' appetite for pandemic-related information and unfamiliarity with new work-from-home procedures to step up phishing attacks and other scams.
Worst of all, they went after health care organizations. They went as far as launching targeted ransomware attacks to shut down entire hospitals.
Ransomware Is on the Rise
In its 2020 cybercrime report, Europol named ransomware as "one of the, if not the, most dominant threats" to organizations within and outside Europe.
Cybersecurity Ventures reports that damage from ransomware attacks, the fastest-growing type of cybercrime, will cost victims $20 billion in 2021. Those are just ransom costs.
Cybersecurity firm Emsisoft estimated that ransomware ransom demands this year will total $25 billion, globally. However, the attacks total cost to companies, including the cost of downtime, could reach as high as $170 billion.
"Ransomware has become a part of doing business," said Israel Barak, CISO at Cybereason, a Boston-based cybersecurity vendor.
About one in every five breaches this year involved ransomware, according to Risk Based Security.
"Ransomware operators can be sophisticated adversaries, capable of inflicting significant pain on their targets," Goddijn said.
Research firm Vanson Bourne found in a survey sponsored by the cybersecurity firm CrowdStrike that 56 percent of organizations were hit by ransomware this year, up from 42 percent last year.
In November, Coverware, which represents organizations in negotiations with ransomware attackers, said the average ransom payouts have increased dramatically over the past year.
In the fourth quarter of 2019, the average ransom payout was a little over $84,000. That went up to more than $111,000 in the first quarter of the year, more than $178,000 in the second quarter, and more than $233,000 in the third quarter of 2020.
Ransomware attackers have been upping the pressure on their victims. Instead of just encrypting the victim’s data and making key systems inaccessible, an attacker might also go after the victim’s backups. They may exfiltrate sensitive data and threaten to release it and publicly shame the victim if the ransom isn’t paid.
According to a recent report by the cybersecurity firm Sophos, the ransom groups have been innovating at an accelerating pace, putting more effort into their attacks against larger organizations and collaborating more often, resembling behavior of crime cartels.
New Critical Vulnerabilities, New Attack Vectors
This year, malware learned to jump air-gapped networks, sneak into data centers while buried inside virtual machines, and evade detection by hiding in Java code.
The Department of Homeland Security's Cybersecurity and Infrastructure Security Agency issued a record 37 cybersecurity alerts so far this year – up from five in 2019, 14 in 2018, and 10 in 2017.
The agency also issued five emergency directives this year, also a record.
The most recent was issued December 13, warning federal agencies and their contractors about the SolarWinds Orion platform, used for IT monitoring. Malicious actors exploited a vulnerability in the product to gain access to network management systems, and the only mitigation strategy is to disconnect all affected devices.
Several agencies have already been breached as a result of this vulnerability, and the actual impact could be much bigger.
SolarWinds claims to have over 300,000 customers, including more than 425 of the Fortune 500 companies, the ten largest US telcos, the top five US accounting firms, all branches of the US military, the State Department, the NSA, the Department of Justice, and the White House.
According to news reports, the US Treasury and Commerce departments both confirmed they had been breached.
SolarWinds confirmed that it was a supply chain attack conducted by a nation state and released security upgrades for its software.
In an SEC disclosure on Monday, the company said up to 18,000 of its 33,000 Orion customers may be affected by the vulnerability.
Chris Krebs, who was fired from his position as CISA director just last month, said in a Tweet that supply chain attacks using trusted relationships are hard to stop. "I suspect this has been underway for many months," he wrote.
One of the confirmed victims of the SolarWinds attack was FireEye, a high-profile cybersecurity firm.
FireEye CEO Kevin Mandia said that his company identified a global campaign that has been active since spring 2020.
Because of course it was.