More data records have been compromised in 2020 alone than in the past 15 years combined, in what is described as a mounting "data breach crisis" in the latest study from analysis firm Canalys.
Over the past 12 months, 31 billion data records have been compromised, found Canalys. This is up 171% from the previous year, and constitutes well over half of the 55 billion data records that have been compromised in total since 2005.
Cases of ransomware – a specific type of attack that encrypts servers and data to block access to a computer system until a sum of money is paid – have been on the rise, with the number of reported incidents up 60% compared to 2019.
According to Canalys, this unprecedented boom in attacks can be in part attributed to the COVID-19 pandemic, which forced organizations across the world to digitize at pace, without putting enough thought into the new security requirements that come with doing business online.
Retailers had to switch to online selling, while the hospitality sector turned to new platforms for home delivery, and manufacturers digitized supply chains to improve the accuracy of production lines. Meanwhile, organizations across the globe switched entire workforces to WFH almost overnight: the number of employees working remotely, in fact, has jumped from 31 million before the pandemic, to just under 500 million.
To keep businesses afloat, money was invested in digital technologies and the cloud, to move processes online and adapt to new ways of working. Cybersecurity concerns, however, were all too often put on hold, noted Canalys.
"Organizations had to implement business continuity measures quickly in response to the COVID-19 pandemic or risk going out of business," reads the report. "These measures were often at the expense of cybersecurity and bypassed longstanding corporate policies, leaving many exposed to exploitation by highly organized and sophisticated threat actors, as well as other more opportunistic hackers.
"For many, cybersecurity was an afterthought, as they had to focus primarily on staying in business."
The fast-paced digitization of business, in effect, has opened up many new attack vectors for threat actors to exploit. With employees now accessing company information from many different locations, and more data being stored and processed outside of traditional, office-based IT environments, new security measures are needed.
Yet businesses do not seem to have taken this seriously enough. While investment in cybersecurity did grow by up to 10% compared to the previous year, other priorities took precedence: for example, cloud services grew 33%, while cloud software services grew 20% during the same period. Investment in cybersecurity also compares poorly to the growth of collaboration tools, remote desktops, notebook PCs and even home printing.
In other words, the pace of digital transformation was not matched by sufficient safeguarding of networks against cyber threats. A similar observation was recently made by the head of the UK's National Cyber Security Centre (NCSC), Lindy Cameron, who reiterated that CEOs should give cybersecurity the same importance as finance, legal, or any other important department of the company.
But although the global health crisis largely contributed to the rise of such attacks, Canalys notes that the trend is not limited to the pandemic. COVID-19 only accelerated a worrying pattern that was already emerging in previous years: in 2019, for instance, the number of compromised data records had already increased by 200% compared to the previous year.
Datasets are getting larger, and organizations are collecting increasingly sensitive information about their customers, either as part of their digital transformation process or to personalize products and services. At the same time, threat actors are becoming ever more successful, for example using automated bots to drive sophisticated attacks.
Canalys, as a result, called for business executives to change their mindset from "if" a breach will affect their company to "when". "Prioritize cybersecurity and invest in broadening protection, detection and response measures or face disaster," concludes the report. "This is the stark reality for organizations in 2021. For many, it is too late."