STAMFORD, Conn. -- U.S. businesses on the whole are gaining ground against cyber criminals after several years of increasingly severe threats, but the Las Vegas cyberattacks are a stark reminder of the cost of a breach.
GetApp’s 5th Annual Data Security Report reveals that the ransomware rate remains alarmingly high at 37%, despite meaningful improvements over the last year. While there is still work to be done, increased investments and training are likely behind these impressive gains: the study shows that, since last year, phishing links clicked by workers decreased 25% while ransomware attacks dropped 30%. Alarmingly, however, the report finds that only one in three businesses (34%) are training staff on social engineering techniques.
This survey of 872 workers, including IT professionals and IT security managers, uncovers six key trends in the cyber threat landscape as U.S. businesses turn a corner with data security:
1. Most security leaders view AI as more friend than foe.
A key question is whether AI is doing more to help prevent attacks—or to launch them. According to 59% of IT security leaders, AI is more likely to help security teams enhance their defenses than it is to strengthen cyber criminals. However, IT leaders still voice security concerns about AI.
2. Phishing is down, but the overall threat remains high.
Phishing effectiveness has cooled from last year’s critical high: 80% of businesses report receiving phishing emails this year (down from 89% in 2022), and 61% say their employees clicked on a malicious link (down from 81% in 2022). While this is promising news, IT security managers consider advanced phishing attacks the top threat heading into 2024.
3. Ransomware attacks decline as decryption rate nearly doubles.
Ransomware attacks have dropped from 53% to 37% year over year, while the rate of victims paying the ransom has plummeted from 67% to 36%. This can be attributed to a sharp rise in businesses decrypting ransomware on their own, along with rising adoption of incident response plans.
4. Data access privileges are becoming more restricted.
In past years, the rate of companies restricting employee data access remained relatively steady, but this year’s report indicates a shift toward more data restriction. Only 16% of businesses allow employees access to all company data, a drop of more than 50% from 2022.
5. IT security spending is up at U.S. businesses.
Seven in ten businesses have increased their IT security budget this year, compared to 63% in 2022. Another indicator that businesses are taking security more seriously is the steadily growing number that have formal protocols in place to report a suspected cyberattack, rising from 77% in 2021 to 83% in 2022, and now up to 94% in 2023.
6. Security awareness training has never been more prevalent.
The number of businesses that provide security awareness training every six months has more than doubled over the last four years (42% in 2023 vs. 19% in 2019) and continues to increase at a steady pace.
An influx of cyber threats stemming from pandemic-fueled digitization and the explosion of remote work has subsided, and in its wake, companies have emerged more prepared and security-focused than ever before.
“It’s encouraging to see businesses put more resources into data security and it appears to be paying off—but only time will tell if we’re witnessing the start of a long-term reversal, or if cybercrime gangs are lying low amid increased scrutiny while readying for a resurgence,” says Zach Capers, senior security analyst at GetApp. “It’s critical that businesses maintain this newfound momentum, primarily by educating employees on social engineering techniques that cyber criminals are increasingly relying on as companies close off more and more attack vectors.”
Read GetApp’s 5th Annual Data Security Report for more survey insights and recommendations on how businesses can boost their security through tools, security awareness training, and stronger processes.