The Tip of the Iceberg

Verizon’s DBIR (Data Breach Investigations Report) has an interesting data point about the time to discover breaches. Up to 2019, DBIR has consistently reported that the majority of breaches took months or even years to detect. In the last couple of years, it became more likely to detect breaches within days than months. Before you get too excited, wait for the next piece of information. The top discovery method of breaches is ‘Actor Disclosure’, with more than 50%, as reported in the DBIR of last year (2022). So we’re discovering breaches faster because the bad actors are telling us about them, essentially to cash in quickly with data sales on underground forums for instance.

There’s nothing new in there really. There are issues with prevention and detection, which are also confirmed by some security controls’ evaluations. Mandiant’s ‘Deep Dive Into Cyber Reality’ report (published in 2020) has indicated that security controls did not prevent or detect infiltration within enterprise production environments 68% of the time. The report makes a case for validating controls’ effectiveness, which isn’t very reliable at the moment, IMHO, and is most in need of a major revamp. I have written a post about that in the past. Note that DBIR, that same year (2020), had reported that 56% of breaches went under the radar. We’re still not doing any better now compared to 2020.

The size of the unseen/undetected, I suspect, is even worse, but it is something very hard to estimate. We don’t know what we don’t know! There are, however, proxy data that could help there, e.g., the size of the cybercrime economy vs. the cybersecurity market, some dark web stats, the estimated size of the unvended market opportunities, among others. Here are a few data points that I found particularly interesting, pointing to significant gaps, which could well be the difference between the seen and the unseen!

  • According to Bromium and Dataprot, the cybercrime market by revenue was $1.5 trillion in 2022. The cybersecurity market, on the other hand, was $173.5 billion, according to MarketsandMarkets.
  • According to McKinsey, today’s gap between the vended cybersecurity market and a fully addressable market is huge, at approximately only 10 percent penetration overall. The following link provides the penetration per market segment.
  • While the global cybersecurity workforce grew to about 4.7 million people in 2022, there is still a need for more than 3.4 million security professionals, according to (ISC)².
  • According to Positive Technologies, demand for malware on the dark web outstrips supply up to three times. That was back in 2018. The increasing demand since then has led to more readily available programs such as ‘malware-as-a-service’ and ‘ransomware-as-a-service’.
  • According to the FBI’s IC3 unit chief (interviewed in 2018), only 10 to 12% of cybercrime victims reach out for help. The vast majority of cyber crimes go unreported.
  • According to CyberArk, only 8% of organizations continuously perform Red Team exercises.
  • Adding fuel to the fire are misconceptions about one’s own vulnerabilities. According to Keeper’s SMB cyber threat study (published in 2019), 70% of SMBs are unprepared to deal with a cyber attack, partly because they think they are too unappealing to be targeted by cybercriminals!

The industry is clearly lagging behind and needs some drastic changes, from culture to investments. ‘Appearances,’ wrote the philosopher Anaxagoras some 2500 years ago, ‘are but a glimpse of what is hidden.’
