Cybersecurity preparedness pays big dividends for businesses

Businesses are taking cybersecurity more seriously by boosting resources and preparedness, according to GetApp.

US businesses on the whole are gaining ground against cybercriminals after several years of increasingly severe threats, but the Las Vegas cyberattacks are a stark reminder of the cost of a breach.

GetApp’s report reveals that the ransomware rate remains alarmingly high at 37%, despite meaningful improvements over the last year. While there is still work to be done, increased investments and training are likely behind these impressive gains: the study shows that, since last year, phishing links clicked by workers decreased 25% while ransomware attacks dropped 30%.

However, the report finds that only 34% of businesses are training staff on social engineering techniques.

Phishing is down, but the overall threat remains high

A key question is whether AI is doing more to help prevent attacks—or to launch them. According to 59% of IT security leaders, AI is more likely to help security teams enhance their defenses than it is to strengthen cyber criminals. However, IT leaders still voice security concerns about AI.

Phishing effectiveness has cooled from last year’s critical high: 80% of businesses report receiving phishing emails this year (from 89% in 2022), and 61% say their employees clicked on a malicious link (from 81% in 2022). While this is promising news, IT security managers consider advanced phishing attacks as the top threat heading into 2024.

Ransomware attacks have dropped from 53% to 37% year over year, while the rate of victims paying the ransom has plummeted from 67% to 36%. This can be attributed to a sharp rise in businesses decrypting ransomware on their own, along with rising adoption of incident response plans.

In past years, the rate of companies restricting employee data access remained relatively steady, but this year’s report indicates a shift toward more data restriction. Only 16% of businesses allow employees access to all company data, a drop of more than 50% from 2022.

IT security spending is up at US businesses

Seven in ten businesses have increased their IT security budget this year, compared to 63% in 2022. Another indicator that businesses are taking security more seriously is the steadily growing number that have formal protocols in place to report a suspected cyberattack, rising from 77% in 2021 to 83% in 2022, and now up to 94% in 2023.

The number of businesses that provide security awareness training every six months has more than doubled over the last four years (42% in 2023 vs. 19% in 2019) and continues to increase at a steady pace.

An influx of cyber threats stemming from pandemic-fueled digitization and the explosion of remote work has subsided and in its wake, companies have emerged more prepared and security-focused than ever before.

“It’s encouraging to see businesses put more resources into data security and it appears to be paying off—but only time will tell if we’re witnessing the start of long-term reversal, or if cybercrime gangs are laying low amid increased scrutiny while readying for a resurgence,” says Zach Capers, senior security analyst at GetApp. “It’s critical that businesses maintain this newfound momentum, primarily by educating employees on social engineering techniques that cybercriminals are increasingly relying on as companies close off more and more attack vectors.”