Key Takeaways
An increasingly complex IT environment and growing sophistication of cyber criminals primed 2021 for a record-breaking year of cyber attacks.
Supply chain attacks, ransomware, and data breaches all had record years and grabbed headlines with major hacks.
Silver linings of the year include increased private equity and venture capital investment, increased security budgets, higher-paying infosec jobs, and government involvement.
The physical and digital worlds continued to merge in 2021, so much so that any barrier that had existed between them is now nearly gone. The attack surface grew with them, driven by the spread of Internet of Things (IoT) devices, cloud migrations, and hybrid workforces. If there ever was a perfect storm for cyber disasters, 2021 comes pretty close. The year saw record-breaking numbers of attacks and ransom payments, yet it had silver linings too: cybersecurity gained visibility, investment, and budget.
Changing cybercrime landscape
Sophisticated hacking groups and nation-state actors certainly advanced their capabilities and reach in 2021, masterminding campaigns like the mass exploitation of Microsoft Exchange zero-days. However, 2021 also witnessed the democratization of cybercrime through phishing kits, ransomware-as-a-service, and exploit kits. Anybody with criminal intent can now pull off complex attacks without deep technical knowledge, which has grown the population of potential attackers to levels previously unimagined.
Supply chain attacks wreak havoc
Supply chain attacks are uncommon, and 2021 saw two of the worst of all time. They are especially destructive because breaching one software supplier opens a path into every one of its customers: a single trojanized update or compromised management tool is trusted and executed by all of them. First, the SolarWinds Orion compromise, disclosed in December 2020 and still unravelling through 2021, delivered a backdoor into many organizations via a poisoned software update. The most recent figures say over 100 companies, including Microsoft, Cisco and Intel, and 9 US government agencies were hit. Next came the Kaseya attack, in which attackers abused the VSA remote management product to push ransomware to managed service providers and their customers, quickly turning into one of the largest ransomware attacks to date.
Ransomware on the Rise
Ransomware became the hottest cyber topic for media, business, insurance, and governments in 2021. Some estimates point to a doubling of ransomware attacks in 2021 over 2020. Many recall the Big 3 ransomware attacks of 2021: Colonial Pipeline, JBS, and the Kaseya supply chain attack. The organized cybercrime group REvil demanded a record $70 million ransom for a universal Kaseya decryptor (the demand was not paid; Kaseya later obtained a decryptor through a third party), and the same group extorted $11 million from JBS. Colonial Pipeline paid roughly $4.4 million, of which the FBI later recovered about $2.3 million by seizing the attackers' cryptocurrency wallet. One of the biggest US insurance groups, CNA, reportedly paid $40 million of a $60 million ransom demand in March. Final numbers aren't available, but reported payouts have been so massive that they might actually top the earlier Cybersecurity Ventures projection that ransomware would cost global businesses $20 billion in 2021, up from an estimated $5 billion in 2017. The same firm projects the global ransomware toll will swell to $265 billion by 2031.
Data breaches didn’t take the year off either
2021 was a record-breaking year for data breaches. According to Identity Theft Resource Center (ITRC) research, the total number of publicly reported data breaches through September 30, 2021 had already exceeded the total for all of 2020 by 17%. Scraped personal data of 700 million LinkedIn users, nearly 93% of the company's members, was offered for sale online. A leaked database of 533 million Facebook accounts, including phone numbers and other personal information, covered users from 106 countries.
Log4j Vulnerability
As if 2021 hadn't been enough for the cybersecurity world, the worst vulnerability in recent years surfaced just in time for Christmas. The flaw in Apache Log4j 2 (CVE-2021-44228, widely known as Log4Shell), an open source Java logging library embedded in countless applications, allowed unauthenticated remote code execution whenever attacker-controlled text reached a log statement. Immediate exploitation included crypto miners looking to make quick money, but the major repercussions are anticipated to come in waves, as APTs likely used the window to infiltrate countless organizations. For more in-depth coverage of the Log4j vulnerability check out this previous blog.
Silver Linings
Venture capital and private equity spending in the cybersecurity space broke one record after another. Cybersecurity Ventures reported in December that it had tracked more than $23 billion in venture capital investment into cybersecurity companies in 2021, with individual funding rounds reaching new heights. The largest private equity IT transaction of 2021, not just in cybersecurity but across all of IT, was the buyout of McAfee at $20.25 billion.
Security budgets are ballooning as well, as companies invest in their own cybersecurity capabilities. In Deloitte's 2021 Future of Cyber Survey, 75% of respondents from organizations with over $30 billion in revenue said they would spend over $100 million on cybersecurity.
The job market is booming. The skills gap and talent shortage in infosec, set against surging demand, have pushed cybersecurity salaries up rapidly. It has also raised the profile of the CISO, who has become a core voice in strategic business growth and risk management.
In May the White House issued the Executive Order on Improving the Nation's Cybersecurity, mandating measures such as multi-factor authentication, encryption and zero-trust planning across federal agencies and tighter software supply chain requirements for government vendors. The administration also confronted cyber-hostile state actors directly and backed high-profile initiatives with the private sector to raise the national security baseline.
2021 was a tough year for the cybersecurity industry, but the bad news pushed cybersecurity further into the mainstream. The increased investment will hopefully lead to more innovation and help move us toward a safer future starting in 2022.