Security

GetApp’s 2021 Data Security Report—3 Alarming Themes Emerge

Sep 28, 2021

Increasingly severe ransomware attacks, more effective phishing schemes, and rampant password reuse are causing concern for U.S. businesses.

AvatarImg
Zach CapersSr Specialist Analyst
GetApp’s 2021 Data Security Report—3 Alarming Themes Emerge

What we'll cover

Note: This article, while intended to inform our clients about the current security challenges experienced by IT companies in the global marketplace, is in no way intended to provide legal advice or to endorse a specific course of action. For advice on your specific situation, consult your legal counsel.


Each year, GetApp surveys employees in various industries to better understand the data security threats and practices at U.S. businesses. This year’s survey reveals rising threats from phishing and ransomware, two threats that are often related. Magnifying these and other information security incidents is password reuse, a practice that our survey finds is happening at 60% of U.S. businesses. (See the full survey methodology at the end of this piece.)

In this report, we’ll explore these themes and help you with strategies to protect your business. We’ll also dive into key trends for seven different industries so you can see how your company stacks up.

Phishing emails nearly tripled in effectiveness in the last two years 

Since 2019, the percentage of respondents reporting that they received a phishing email at their organization has remained relatively stable overall. Meanwhile, the percentage of those saying someone at their organization has actually clicked a malicious link in a phishing email has steadily climbed.

2021-DSS-Phishing-emails-vs-clicks-YoYoY

In only the last two years, phishing emails have nearly tripled in effectiveness, and the gap is closing quickly. 

In 2019, our research found a 30-point difference between the percentage of respondents who reported phishing emails at their organization and those who say someone actually clicked a link in one. In 2020, the gap narrowed to 23 points and in 2021, the difference has shrunk to only 11. These numbers suggest that phishing emails are rapidly becoming more difficult to spot and thus far more effective.

Part of what’s happening here is that phishing emails have become more targeted. Modern phishing campaigns increasingly use professional emails with convincing logos. They are often aimed directly at the recipient, a scheme known as spear phishing, making them much more difficult to detect than the poorly written mass emails of the past.

It’s more important than ever to adopt email management software that offers phishing protection and email authentication features such as DKIM, SPF, and DMARC. You can check out our unbiased, data-driven Email Management Category Leaders report to compare tools.

And while email management platforms can certainly reduce the risk, they can’t prevent all phishing attacks. That’s why you need to train employees to recognize the social engineering tactics used in data security threats such as phishing and business email compromise.

Unfortunately, only 26% of businesses in our survey provide social engineering training for employees.

Ransomware incidents are up—and so are ransom demands

In the world of ransomware, there’s good news and bad—but mostly bad. The bad news is that the number of attacks went up significantly, from 28% of respondents reporting attacks in 2020 to 35% in 2021 (12% report multiple attacks). The good news is that fewer ransomware victims are paying the ransom—but that’s likely because ransom demands have skyrocketed over the last year.

2021 DSS - Ransomware Attacks

Displaced by higher dollar amounts, ransom demands of only $5,000 or less dropped by 9%. Those above $50,000 jumped by 6%. 

Our research also finds that ransom demands are significantly higher than average for businesses in banking and construction. Fifty-one percent of ransomware victims in the banking industry and 48% of those in construction report ransoms of $50,000 or above, each about 20 points above the survey average of 29%.

This data supports a clear trend: Ransomware is growing more targeted toward companies in specific industries, for higher payouts. For the largest companies, demands are now reaching into the millions. Take insurance giant CNA Financial, which reportedly paid a $40 million ransom back in March to regain access to its network after weeks of struggling through an attack.

2021 DSS - Ransom demands

One bright spot is that the percentage of companies that either removed the ransomware without payment or recovered using data backup software slightly increased year over year from 22% to 25%. 

All companies must prepare for the possibility of a ransomware attack or other severe cyberattack. Alarmingly, only 77% of the IT security managers we surveyed say their company has protocols in place to report a suspected cyberattack and even fewer (67%) have a formal cybersecurity incident response plan.

Ransomware entering a new era of notoriety

Ransomware is in an interesting place heading into 2022. The most fearsome ransomware gang on the planet for the last two years, REvil, suddenly vanished in July (only to resurface in September). REvil’s abrupt disappearance from the internet occurred only a few weeks after the Biden administration compared ransomware with terrorism following high-profile attacks on the Colonial Pipeline and JBS, the world’s leading meat producer.

And while other infamous ransomware groups such as DarkSide (the Colonial Pipeline attackers) and Ragnarok have also recently shut down amid growing scrutiny, plenty of other groups are already appearing on the scene to fill the void.

To learn more about ransomware and how it’s evolved from a minor annoyance to a global threat, read our guide: "Ransomware Statistics, Trends, and Tips You Need to Protect Your Business"

Password reuse strongly associated with higher incidences of security breaches

A full 60% of our respondents admit to reusing the same password for multiple accounts. That’s three out of five employees putting themselves and their company at unnecessary risk of account takeovers, data breaches, and myriad other online dangers.

2021 DSS - Password reuse

Keeping up with passwords is a task that weighs on everyone, and most of us have never had more to maintain. That’s why it’s no surprise that most people reuse passwords. But many people don’t understand the unique hazards of password reuse and how the practice magnifies nearly every cybersecurity risk. Unique passwords should be used for the same reason you wouldn’t want to use the same lock for your car, office, and home. If your key is stolen, the thief gains access to everything.

Password reuse is a key driver of account takeovers, a scheme wherein an attacker gains control of a victim’s online account, such as a bank account or social media profile. Typically, cybercriminals use credential stuffing attacks that use credentials stolen from one website to see if they work on other websites. Our research finds that account takeovers are three times as common among people who reuse passwords as those who don’t.

Learn more about account takeovers and credential stuffing

2021 DSS - Password Reuse Breaches

As you can see, password reuse is associated with an array of security threats. And while a clear connection can be made with account takeovers, the correlation with ransomware and clicking on phishing links is likely due in part to generally poor security hygiene by password reusers.

Making matters even worse, many employees are using questionable methods to keep up with their passwords. One in five (22%) confess to writing their passwords down on paper, 19% say they store passwords in a digital/online document such as Word or Google Docs, and 41% use personally meaningful information such as their date of birth or company name to make passwords easier to remember.

2021 DSS - Poor Password Practices

We recommend using a password manager that helps to create, store and organize strong passwords. Read our guide to finding the best password management software for your business.

Understanding how your peers are keeping up with data security helps to gauge your company’s progress. In this section, we take a look at data security trends in key industries.

(Note: More than 30 industries are represented in our survey. In this section, we cover the seven industries that individually made up 6% or more of the total sample. References to average values relate to the full sample of all industries.)

Banking and financial services (BFS)

As mentioned, BFS companies are being disproportionately targeted by high-payout ransomware attacks. BFS has among the highest use of two-factor authentication (2FA) with only 4% of respondents saying they don’t use it on any business applications—and that’s a very good thing because BFS have a much higher-than-average rate of clicking malicious links in phishing emails (70%).

Construction

Not only was construction highly targeted for costly ransomware attacks, but it was also the most targeted for multiple ransomware attacks (23%) compared to the average (12%). With all that practice, it makes sense that construction had the highest percentage of ransomware incidents resolved by decrypting or removing the malware without payment (35%). Also of note, a full third (34%) of construction respondents write their passwords down on paper, more than any other industry.

Marketing

Like last year, which found it lacking in many facets of data security, marketing again had poor results in our survey. Marketing respondents are most likely to experience an account takeover (60%), have full access to all company data (38%), and to report that their IT security is managed by nobody in particular (8%).

Education

Education has been through a lot in the last year, adapting to changes stemming from the pandemic, and IT security might not be top of mind. One in four (25%) education respondents don’t know how to report a suspected cyberattack, 75% reuse passwords, and only 28% always use 2FA (compared to the 39% average).

Retail

Retail has the lowest percentage of employees who know how to report a suspected cyberattack at only 69%, compared to the 81% average. A mere 7% of retail employees receive social engineering training and only 26% report that their company conducts phishing tests (less than half of the 54% average). More concerning, one in four retail employees (25%) report never receiving security awareness training.

Healthcare

Likely owing to heavy regulation, healthcare continues to be the data security example for other industries to follow. Healthcare is the most likely to report that IT security is run by a dedicated IT chief or security officer (75%). Healthcare organizations also have the lowest rate of password reuse (44%) and the highest percentage of employees who have access only to the data needed to do their job (67%), an admirable 26 points above the 41% average.

IT services

Companies in the IT services industry have generally high security standards. IT services companies are most likely to employ a dedicated IT security officer (44%), deploy a data classification system (91%), and conduct phishing tests (68%). One weak spot for IT services is that nearly a third (32%) store their passwords in a digital/online document, much higher than the 19% average.

Equip your employees to strengthen data security efforts

The best way to safeguard sensitive data, defend against cyberattacks, and give your security team a fighting chance is to get back to basics. Ensure your employees are equipped and emboldened to defend your company’s data by doing the following: 

Read last year's report

Click here to download GetApp’s 2020 Data Security Report: 10 Trends to Watch

Methodology

GetApp’s 2021 Data Security Survey was conducted from August 20 to August 24 among 973 respondents to learn more about data security at U.S. businesses. Respondents were screened for full-time employment and 90 identified as their organization’s IT security manager.

GetApp’s 2020 Data Security Survey was conducted from September 10 to September 11 among 868 respondents who reported full-time employment. Of the 868 respondents, 267 identified as IT professionals and 83 identified as their organization’s IT security manager.

GetApp’s 2019 Data Security Survey was conducted in June 2019 among 714 respondents who reported full-time employment. Of the 714 respondents, 207 identified as IT professionals.

avatar
About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.
Visit author's page