For several years, GetApp’s Annual Data Security Survey* has identified increasingly severe threats on nearly every possible front, from account takeovers to ransomware attacks. But this year, something has shifted as IT leaders appear to be turning a corner with data security. Only time will tell if this is the start of a reversal or just a temporary reprieve.
An influx of cyber threats stemming from pandemic-fueled digitization and the explosion of remote work has subsided and in its wake, companies have emerged more prepared and security-focused than ever before.
Findings from our fifth annual Data Security Survey show that increasing priorities around security resources are starting to pay off in several ways. And while cybercriminals aren’t going anywhere, our data suggests they’re losing ground for the first time in years.
Data security refers to the controls and technology required to protect sensitive information, such as customer data, financial records, and intellectual property. Data is commonly a company’s most valuable resource, and the level of effort made to protect it often means the difference between success and failure.
As the prominence of artificial intelligence (AI) has exploded over the last year, so too has its impact on data security. The question is whether AI is doing more to help prevent attacks or to launch them. According to 59% of IT security managers, it’s the former. AI’s use in cybersecurity is growing rapidly and enhancing security tools by improving anomaly detection, monitoring data access more effectively, and identifying false positives so that security staff spend more time on real threats.
This isn’t to say that AI is not also a security threat—it definitely is. In fact, AI-enhanced attacks ranked second only to advanced phishing attacks as the threat IT security managers are most concerned about over the next 12 months. This might not be a coincidence since a primary way that attackers can harness AI is to craft more convincing and effective phishing emails. But beyond phishing, AI has an array of uses for attackers, from testing malware to identifying software vulnerabilities.
Despite a reduction in ransomware incidents (more on that later), attacks are no less targeted and destructive when they do occur, leaving ransomware as the third most concerning threat on our list. Coming in at number four are software supply chain attacks, which have become more widespread in the years following the massive SolarWinds attack. Our recent Software Supply Chain Survey** found that 61% of businesses were affected by a supply chain threat in the last year, and that half of IT professionals consider the threat either high (35%) or extreme (15%).
Rounding out our top five most concerning threats heading into 2024 is business email compromise (BEC), an attack that the U.S. government estimates has cost businesses more than $50 billion over the last decade. [1] Also known as CEO fraud, BEC attacks are social engineering schemes whereby the attacker assumes the identity of a high-ranking superior, overseas supplier, or similar persona to trick an employee into performing an electronic funds transfer or divulging sensitive business information.
Despite the name, these attacks are not limited to email and often occur over the phone or via virtual meetings, and are increasingly augmented by deepfake technologies. Companies can avoid BEC schemes by requiring all funds transfers or sensitive data requests be confirmed via a secondary means of communication (such as a private message or face-to-face interaction).
U.S. businesses are taking security more seriously than ever before. The most obvious sign is a rise in security spending, mentioned by 70% of our respondents. This is up over last year (2022), which saw 63% of companies increasing security spend. Perhaps more convincing, the percentage that say security spending is down dropped from an already paltry 6% in 2022 to a measly 1% in 2023.
This finding aligns with our 2023 Security Features Survey*** that found 50% of U.S. businesses consider security the most influential factor in the software purchase process, leading all other considerations. What’s more, the same survey found that 45% have stopped using a software platform due to security concerns.
Another indication that security is being taken more seriously is the steadily growing number of businesses that have formal protocols in place to report a suspected cyberattack, rising from 77% in 2021 to 83% in 2022, and now up to 94% in 2023.
And once a cyberattack is reported, it’s time to invoke your incident response plan, another factor showing promise among U.S. businesses. Only two in three companies (67%) had a formal cybersecurity incident response plan in 2021, but that number has jumped to 93% in 2023. Clearly, businesses are taking security more seriously, but there’s plenty of room for improvement.
Last year, we reported that phishing effectiveness had reached a critical point, with 89% of companies receiving phishing emails and 81% reporting that an employee had clicked a malicious link in one. That latter number has dropped 20 points to 61% this year. This is promising news that is likely due in part to increased phishing tests and security awareness training, which we’ll explore later in the report.
Although these statistics are improved over the truly dreadful 2022 numbers, they’re still quite high and phishing remains the top threat for most businesses. To reiterate, IT security managers consider advanced phishing attacks the top threat heading into 2024 as the schemes are becoming increasingly targeted, use multiple messaging platforms, and leverage AI to improve messaging and distribution. If you’re looking for email security software to help mitigate phishing attacks, check out our Email Security Category Leaders.
After years of increasing volume and severity, ransomware attacks have hit a wall. The ransomware rate appears to have peaked in 2022 at 53% of businesses and has fallen back to 37%, closer to 2021 levels (35%). Meanwhile, the rate of victims actually paying the ransom has plummeted, dropping from 67% just last year to only 36% this year.
Part of the reason is that more and more victims are able to decrypt ransomware using keys provided by security companies, government agencies, and sources such as the No More Ransom Project. At the same time, companies are more prepared to respond to a ransomware attack (as evidenced by the rising adoption of incident response plans) and find themselves with options besides simply giving in to extortion.
During the last year, several prominent ransomware-as-a-service gangs such as Conti and Hive have been disrupted, disbanded, or broken into smaller groups as governments around the world have launched initiatives to take them on, including the Australian-led International Counter Ransomware Taskforce. This combined with fewer payouts means that many ransomware gangs are losing the funding they need to continue operations.
Another factor is that some ransomware gangs have likely pivoted their strategy. We’ve reported on ransomware’s evolution into a multi-pronged attack involving data theft, and it’s quite possible that many ransomware gangs have moved to simple data theft and extortion without the complications of data encryption. Whatever the case, it’s not unlikely that we’ll see a ransomware resurgence in one form or another in the near future.
For several years, our survey has seen the rate of companies restricting employee data access remain relatively steady, but this year’s results indicate a shift toward more data restriction. Only 16% of companies allow employees access to all company data, a drop of more than 50% from last year. This strategy is key to mitigating all security threats by ensuring that access to some of your network doesn’t mean access to all of it.
To illustrate the difference this can make to your company's security, findings from GetApp’s 2023 Insider Threats Survey**** show the stark differences among companies that restrict data access appropriately vs. those that allow excessive employee data access (i.e., more access than needed for the role). Companies that restrict data are twice as likely to avoid insider attacks altogether.
All businesses should provide security awareness training on a regular basis, ideally twice each year. The number of businesses that provide security awareness training every six months has more than doubled over the last four years and continues to increase at a steady pace.
The number of businesses that perform training on an irregular basis has shrunk dramatically, dropping from 36% in 2019 to only 15% in 2023. Of course, there is always going to be a small subset of companies that refuse to put in any security training effort, typically around four to six percent.
As always, your weakest security link is your employees. While phishing effectiveness appears to have dipped, it’s still the top concern for IT security managers heading into 2024 and staying on top of emerging phishing threats and BEC schemes that are increasingly augmented by AI is critical. This means educating employees on social engineering techniques, something our survey finds is only done by one in three businesses (34%).
Also concerning is that 59% of employees continue to reuse passwords, a number that has varied by only a percent or two over the years. Password reuse leads to numerous vulnerabilities and cyberattacks such as account takeovers and must be strongly discouraged. Focus on enforcing strong password policies and move toward replacing passwords with more secure options such as biometrics or physical security keys where possible.
Confirm all funds transfers and sensitive data requests via a secondary means of communication.
Test your employees’ abilities to spot phishing schemes.
Ensure all staff know how to formally report a suspected cyberattack.
Develop an incident response plan to mitigate ransomware and other cyber attacks.
Regulate employee data access to prevent unnecessary vulnerabilities.
Schedule security awareness training every six months for all employees.
As our data shows, companies are putting more resources into data security and seeing results. But we’re not in the clear—if we’ve learned anything over the years, it’s that cybercriminals tend to regroup and come back stronger than ever, so now is not the time to let up.
*GetApp’s 2023 Data Security Survey was conducted in August 2023 among 872 respondents to learn more about data security practices at U.S. businesses. All respondents were screened for full-time employment at U.S. businesses. 362 respondents identified as IT management professionals and 271 identified as IT security managers.
GetApp's 2022 Data Security Survey was conducted in August 2022 among 1006 U.S. respondents who reported full-time employment. Of these respondents, 289 identified themselves as their company's IT security manager.
GetApp’s 2021 Data Security Survey was conducted in August 2021 among 973 respondents to learn more about data security at U.S. businesses. Respondents were screened for full-time employment and 90 identified as their organization’s IT security manager.
GetApp’s 2020 Data Security Survey was conducted in September 2020 among 868 respondents who reported full-time employment. Of the 868 respondents, 267 identified as IT professionals and 83 identified as their organization’s IT security manager.
GetApp’s 2019 Data Security Survey was conducted in June 2019 among 714 respondents who reported full-time employment. Of the 714 respondents, 207 identified as IT professionals.
**GetApp’s Software Supply Chain Survey was conducted in April 2023 among 271 respondents to learn more about software supply chain threats at U.S. businesses. All respondents were screened for positions in IT or IT security within their company.
***GetApp’s 2023 Security Features Survey was conducted in January 2023 among 289 respondents to learn more about software security preferences among U.S. businesses. All respondents were screened for involvement in the software purchasing process at their company.
****GetApp’s 2023 Insider Threats Survey was conducted in March 2023 among 400 respondents to learn more about insider threats at U.S. businesses. All respondents were screened for leadership positions within their company.
Business Email Compromise: The $50 Billion Scam, Internet Crime Complaint Center (IC3)
Zach Capers