GetApp offers objective, independent research and verified user reviews. We may earn a referral fee when you visit a vendor through our links. Learn more

Security

GetApp's 5th Annual Data Security Report: U.S. Businesses Gaining Ground Amid Ongoing Threats

Sep 26, 2023

Our 2023 report finds that companies are taking security more seriously by boosting resources and preparedness. Read on to find out what has changed over the last year.

AvatarImg
Zach CapersSr Specialist Analyst
GetApp's 5th Annual Data Security Report: U.S. Businesses Gaining Ground Amid Ongoing Threats

For several years, GetApp’s Annual Data Security Survey* has identified increasingly severe threats on nearly every possible front, from account takeovers to ransomware attacks. But this year, something has shifted as IT leaders appear to be turning a corner with data security. Only time will tell if this is the start of a reversal or just a temporary reprieve.

An influx of cyber threats stemming from pandemic-fueled digitization and the explosion of remote work has subsided and in its wake, companies have emerged more prepared and security-focused than ever before. 

Findings from our fifth annual Data Security Survey show that increasing priorities around security resources are starting to pay off in several ways. And while cybercriminals aren’t going anywhere, our data suggests they’re losing ground for the first time in years.

What is data security, and why is it important?

Data security refers to the controls and technology required to protect sensitive information, such as customer data, financial records, and intellectual property. Data is commonly a company’s most valuable resource, and the level of effort made to protect it often means the difference between success and failure.

1. Most security pros (59%) view AI more as friend than foe

As the prominence of artificial intelligence (AI) has exploded over the last year, so too has its impact on data security. The question is whether AI is doing more to help prevent attacks—or to launch them? According to 59% of IT security managers, it’s the former. AI’s use in cybersecurity is growing rapidly and enhancing security tools by improving anomaly detection, monitoring data access more effectively, and identifying false positives so that security staff spends more time on real threats.

GA_09272023_5thAnnualDataSecurityReport-AIenhancingdefense

This isn’t to say that AI is not also a security threat—it definitely is. In fact, AI-enhanced attacks ranked second only to advanced phishing attacks as the threat IT security managers are most concerned about over the next 12 months. This might not be a coincidence since a primary way that attackers can harness AI is to craft more convincing and effective phishing emails. But beyond phishing, AI has an array of uses for attackers, from testing malware to identifying software vulnerabilities.

GA_09272023_5thAnnualDataSecurityReport-phishingistopconcern

Despite a reduction in ransomware incidents (more on that later), attacks are no less targeted and destructive when they do occur, leaving them as the third most concerning threat on our list. Coming in at number four is software supply chain attacks, which have become more widespread in the years following the massive SolarWinds attack. Our recent Software Supply Chain Survey** found that 61% of businesses were affected by a supply chain threat in the last year, and that half of IT professionals consider the threat either high (35%) or extreme (15%).

Rounding out our top five most concerning threats heading into 2024 is business email compromise (BEC), an attack that the U.S. government estimates has cost businesses more than $50 billion over the last decade. [1] Also known as CEO fraud, BEC attacks are social engineering schemes whereby the attacker assumes the identity of a high-ranking superior, overseas supplier, or similar persona to trick an employee into performing an electronic funds transfer or divulging sensitive business information.

Despite the name, these attacks are not limited to email and often occur over the phone or via virtual meetings, and are increasingly augmented by deepfake technologies. Companies can avoid BEC schemes by requiring all funds transfers or sensitive data requests be confirmed via a secondary means of communication (such as a private message or face-to-face interaction).

2. IT security spending is up at 70% of businesses

U.S. businesses are taking security more seriously than ever before. The most obvious sign is a rise in security spending, mentioned by 70% of our respondents. This is up over last year (2022), which saw 63% of companies increasing security spend. Perhaps more convincing, the percent that say security spending is down dropped from an already paltry 6% in 2022 to a measly 1% in 2023.

This finding aligns with our 2023 Security Features Survey*** that found 50% of U.S. businesses consider security the most influential factor in the software purchase process, leading all other considerations. What’s more, the same survey found that 45% have stopped using a software platform due to security concerns.

Another indication that security is being taken more seriously is the steadily growing number of businesses that have formal protocols in place to report a suspected cyberattack, rising from 77% in 2021 to 83% in 2022, and now up 94% in 2023. 

And once a cyberattack is reported, it’s time to invoke your incident response plan, another factor showing promise among U.S. businesses. Only two in three companies (67%) had a formal cybersecurity incident response plan in 2021, but that number has jumped to 93% in 2023. Clearly, businesses are taking security more seriously, but there’s plenty of room for improvement.

GA_09272023_5thAnnualDataSecurityReport-formalattackreporting

3. Phishing is down—but the overall threat remains high

Last year, we reported that phishing effectiveness had reached a critical point with 89% of companies receiving phishing emails and 81% reporting that an employee had clicked a malicious link in one, a number that has dropped 20 points down to 61% this year. This is promising news that is likely due in part to increased phishing tests and security awareness training, which we’ll explore later in the report.

GA_09272023_5thAnnualDataSecurityReport-phishingandmaliciouslinks

Although these statistics are improved over the truly dreadful 2022 numbers, they’re still quite high and phishing remains the top threat for most businesses. To reiterate, IT security managers consider advanced phishing attacks the top threat heading into 2024 as the schemes are becoming increasingly targeted, use multiple messaging platforms, and leverage AI to improve messaging and distribution. If you’re looking for email security software to help mitigate phishing attacks, check out our Email Security Category Leaders.

4. Ransomware attacks decline as decryption rate nearly doubles

After years of increasing volume and severity, ransomware attacks have hit a wall. The ransomware rate appears to have peaked in 2022 at 53% of businesses and rebounded back to 37%, closer to 2021 levels (35%). Meanwhile, the rate of victims actually paying the ransom has plummeted, dropping from 67% just last year to only 36% this year.

Part of the reason is that more and more victims are able to decrypt ransomware using keys provided by security companies, government agencies, and sources such as the No More Ransomware Project. At the same time, companies are more prepared to respond to a ransomware attack (as evidenced by the rising adoption of incident response plans) and find themselves with options besides simply giving in to extortion.

GA_09272023_5thAnnualDataSecurityReport-ransomwareratereverses

During the last year, several prominent ransomware-as-a-service gangs such as Conti and Hive have been disrupted, disbanded, or broken into smaller groups as governments around the world have launched initiatives to take them on, including the Australian-led International Counter Ransomware Taskforce. This combined with fewer payouts means that many ransomware gangs are losing the funding they need to continue operations.

Another factor is that some ransomware gangs have likely pivoted their strategy. We’ve reported on ransomware’s evolution into a multi-pronged attack involving data theft, and it’s quite possible that many ransomware gangs have moved to simple data theft and extortion without the complications of data encryption. Whatever the case, it’s not unlikely that we’ll see a ransomware resurgence in one form or another in the near future.

5. Data access privileges becoming more restricted

For several years, our survey has seen the rate of companies restricting employee data access remain relatively steady, but this year’s results indicate a shift toward more data restriction. Only 16% of companies allow employees access to all company data, a drop of more than 50% from last year. This strategy is key to mitigating all security threats by ensuring that access to some of your network doesn’t mean access to all of it.

GA_09272023_5thAnnualDataSecurityReport-restrictionsofemployeedataaccess

To illustrate the difference this can make to your company's security, findings from GetApp’s 2023 Insider Threats Survey**** show the stark differences among companies that restrict data access appropriately vs. those that allow excessive employee data access (i.e., more access than needed for the role). Companies that restrict data are twice as likely to avoid insider attacks altogether.

GA_09272023_5thAnnualDataSecurityReport-dangerofexcessiveemployeeaccess

6. Security awareness training has never been more prevalent

All businesses should provide security awareness training on a regular basis, ideally twice each year. The number of businesses that provide security awareness training every six months has more than doubled over the last four years and continues to increase at a steady pace.

The number of businesses that perform training on an irregular basis has shrunk dramatically, dropping from 36% in 2019 to only 15% in 2023. Of course there is always going to be a small subset of companies that refuse to put in any security training efforts, typically around four to six percent.

GA_09272023_5thAnnualDataSecurityReport-securityawarenesstraining

Maintain momentum by bolstering your human defenses

As always, your weakest security link is your employees. While phishing effectiveness appears to have dipped, it’s still the top concern for IT security managers heading into 2024 and staying on top of emerging phishing threats and BEC schemes that are increasingly augmented by AI is critical. This means educating employees on social engineering techniques, something our survey finds is only done by one in three businesses (34%). 

Also concerning is that 59% of employees continue to reuse passwords, a number that has varied by only a percent or two over the years. Password reuse leads to numerous vulnerabilities and cyber attacks such as account takeovers and must be strongly discouraged. Focus on enforcing strong password policies and move toward replacing passwords with more secure options such as biometrics or physical security keys where possible.

To boost security, also remember to:

  • Confirm all funds transfers and sensitive data requests via a secondary means of communication.

  • Test your employees’ abilities to spot phishing schemes.

  • Ensure all staff know how to formally report a suspected cyberattack.

  • Develop an incident response plan to mitigate ransomware and other cyber attacks.

  • Regulate employee data access to prevent unnecessary vulnerabilities.

  • Schedule security awareness training every six months for all employees.

As our data shows, companies are putting more resources into data security and seeing results. But we’re not in the clear—if we’ve learned anything over the years, it’s that cybercriminals tend to regroup and come back stronger than ever, so now is not the time to let up.

Survey methodology

*GetApp’s 2023 Data Security Survey was conducted in August 2023 among 872 respondents to learn more about data security practices at U.S. businesses. All respondents were screened for full-time employment at U.S. businesses. 362 respondents identified as IT management professionals and 271 identified as IT security managers.

GetApp's 2022 Data Security Survey survey was conducted in August 2022 among 1006 U.S. respondents who reported full-time employment. Of these respondents, 289 identified themselves as their company's IT security manager.

GetApp’s 2021 Data Security Survey was conducted in August 2021 among 973 respondents to learn more about data security at U.S. businesses. Respondents were screened for full-time employment and 90 identified as their organization’s IT security manager.

GetApp’s 2020 Data Security Survey was conducted in September 2020 among 868 respondents who reported full-time employment. Of the 868 respondents, 267 identified as IT professionals and 83 identified as their organization’s IT security manager.

GetApp’s 2019 Data Security Survey was conducted in June 2019 among 714 respondents who reported full-time employment. Of the 714 respondents, 207 identified as IT professionals.

**GetApp’s Software Supply Chain Survey was conducted in April 2023 among 271 respondents to learn more about software supply chain threats at U.S. businesses. All respondents were screened for positions in IT or IT security within their company.

***GetApp’s 2023 Security Features Survey was conducted in January 2023 among 289 respondents to learn more about software security preferences among U.S. businesses. All respondents were screened for involvement in the software purchasing process at their company.

****GetApp’s 2023 Insider Threats Survey was conducted in March 2023 among 400 respondents to learn more about insider threats at U.S. businesses. All respondents were screened for leadership positions within their company.

Sources

  1. Business Email Compromise: The $50 Billion Scam, Internet Crime Complaint Center (IC3)

avatar
About the author

Zach Capers

Sr Specialist Analyst
Zach Capers is a senior analyst at GetApp, covering IT security, data privacy, and emerging technology trends. A former internal investigator for a Fortune 50 company and researcher for the Association of Certified Fraud Examiners (ACFE), his work has been featured in publications such as Forbes, Business Insider, and Journal of Accountancy.
Visit author's page