It will come as a surprise to virtually no one that the recently released FBI Internet Crime Report for 2023 documents an increase in reported cybercrimes (up 10%) as well as associated financial losses (up 22%). In 2023, according to the FBI, financial losses totaled a staggering $12.5 billion.
What may be surprising, however, is viewing these figures in the context of a recent Wall Street Journal article that forecast a one-year jump in global cybersecurity spending of almost 15%: from $188 billion in 2023 to $215 billion in 2024. How is it that, amid a surge in cyberdefense spending, the number of attacks has continued to grow at an alarming pace? One answer is that threat actors have continued to sharpen their skills, modifying their attacks to circumvent the steps taken to harden IT networks. Cyber threat actors have also developed new ways to monetize their attacks, ratcheting up the pressure on victims to pay the ransom for data being held hostage. Another observation in the article is how threat actors increasingly attack the IT networks of third-party vendors, using them as pathways to the intended victims. Simply put: if you harden your cyber defenses to the point that threat actors cannot find a way in, they will move to one of your vendors, typically a small company that may not spend as much as you do on cyberdefense, and enter your IT environment through the access you have granted that vendor.
The lesson is that third-party vendors holding your data may provide a tunnel into your network. It is up to you to establish a strong vendor management program, conducting due diligence on your vendors' cybersecurity practices and learning how they store and transfer data.
As cybercrime losses grow despite increased cybersecurity spending, due diligence to assess and manage third-party risk is money well spent.