
According to the new Information Risk Insight Study by Cyentia Institute, the number of significant security incidents reported each quarter has risen by no less than 650% over the past 15 years. That’s an average increase of 43% every year, or roughly 10% per quarter.
It’s no wonder, then, that the likelihood of experiencing a cyberattack has quadrupled for large businesses since 2008, with small to mid-sized businesses experiencing over a 50% bump in probability.
These and other key risk insights prove by the numbers what many already know: without automated tools to combat a relentless onslaught of cybercriminal attacks, few companies—even big ones—can avoid a critical business hit in the future.
They also underscore the fleeting nature of risks over time; companies that do not keep up with the changing cadence may plant their security flag on shifting ground.
Ransomware Spikes; Accidents Fall
Ransomware attacks have risen a surprising 35% in the past six years, going from roughly 5% in 2018 to right around 40% in 2024. In the meantime, rates of accidental disclosure have dropped precipitously, falling from one-in-five to one-in-twenty since 2010.
It isn’t hard to imagine the impact of RaaS gangs, generative AI, and bots on rising ransomware numbers—not to mention the widespread press attention, notoriety, and historic payout sums that have become part and parcel of the game. As for lower rates of human error, the report offers no explanation but assumes it won’t be long before “human nature will reassert itself” again.
As ransomware continues to climb, Fortra offers multi-layer ransomware defense: data protection, vulnerability management, digital risk protection, offensive security, and more. And reduced rates of human error can become reliable, not the products of serendipity, with Fortra Human Risk Management’s comprehensive, adult-centric modules on avoiding today’s latest attack trends like phishing, deepfakes, and social media scams.
Small Businesses Hit Harder Than Large Ones: Or Are They?
Companies with under $100 million in revenue now officially take home a larger share of the attack pie than their larger, corporate counterparts.
However, a closer look at the data reveals that those numbers might be deceiving. There are more SMEs than large corporations overall, so those figures are to be expected. Because large institutions are still hugely lucrative targets, though, it stands to reason that they experience more attacks per company than smaller ones.
Critical Infrastructure Attacks are Climbing
Additionally, attacks on critical infrastructure entities are on the rise. Organizations in the energy and supply chain sectors are experiencing an increase in attacks, with Transportation, Manufacturing, Utilities, and Mining the targets of ever-more-frequent cybercriminal attempts.
Critical infrastructure is subject to myriad hazards, including “denial of service, negligence, forced malfunctioning of control systems (ICS), application testing practices that don’t predict vulnerabilities, terrorist attacks, [and] natural calamities...” Shoring up critical infrastructure software—including software from third parties—with dynamic application security testing (DAST) can provide needed visibility into security gaps that were missed in development.
Phishing and Valid Accounts: Top Intrusion Methods
Common sense indicates that attackers will never work harder than they have to. This is evidenced by the fact that most still opt to go around sophisticated cybersecurity defenses by leveraging low-tech methods like phishing and credential theft to do most of their dirty work.
According to the report, the top tactics, techniques, and procedures (TTPs) this year were:
Exploiting Valid Accounts via credential compromise
Exploiting Public-Facing Applications (APIs, cloud services, web applications)
Phishing (social engineering techniques via email)
Exploiting Trusted Relationships (via business email compromise (BEC), escalated privileges, and more)
Hardware Additions (malicious hardware resembling normal hardware)
Again, the trend here is that today’s adversaries find it easier to trick us than to circumvent advanced detection and response tools. To the extent they can, they avoid them.
For this reason, educating your employees on how to detect and avoid a social engineering ruse is paramount to defending against these types of attempts. Additionally, solutions like Fortra Cloud Email Protection provide AI-driven detection beyond what advanced email security platforms (secure email gateways included) can catch.
Fortra’s integrated cloud email security (ICES) solution scans content for context, picks out metadata and leverages global threat intelligence to catch spear phishing, BEC, and other advanced social engineering attacks.
Don’t Get Too Comfortable: Lessons from the 2010 Plateau and Beyond
Along with calling attention to the staggering sixfold increase in overall attacks since 2008, the report emphasizes the presence of macro, time-sensitive trends.
2008 to mid-2010s: Large-scale data breaches spiked statistics, leading to a large increase.
Mid-2010s plateau: Increasing sophistication from “smash and grab” to “low and slow” led to consistent high success rates in the middle of the last decade.
Roaring ’20s: Accelerating ransomware trends and the pandemic added to newly increasing attack figures. It is likely that RaaS, geopolitical tensions, and now AI have contributed to this new wave as well.
These trends may be news to no one who lived through them on the security side for the past 20 years, but a concluding point from Cyentia Institute Executive Fellow Jack Freund is worth mentioning: “Today’s dominant risk may be tomorrow’s footnote, and cyber risk models need to keep pace. Further, if your security strategy isn’t recalibrating with these changes in risk, you’re planning for a past that doesn’t exist.”
Staying Agile with Fortra
Recognizing the attack trends—those that are here to stay, and those that might reflect the circumstances of the moment—is critical to building a cybersecurity strategy that fits the times.
With a vast portfolio of industry-leading solutions—from offensive components like red teaming to defensive technologies like human risk management and XDR—Fortra helps teams upend emerging threats and break the attack chain.
Because the winds could shift and attackers could pick up a new battle cry tomorrow, building a relationship with a comprehensive security vendor like Fortra can help your organization weather future storms, no matter what shape they take.
To learn more, check out Fortra’s suite of advanced cybersecurity solutions.