Don’t Get Spooked! Cybersecurity Awareness Month Tricks & Treats
With high-profile cybersecurity breaches in the news, such as Change Healthcare, AT&T, Dell, and Avis Rent-a-Car, this Cybersecurity Awareness Month has gotten a little too spooky for businesses. To keep cyber attackers away, we’ve compiled a list of real-world cybersecurity statistics (Tricks) along with recommendations (Treats) on how your business can avoid getting spooked this Halloween.
Trick: 69% of employees intentionally bypassed cybersecurity guidance in the last 12 months.
(Gartner)
- Treat: Entity-wide cybersecurity awareness training programs and anti-phishing campaigns are essential. Regular education on recognizing warning signs is key to preventing human-enabled vulnerabilities. Update and distribute detailed information security policies and procedures annually for all employees to review and acknowledge. In mature control environments, a top-down enforcement approach instills user awareness and less risky decision-making. These training programs are so essential that EY recently terminated dozens of employees for bypassing training exercises.
Trick: 74% of CEOs are concerned about their organization’s ability to avert or minimize damage to the business from a cybersecurity attack.
(Accenture)
- Treat: A cybersecurity risk assessment should be performed at least annually to keep up with the evolving threat landscape and help identify new or unmitigated risk areas. In addition, cyber risk assessments are a great way to identify gaps in incident response efforts, which greatly minimizes the impact of an attack. A significant number of organizations do not perform cyber risk assessments regularly or at all and, as a result, are unaware of the critical vulnerability risk areas they need to address. For publicly traded companies, performing a cyber risk assessment is no longer merely suggested; it is required under the SEC Cybersecurity Disclosure Rules.
Trick: 43% of cyber-attacks target small and medium-sized businesses (SMBs), 60% of which go under within 6 months of a cyber-attack.
(National Cyber Security Alliance)
- Treat: Many SMBs often have the mentality of “they won’t come after us; they want the big fish.” But cybercriminals are looking for the easiest targets. SMBs are less likely to dedicate adequate resources toward cybersecurity risk management, which makes them easy targets for attackers to wreak havoc.
Trick: The average ransomware payment continues to rise, estimated at $800,000, and the average cost of a ransomware recovery is nearly $2,000,000. Ransomware damage costs are expected to exceed $265 billion USD annually by 2031.
(IBM)
- Treat: Ransomware attackers typically penetrate information systems by tricking users into clicking phishing links, compromising user credentials, or exploiting known system vulnerabilities. Research has found that nearly a third of all newly discovered malware (approximately 94% of which is distributed via e-mail) is ransomware, which can cause significant disruption to key infrastructure. The best ways to combat these attack vectors are stringent access controls, security awareness training programs, and formalized patch management programs that ensure information systems are running on the most up-to-date supported versions.
Trick: In 2024, it is expected that nearly 74% of cyberattacks involve AI-powered threats.
(Dark Trace)
- Treat: Investing in cutting-edge data loss prevention (DLP) systems with AI capabilities and implementing comprehensive cybersecurity training to prevent human-enabled vulnerabilities will significantly enhance your organization’s resilience against cyber threats. Conducting regular workshops will help organizations detect more sophisticated business e-mail compromise and social engineering attacks by training employees to spot red flags more effectively.
Trick: 32% of cyber incidents involved data theft and leakage, indicating that more attackers are favoring stealing and selling data rather than encrypting it for extortion.
(IBM)
- Treat: Ransomware attackers typically penetrate information systems by tricking users into clicking phishing links, compromising user credentials, or exploiting known system vulnerabilities. Research has found that nearly a third of all newly discovered malware (approximately 94% of which is distributed via e-mail) is ransomware, which can cause significant disruption to key infrastructure. In the event of an intrusion in which threat actors threaten to release data, organizations should engage in data mining activities to determine the extent to which data has been exfiltrated. The best ways to combat these attack vectors are stringent access controls, security awareness training programs, and storing backups offline so that backup data is immutable and can be restored if files are maliciously encrypted. Additionally, it is vital that organizations formalize patch management programs to ensure that information systems are running on the most up-to-date supported versions, free of known vulnerabilities.
Trick: Around 24% of companies that pay the ransom are not able to recover their data after the payment is made.
(Sophos)
- Treat: Companies should keep in mind that it’s not always worth it to pay the ransom. Companies should invest in strong data backup practices, including testing the recoverability of data and maintaining immutable (offline) backups. It may be cheaper in the long run to rebuild than to pay the ransom. Disaster recovery plans should define a recovery point objective (RPO), the amount of data the company is willing to lose, and a recovery time objective (RTO), the maximum amount of time allowed for restoring information systems after a disaster or attack. Organizations should be mindful not to ‘reinfect’ their environment with a compromised restoration: backups should be restored within a sandbox or test environment before being pushed to production, to make sure the backup data was not infected by the attack (the latest backup may itself contain malware or other infected data). Additionally, organizations should ensure they’re equipped with cyber liability insurance that includes coverage for ransomware payments in the event that a payment has to be made.
Trick: The annual cost of cybercrime will likely increase by 15% every year until it hits $10.5 trillion in 2025.
(World Economic Forum)
- Treat: It is projected that there will be 343 million cybercrime victims in 2024, or 11 victims per second. Every individual and organization is a potential cybercrime victim, but you can mitigate the risk and impact of a cyber-attack by understanding your threat landscape and having detailed incident response and disaster recovery plans, in addition to robust access and monitoring controls. Performing regular assessments against industry standards and frameworks like NIST CSF 2.0, MITRE ATT&CK, and the CIS Controls will aid in defining your identification and response plan and in hardening the security configurations currently in place.
Trick: 54% of SMBs do not use multi-factor authentication (MFA) for their business. Of those with the option to use MFA, only 28% of SMBs require its use. More than half of super admins don’t have MFA enabled.
(Cyber Readiness Institute)
- Treat: MFA drastically mitigates the risk of unauthorized access via compromised user credentials. However, given the increased sophistication of cybercriminals, organizations should now avoid using SMS (i.e., text messaging) as a one-time code authentication factor for MFA when accessing information systems. If MFA is not currently required to access your information systems, it is strongly recommended that you implement it immediately.
Trick: More than 77% of organizations do not have an Incident Response Plan.
(cybinsolutions)
- Treat: An Incident Response Plan (IRP) is one of three critical pillars within the Crisis Management suite of policies, the other two being the Disaster Recovery (DR) plan and the Business Continuity Plan (BCP). While DR and BCP help get systems back up and running and keep operations going in the event of an outage, the IRP should be established as the plan for responding to an incident and limiting the risk of negative consequences. Testing the IRP with the necessary stakeholders is an often overlooked step and can be the difference between the IRP being effective or ineffective when put into use during a crisis.
Trick: 53% of organizations have experienced a third-party data breach in the past year. 50% of organizations don’t monitor third parties with access to sensitive and confidential information.
(Ponemon Institute)
- Treat: Establishing and maintaining a robust vendor management program is a key consideration for mitigating vendor-related risks. This should include a vendor risk management policy covering onboarding and monitoring of vendors, vendor risk ratings, review of internal control reports and SLA compliance, and requirements for the completion of cybersecurity validations. Assigning an “owner” of the vendor management program is also a key differentiator between successful and ineffective vendor risk management functions. Organizations should conduct regular security audits, review SOC 2 reports and other security compliance attestations, perform an annual performance review of their third-party vendors, and require vendors to maintain comprehensive security measures to protect sensitive data.
Trick: 44% of CEOs don’t view cybersecurity as a strategic business matter.
(Accenture)
- Treat: Failing to recognize cybersecurity as a strategic business matter may leave organizations vulnerable to significant risks, such as severe financial loss, reputational damage, and legal consequences. Integrating cybersecurity into the organization’s strategy helps ensure that the business has the appropriate safeguards in place to reach its goals, fostering resilience and long-term success.
How Centri Can Help
At Centri, our IT risk and cybersecurity advisory services are designed with your greatest assets in mind — your people. We’re here to offer you the support, resources, and expertise you need, exactly when you need it most. Our cybersecurity advisory experts collaborate with your senior management to:
- Assess cybersecurity threats and vulnerabilities to your organization via a comprehensive risk-based approach.
- Align your internal controls with recognized industry frameworks.
- Provide valuable insight and actionable takeaways & implementation plans.
- Serve as trusted risk advisors, including developing roadmaps to address the cybersecurity challenges that are unique to your organization.
You can’t predict what will happen, but you can protect your business. Contact us to learn how we can set your business up for success.
Editor’s note: This article was originally published on October 22, 2023. It was updated on October 31, 2024.
Rich Sowalsky, Managing Director | IT Risk & Cybersecurity Practice Leader | CISA
Rich is a Managing Director at Centri Business Consulting and the leader of the firm’s IT Risk & Cybersecurity Practice. He has more than 14 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.
Karyn DiMassa, Managing Director | CPA, PMP, CISA, CFE
Karyn is a Managing Director in the IT Risk & Cybersecurity Practice at Centri Business Consulting. She has more than 13 years of combined experience in internal IT audit and external audit support (IT controls), third-party assurance (SOC 1 and SOC 2 reporting), internal controls consulting, project management, IT risk and cybersecurity, and system implementation support.
Ian O’Connor, Manager | IT Risk & Cybersecurity
Ian is a Manager in the IT Risk & Cybersecurity practice at Centri Business Consulting. He has more than 7 years of combined experience in internal control consulting, IT risk, cybersecurity advisory, and risk-based internal audits and accounting.