It’s Cybersecurity Awareness Month, and, as is tradition, Microsoft has moved to release their Digital Defense Report. This year, they’re reporting on the period between July 2022 and June 2023, crunching the numbers and attempting to solidify an ever-changing threat landscape.
The report, across 131 pages, touches on the state of cybercrime, nation-state threats, the crucial cybersecurity challenges that all companies face and more.
In this blog, we’ll pull together some of the highlights and showcase some of the cybersecurity learnings that businesses need to know.
Let’s get started.
The report reveals that over 99% of successful cyberattacks could be prevented by following basic cyber hygiene practices.
Measures like enabling multi-factor authentication (MFA), applying zero trust principles, keeping systems patched and up-to-date, using endpoint detection and response solutions, and protecting data form a robust first line of defence for organisations of any size.
However, human error remains a primary enabler of cyberattacks.
Despite increasingly widespread security awareness training, phishing click rates have remained relatively stable.
This is largely down to the methods of training deployed by organisations. For example, the report found that video-based training only reduces phishing susceptibility by around 3% at best. More personalised, tailored training focused on actual behavioural change, like that offered by Bob’s Business, is required.
The report warns that adversary-in-the-middle (AiTM) phishing campaigns are surging dramatically.
These attacks involve threat actors using reverse proxy servers to intercept and steal login credentials and session cookies, bypassing traditional protections.
Attackers are also refining their social engineering, exploiting trusted third-party communications and sending specially crafted phishing messages based on reconnaissance of individual targets.
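The AiTM pattern described above has a detectable signature on the defender's side: the victim completes the login through the attacker's proxy, so the sign-in arrives from an unfamiliar client, and the captured session cookie is later presented from yet another client. The following Python sketch is an added illustration, not code from the report or from Bob's Business; the event schema, the `known_good` baseline and the sample records are constructed for this example, and the addresses are from reserved documentation ranges.

```python
"""Added example: two simple indicators of AiTM-style session theft over
constructed sign-in telemetry (not any vendor's log format)."""
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class SignIn:
    ts: datetime
    user: str
    session_id: str
    ip: str
    user_agent: str
    kind: str  # "login" = cookie issued after MFA; "request" = cookie presented


def detect_aitm_indicators(events, known_good):
    """Return (reason, user, session_id, ip) tuples.

    known_good maps user -> set of (ip, user_agent) pairs seen in prior
    trusted activity (a hypothetical baseline assumed for this example).

    Indicator 1: a login from a client that is not in the user's baseline;
    through a reverse proxy the MFA-completed login originates at the proxy.
    Indicator 2: the issued cookie is later presented from a different IP
    AND a different user agent than the client that completed the login,
    which is what replaying a stolen cookie from attacker infrastructure
    looks like. Requiring both to differ reduces noise from a laptop simply
    moving between networks.
    """
    alerts = []
    issued = {}  # session_id -> the login event that created it
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            issued[ev.session_id] = ev
            if (ev.ip, ev.user_agent) not in known_good.get(ev.user, set()):
                alerts.append(("login_from_unknown_client", ev.user,
                               ev.session_id, ev.ip))
        elif ev.kind == "request":
            first = issued.get(ev.session_id)
            if first is None:
                continue  # session not established in this window; skip
            if ev.ip != first.ip and ev.user_agent != first.user_agent:
                alerts.append(("cookie_replayed_from_new_client", ev.user,
                               ev.session_id, ev.ip))
    return alerts


# Constructed baseline and events. The proxy forwards the victim's real
# browser user agent, so only the IP looks odd at login time; the replay
# from the attacker's own tooling differs in both IP and user agent.
EDGE = "Mozilla/5.0 (Windows NT 10.0) Edge/118"
KNOWN_GOOD = {"alice": {("203.0.113.10", EDGE)}}
SAMPLE_EVENTS = [
    SignIn(datetime(2023, 5, 1, 9, 0), "alice", "s1", "203.0.113.10", EDGE, "login"),
    SignIn(datetime(2023, 5, 1, 9, 5), "alice", "s1", "203.0.113.10", EDGE, "request"),
    SignIn(datetime(2023, 5, 1, 11, 0), "alice", "s2", "198.51.100.7", EDGE, "login"),
    SignIn(datetime(2023, 5, 1, 11, 9), "alice", "s2", "192.0.2.44", "curl/8.4.0", "request"),
]


def run_sample():
    """Run the detector over the constructed events."""
    return detect_aitm_indicators(SAMPLE_EVENTS, KNOWN_GOOD)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Neither indicator is proof on its own; the first also fires for genuine travel and the second misses an attacker who replays the cookie from the same proxy host. They are useful as triggers for revoking the session and re-prompting for phishing-resistant authentication, and as a complement to, not a substitute for, the hygiene measures the report lists.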
Ransomware continues to plague organisations, with human-operated ransomware attacks doubling over the past year.
These intrusions often exploit unpatched systems and unmanaged devices. The report observes attackers increasingly using remote monitoring tools to conceal activity and make attribution more difficult.
Business email compromise (BEC) attacks have also skyrocketed, reaching 156,000 daily attempts globally. Threat actors hijack communication threads and leverage cloud infrastructure to conduct more sophisticated invoice and payment fraud.
The report highlights a shift amongst nation-state groups away from high-volume destructive attacks towards stealthy cyber espionage campaigns.
Key targets include critical infrastructure organisations and policymakers, alongside governments and governmental bodies.
State-sponsored groups are exploiting vulnerabilities faster, enhancing cloud operations, and increasingly using custom malware and "living off the land" techniques to hide activity.
Facing this complex threat landscape, the report emphasises the importance of cyber awareness training and building organisational resilience through measures like:
In short, Microsoft asserts that organisations that take a strategic, resilience-focused approach to cybersecurity are best positioned to protect themselves against both commoditised attacks and sophisticated, targeted threats.
At Bob’s Business, we’ve helped millions of employees to take responsibility for their organisations' cybersecurity through effective, engaging and entertaining training.
With over 70 interactive and gamified courses, we give your team the knowledge they need to spot and stop attacks and to build good cyber hygiene.