CRD #18

On incident response engagements, ransomware payments, incident root causes, security careers, hybrid work, software security & global threat trends.

The Cybersecurity Research Digest cuts through the marketing fluff and bias to bring you relevant and objective insights on cybersecurity stats and trends, all backed by empirical data.
The post features highlights from trustworthy research sources released between February 18 and March 3 followed by a list of all monitored reports.

IR engagements: ransom payments driven by speed of recovery, not system restoration

Surveys often suffer from biases that can distort findings, making real-world incident analysis valuable to understand cybersecurity realities. A recent report by Arctic Wolf based on hundreds of digital forensics and incident response (DFIR) engagements from October 2023 through September 2024 offers such insights into high-priority security incidents (i.e. those serious enough to warrant DFIR involvement).

The data shows that organizations most frequently seek DFIR assistance for ransomware cases (44%), followed by Business Email Compromise (BEC) (27%) and intrusions (24%). Notably, "intrusions" refer to threats detected before they escalate into ransomware or data extortion events.

Root causes of ransomware and data extortion IR cases (Arctic Wolf)

These empirical findings confirm that as companies strengthen backup and restoration capabilities, double extortion has become the norm—96% of ransomware cases now involve data exfiltration to increase pressure on victims. The report also claims that professional negotiators can reduce ransom demands by 64%, though this is not compared to cases where organizations negotiate independently.

While only 30% of DFIR cases result in ransom payments (compared to 80% in broader survey data), a surprising observation is that companies now primarily pay to expedite recovery or prevent data leaks, rather than out of necessity to restore systems. The median aggregate demand has remained at the same level as previously, at $600,000.

Regarding root causes for ransomware, unsecured RDP and compromised VPN credentials remain the primary entry points for ransomware and data extortion cases. Interestingly, human risk factors seem to play only a marginal role in Arctic Wolf's experience, diverging from the dominant notion that social engineering and adjacent factors are the main causes of breaches.

However, the second-largest category of IR cases hints at why the statistics appear to differ: in BEC cases (defined as account takeovers or plain impersonation tactics, e.g. via look-alike domains), phishing (72.9%) and previously compromised credentials (18.8%) dominate as root causes, underscoring the need for robust employee training, credential management, and stronger authentication measures, such as biometric- or possession-based MFA, to mitigate these risks effectively.

Security careers: broad responsibilities, high earning potential, but retention concerns persist

A survey of 500+ U.S. security professionals shows that most (60%+) jobs require blending roles across different disciplines, including SecOps, risk management, GRC, AppSec, and/or product security. What is clear, however, is that most cybersecurity roles are built on technical experience in the IT domain, with over 70% of security engineers and more than half of analysts and architects crediting their IT backgrounds as essential. Systems administration, network infrastructure, and general IT roles were the most cited foundational experiences, highlighting the strong technical prerequisites for cybersecurity careers.

Compensation varies significantly by role and region in the US, with security architects and engineers earning the highest average annual compensation at $206,000 and $191,000 (base + bonus), respectively, while mid-level security analysts with five years of experience earn around $133,000. Experts in the field reportedly often earn over twice as much as newcomers, underscoring the premium on deep expertise.

Compensation for US-based functional staff, by role (IANS and Artico Research)

Job satisfaction remains relatively low, with over 60% considering a job change within a year. Career stagnation is the leading concern, particularly among senior professionals, especially functional department heads, emphasizing the need for clearer growth pathways.

Meanwhile, return-to-office policies are at odds with workforce preferences—52% of cybersecurity professionals reportedly work remotely, 43% follow hybrid models, and only 1% favor on-site roles. Mandating office returns in a talent-scarce field risks attrition and hampers recruitment.

Unavoidable realities: hybrid work, BYOD, and SaaS

Another survey of over 500 respondents from organizations with more than 2,500 employees across the United States, United Kingdom, Canada, France, and Germany confirms that while return-to-office mandates are increasing, hybrid work remains the norm. An estimated 42% of employees are expected to continue working remotely in some capacity, reinforcing the need for organizations to adapt to a permanently hybrid workforce reliant on devices such as laptops and smartphones.

The shifting nature of the workforce (Source: Omdia and Palo Alto Networks)

Remote work has also entrenched the widespread use of personal devices—an ongoing challenge for security teams. Nearly all (98%) organizations report some level of BYOD policy violations, while 90% allow corporate data access from personal devices, amplifying related security risks.

Use of BYOD for laptops and smartphones (Source: Omdia and Palo Alto Networks)

Additionally, the study highlights the dominance of SaaS and cloud applications, with employees spending 80% of their workday on browser-based tools, underscoring the need for robust security measures around browser usage, particularly as behavior differs between managed and unmanaged devices.

Global threat trends: China-linked activity, access brokers, and malware-free attacks on the rise

CrowdStrike's yearly report highlights a surge in threat activity across multiple fronts, with China-linked operations increasing by 150% across sectors and up to 300% in key targeted industries.

The report also emphasizes the growing underground market for initial access, with access broker advertisements rising 50% year-over-year, underscoring the need for organizations to address attack vectors linked to compromised identities. In cloud security, valid account abuse accounted for 35% of incidents, while 52% of exploited vulnerabilities overall were tied to initial access. The shift toward stealthier tactics continues, with 79% of attacks in 2024 being malware-free—a sharp rise from 40% in 2019.

Additionally, vishing attacks (social engineering via phone calls) surged by 442% in the latter half of the year, reflecting an increasing reliance on this technique. The report also highlights the accelerating pace of cyber operations, with the average breakout time dropping to 48 minutes. Furthermore, CrowdStrike tracked 26 new adversaries, bringing the total number of identified threat actors to 257, illustrating the evolving and expanding global threat landscape.

State of software security: progress on critical risks, but fix times and security debt worsen

A yearly study by Veracode, an application security testing provider, has tracked software security trends since 2011, offering a long-term perspective on progress and challenges. The findings highlight a significant improvement in addressing the most relevant issues, with the pass rate for OWASP's most critical risks more than doubling from 23% to 52.3%. However, while the trend is positive, the number still shows that a substantial portion of code still contains critical vulnerabilities, and this data reflects applications tested by organizations that are actively investing in security.

While vulnerability reduction has improved, the study underscores a persistent challenge: the increasing time required to remediate security flaws, with the average time to fix vulnerabilities increasing nearly fivefold over the past 15 years. The growing complexity of modern software ecosystems—particularly the rising dependence on difficult-to-manage third-party code—is identified as a key driver of this trend, exacerbating security debt and delaying patching efforts. Notably, the study reports that half of organizations carry critical security debt, defined as unresolved high-severity vulnerabilities with high exploitability.

Reports monitored: 18 February - 3 March

To take a deeper dive into the topics most relevant for you, find below a list of all the monitored research reports (32) that were published during the observed period.

| Title | Organisation(s) | Topic(s) |
|---|---|---|
| 2025 Venminder State of Third-Party Risk Management Survey | ncontracts | third party risk |
| Internet Security Report - Q3 2024 | WatchGuard | malware detections |
| 2025 GenAI Data Security Report | Fortanix | GenAI security |
| Second Annual 2025 HITRUST Trust Report | HITRUST | security assurance |
| Annual Threat Report 2024 | DarkTrace | threat intel (general) |
| Karnataka Cyber Threat Report 2025 | Seqrite Labs | threat intel / Karnataka / India |
| QBE Hong Kong SME Survey | QBE Insurance | Hong Kong / insurance / SME |
| 2025 Cybersecurity Staff Compensation Benchmark Report | IANS Research and Artico Search | salaries / HR |
| 2025 Report on Top Risks | Protiviti and North Carolina State University's ERM Initiative | HR |
| UK Next-Gen Government IT: AI and Observability Insights | SolarWinds | AI / gov / UK |
| 2025 Fortra State of Cybersecurity Survey Results Guide | Fortra | general / perspectives |
| 2025 CISO Survey for Third-Party Cyber Risk Management | Panorays | third party risk |
| Secure manufacturing: The challenges of IT/OT convergence | Telstra | manufacturing / OT |
| 2025 SME IT Trends Report: Simplifying IT in the Fast Lane of Change | JumpCloud | SMEs |
| Sweden DMARC & MTA-STS Adoption Report 2025 | PowerDMARC | Sweden / email security |
| Protecting Your Business from Cyber Attacks: The State of DDoS Attacks 2024 Q3 & Q4 | Zayo Group | DDoS |
| 2025 SonicWall Cyber Threat Report | SonicWall | threat intel (general) |
| 2025 OT/ICS Cybersecurity Report | Dragos | OT / ICS / threat intel |
| Vulnerability Forecast for 2025 | FIRST | vulnerabilities / forecasting |
| The State of Workforce Security: Key Insights for IT and Security Leaders | Palo Alto / Omdia Research | workforce security |
| ReliaQuest's 2025 Annual Threat Report | ReliaQuest | threat intel (general) |
| API Security Trends 2025 | Salt Security | API security |
| Ponemon Insider Threat Report 2025 | DTEX / Ponemon Institute | insider risk |
| 2025 Threat Report | Arctic Wolf | IR experience / threat intel |
| 2025 Global Threat Report | CrowdStrike | threat intel (general) / APTs |
| Q4 2024 Cyber Threat Landscape: Gone Phishing. Evolving Techniques Keep Organizations on the Hook | Kroll | threat intel (general) |
| 2025 Global Threat Analysis Report | Radware | threat intel |
| Cybersecurity Barometer - Poland | KPMG Poland | Poland / national stats |
| Mapping the UK SME Cyber Security Landscape in 2025 | Six Degrees | UK / SMEs |
| High-Tech Crime Trends Report 2025 | Group-IB | threat intel (general) / cybercrime |
| State of Software Security 2025: A New View of Maturity | Veracode | software security |
| 2024 Threat Roundup | Forescout Technologies | threat intel (general) |

About

evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.
✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)