CRD #9
On DDoS trends, SMB issues, SaaS risks, training programs & more.
The Cybersecurity Research Digest cuts through the bias and marketing fluff to bring you relevant and objective insights backed by data.
Featuring validated research highlights from sources released between 22-28 October 2024, followed by a list of all monitored reports.
Canada reports fewer breaches, but intensifying severity
Vendor-commissioned reports often tell the same story – more attacks, more problems, all to give clients more reasons to invest in their offerings. This is why research by public sector entities can be valuable to balance the FUD-led (fear, uncertainty, doubt) messaging.
Statistics Canada's analysis of 2023 data shows that the proportion of Canadian businesses impacted by cybersecurity incidents has declined since 2019, dropping from 21% to 16%, a trend also observed in the UK. Among the businesses that were impacted, 13% experienced ransomware, with nearly 90% of victims opting not to pay. Of those who did pay, the majority paid less than $10,000, and only 4% paid over $500,000. This data provides a refreshing contrast to private sector surveys, which often report that over 50% of victims pay, with average payments exceeding $200,000.
However, Statistics Canada also reports a steady rise in total incident recovery costs, suggesting that, although fewer businesses are affected, the severity of impacts may be increasing. This aligns with a trend known as "big-game hunting," where attackers focus on high-value targets.
DDoS patterns: high-traffic, short attacks as ransom motives grow
Cloudflare observed a 55% year-over-year spike in DDoS attacks during Q3 2024. Notably, 90% of monitored attacks—growing steadily in traffic volume—are short-lived, lasting only minutes, with just 3% extending beyond an hour.
In cases where victims could attribute the attacker or identify the attack's motivation, 32% reported extortionists, 25% identified a competitor, 21% pointed to a disgruntled customer or user, and only 14% attributed the attack to state-level actors.
As extortionists drive the trend, ransom-motivated DDoS attacks have surged by 17% year-over-year, reflecting ransomware actors’ expanded tactics to include more than just encryption and data leaks.
SMBs most affected by cybersecurity hiring issues
A survey of over 5,000 organizations reveals that small and medium-sized businesses (100-500 employees) rank the cyber skills shortage as one of their top risks, while larger organizations (500+ employees) clearly perceive it as less pressing. Supporting the case for managed services, the study also highlights a possible consequence: SMBs appear to experience a higher rate of ransomware incidents leading to data encryption than large organizations (74% versus 66%).
Explaining the rapid growth of the MSSP market, in-house security professionals in SMBs—who inherently operate with limited budgets—report significant difficulties in managing security operations due to constraints in tools, time, and personnel. As a telling observation, the survey shows that one-third of SMBs simply have no one monitoring and investigating security alerts.
SaaS risk creep: dealing with the explosive growth of unmanaged services
An analysis of SaaS application adoption trends shows a steady rise in tools used per employee, increasing from an average of 5 managed SaaS apps per person in 2022 to 13 in 2024. Another survey reveals that a third of organizations lack visibility into the total number of SaaS apps deployed, and only half have strict policies governing SaaS usage.
The rapid adoption of new SaaS solutions—particularly GenAI—is clearly outpacing security teams' ability to maintain oversight, let alone manage security, identities, and data exposure across the organization. Data indicates that most SaaS apps in use (over 85%) are unmanaged or unmonitored, contributing to what is termed "SaaS risk creep": a gradual buildup of vulnerabilities from unmanaged apps and the user accounts tied to them.
Global insights: how organizations run awareness and training programs
A global survey of over 1,800 organizations with active security awareness and training programs provides insight into how these initiatives are currently structured. The study reveals a growing dissatisfaction among leaders, with nearly 70% expressing concerns about critical gaps in employee cybersecurity knowledge—a significant increase from 56% in 2023.
Interestingly, organizations report that employee attitudes toward awareness training have improved, largely due to the increasing use of AI by malicious actors. However, adoption of and interest in training remain reactive, with past security breaches (or the threat of one) driving program adoption in 52% of cases, followed by corporate sponsorship (21%) and compliance or regulatory requirements (13%).
Most organizations (81%) believe that at least three hours of training are needed to effectively raise cyber awareness. Training modules typically last between 5 and 15 minutes for most topics, extending up to 30 minutes for complex subjects, allowing up to 12 topics to be covered annually.
Reports monitored: 22-28 October 2024
To take a deeper dive into the topics most relevant to you, we've listed all the research reports that were published during the observed period.
About
evisec's Cybersecurity Research Digest provides security leaders verified strategic insights via a carefully curated weekly summary of evidence-led, unbiased and objective cybersecurity research publications. Read more about our service here.
✉️ Suggestions or want to collaborate? Get in touch via LinkedIn or email (henry@evisec.xyz)