‘Security Navigator 2023’ Shows Cyber Extortion Dominates Landscape

Orange Cyberdefense, a specialist arm of Orange Group, released its annual security research report, the Security Navigator 2023. In this year’s analysis 99,506 potential incidents were investigated, an increase of 5 percent from the 2022 report. While the report shows encouraging signs the pace of incidents is slowing, several factors remain a cause for global concern.

For example, the data show businesses take around 215 days to patch a reported vulnerability. Even for critical vulnerabilities, it generally takes more than six months to patch. The Orange Cyberdefense ethical hacking team reports a ‘Serious’ (critical or high) issue in almost 50 percent of all the tests conducted.

“We are seeing cyber extortion impact businesses of all sizes across the world. Eighty-two percent of observed Cy-X victims were small businesses, an increase from the 78 percent we measured last year,” the report states.

While a marked slowdown in cybercrime was noticed at the onset of the Ukraine war, the intensity increased again. “We see significant increases in cyber extortion also: over the last six months, for example, the number of Cy-X victims in East Asia and Southeast Asia grew by 30 percent and 33 percent respectively.”

Ransomware and cyber extortion attacks continue to prove a major threat to organizations globally, and as such featured regularly in Orange Cyberdefense’s World Watch threat advisories throughout the year.

Orange Cyberdefense also noted bad actors strike opportunistically. Almost 90 percent of them claimed victims in the United States. More than 50 percent hit the United Kingdom, and more than 20 percent hit Japan – a country with one of the smallest numbers of observed victims in the Orange dataset.

According to the report, small businesses are 4.5 times more likely to be targeted by cyber extortion than medium and large businesses combined. As a proportion, however, large businesses are more heavily affected.

The report notes the manufacturing sector remains No. 1 in terms of cyber extortion (Cy-X) victim count.

Drawing on a new dataset of vulnerability insights, researchers identified a persistence of serious vulnerabilities on business IT systems, with 47 percent of confirmed weaknesses identified as ‘critical’ or ‘high’ severity. Critical exposures took organizations more than half a year (184 days) to patch. Other vulnerabilities can persist longer, with data suggesting many attacks will never be patched.

Organizations’ employees remain at the frontline of a company’s defense but can also represent their weakest link. For example, the report shows that:

  • For public administration, most incidents were attributed to internal sources, whether deliberate or accidental.
  • In the manufacturing sector, 58 percent of the incidents were classified as originating internally. In the “transportation and warehousing” sector,64 percent of the incidents were internal.