With the global average cost of a data breach being 4.45 million USD in 2023, businesses can’t afford to ignore the biggest cybersecurity risks.
1Password surveyed 1,500 North American white-collar employees – including 500 IT security professionals – to better understand today’s security landscape. The survey found that security pros are most worried about external threats like phishing or ransomware (36%) and internal threats like shadow IT (36%).
In this post, we dive into the top three cybersecurity threats, how they manifest in a company, and what security professionals can do to combat these common but manageable threats. After all, what is cybersecurity for business if not the ongoing pursuit of staying one step ahead of an ever-evolving security landscape?
Phishing
Phishing is a scam that tries to trick people into giving away sensitive information. The message is crafted to look like it comes from a trustworthy source, so the recipient believes they are handing credentials, credit card numbers, or other sensitive data to a legitimate party when they are really handing them to the attacker.
In our 2024 State of Enterprise Security Report, we found that 61% of employees have been – or have seen a colleague be – the target of a phishing attack from someone posing as a CEO, manager, colleague, vendor, client, or other work associate. We also found that 18% of employees clicked a link in a suspicious email, showing that not all employees are capable of identifying suspicious emails.
With 23% of employees using passwords that follow a similar pattern or are identical, and 19% of employees using the same passwords across multiple work accounts, a single password exposed in a phishing scam can give an attacker a foothold well beyond the one account that was phished.
And those are the stats for the state of phishing right now. Phishing scams aren’t anything new; in fact, they’ve been around since the early nineties. As AI continues to advance, phishing scams are taking on a new level of sophistication, making them harder to spot even for people who are adept at security. And the speed at which AI can be deployed makes it cost effective for criminals to target companies of every size, not just enterprise businesses.
Implementing multi-factor authentication and increasing employee education about spotting suspicious emails are two of the best ways that businesses can reduce the risk of phishing scams. Phishing-resistant factors such as hardware security keys or passkeys (FIDO2/WebAuthn) are preferable to one-time codes, since a code typed into a convincing fake login page can be relayed to the real site just as easily as the password.
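The indicators employees are taught to look for (a sender domain that almost matches a trusted one, a Reply-To that goes somewhere else, link text that names one site while the link points at another, and a request to "verify your password") can also be checked mechanically. The following is an added example written for this post, not code from 1Password or from the report; the trusted-domain list and both e-mail messages are constructed for illustration.

```python
"""Flag common phishing indicators in a raw e-mail (added illustrative example)."""
import email
import email.utils
import re
from email import policy

# Domains the organisation trusts; constructed for this example.
TRUSTED_DOMAINS = {"example.com", "vendor-example.net"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch look-alike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _domain(header_value: str) -> str:
    _, addr = email.utils.parseaddr(str(header_value))
    return addr.rsplit("@", 1)[-1].lower()


def phishing_indicators(raw: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    sender = _domain(msg["From"] or "")

    # 1. Sender domain is close to, but not equal to, a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if sender != trusted and edit_distance(sender, trusted) <= 2:
            findings.append(f"look-alike sender domain {sender} (resembles {trusted})")

    # 2. Replies are routed to a different domain than the one the mail claims to come from.
    if msg["Reply-To"]:
        reply = _domain(msg["Reply-To"])
        if reply != sender:
            findings.append(f"Reply-To domain {reply} differs from From domain {sender}")

    # 3. Visible link text names one host while the href points at another.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for href, label in re.findall(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', text, re.I | re.S):
        href_host = (re.match(r"https?://([^/\s]+)", href, re.I) or [None, ""])[1].lower()
        label = re.sub(r"<[^>]+>", "", label).strip()
        m = re.fullmatch(r"(?:https?://)?([\w.-]+\.[a-z]{2,})(?:/\S*)?", label, re.I)
        if m and href_host and m.group(1).lower() != href_host:
            findings.append(f"link text shows {m.group(1).lower()} but points to {href_host}")

    # 4. Classic credential-harvesting wording.
    if re.search(r"\b(verify|confirm|update)\b.{0,40}\b(password|account|credentials)\b", text, re.I | re.S):
        findings.append("asks the recipient to verify/confirm credentials")
    return findings


# Constructed sample: a lure impersonating the help desk from a look-alike domain.
SAMPLE_PHISH = b"""From: IT Helpdesk <helpdesk@examp1e.com>
Reply-To: support@mail-recovery.example.org
To: alice@example.com
Subject: Action required
Content-Type: text/html; charset="utf-8"

<html><body><p>Please <a href="http://login.examp1e.com/verify">https://sso.example.com</a>
to verify your password before it expires.</p></body></html>
"""

# Constructed sample: an ordinary internal notification that should produce no findings.
SAMPLE_LEGIT = b"""From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Ticket closed
Content-Type: text/plain; charset="utf-8"

Your ticket #4521 has been closed. Reply to this mail to reopen it.
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_PHISH):
        print("suspicious:", finding)
    print("legit findings:", phishing_indicators(SAMPLE_LEGIT))
```

None of these checks is proof of phishing on its own; the value is in surfacing several weak signals together so a reviewer, or an employee who has had the training, knows where to look before clicking.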
Ransomware
Ransomware has been around since the late eighties but took the spotlight in 2021 with a significant uptick in incidents. According to Malwarebytes' new 2024 ThreatDown State of Malware Report, ransomware attacks increased by 68% in 2023.
If you haven’t already come across it, ransomware is a form of malware that infects a digital system (servers, computers, phones, etc.) and encrypts its files so that the owner is locked out of them. The criminal then demands a ransom in exchange for the key needed to decrypt the files and restore access.
There are many ways ransomware can make it into an organization, including phishing (45% of ransomware attacks involved phishing), compromised credentials, and criminals breaking in through software vulnerabilities.
Security professionals admit that they’re struggling to stay on top of the latest patch/update cycles, and often don’t have a way of monitoring whether employees are following through with required updates. 1Password found that more than 45% of employees don’t update software immediately upon receiving an alert that they should. These unpatched vulnerabilities can leave companies exposed to a ransomware attack.
One of the strongest defenses against ransomware is an access management solution that makes sure every identity, device, and application is secure, so that a phished password or an unpatched laptop doesn’t become a path into everything else. Pair it with timely patching and with tested, offline backups, so that if encryption does happen the business can restore its data without paying.
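If the blocker is that the security team can’t see whether updates actually landed, the fix is to compare what endpoints report against what is required. The script below is an added example for this post, not 1Password code: it assumes a CSV export from some device-management agent (columns host, last_seen, package, version), a constructed table of minimum versions, and flags hosts that are outdated, missing a required package, or haven’t checked in recently enough to be trusted at all. It also avoids the common mistake of comparing version strings lexically, where "3.10.0" sorts before "3.9.4".

```python
"""Patch-compliance report over an endpoint inventory (added illustrative example)."""
import csv
import io
import re
from datetime import datetime, timedelta, timezone

# Minimum versions the security team requires; constructed for this example.
REQUIRED = {"browser": "124.0.6367.60", "vpn-client": "7.2.1", "os-agent": "3.10.0"}

# Constructed inventory export (assumed format: host,last_seen,package,version).
INVENTORY_CSV = """host,last_seen,package,version
lt-001,2024-05-02T09:14:00Z,browser,124.0.6367.60
lt-001,2024-05-02T09:14:00Z,vpn-client,7.2.1
lt-001,2024-05-02T09:14:00Z,os-agent,3.10.0
lt-002,2024-05-01T17:03:00Z,browser,123.0.6312.122
lt-002,2024-05-01T17:03:00Z,vpn-client,7.2.1
lt-002,2024-05-01T17:03:00Z,os-agent,3.9.4
lt-003,2024-04-10T08:00:00Z,browser,124.0.6367.60
lt-003,2024-04-10T08:00:00Z,vpn-client,7.2.1
lt-003,2024-04-10T08:00:00Z,os-agent,3.10.0
lt-004,2024-05-02T12:30:00Z,browser,124.0.6367.60
lt-004,2024-05-02T12:30:00Z,os-agent,3.10.0
"""

# Fixed "now" so the report is reproducible; in practice use datetime.now(timezone.utc).
NOW = datetime(2024, 5, 3, tzinfo=timezone.utc)


def version_key(v: str) -> tuple:
    """Numeric tuple for comparison: '3.10.0' -> (3, 10, 0), which correctly beats (3, 9, 4)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def compliance_report(csv_text: str, required: dict, now: datetime,
                      max_age: timedelta = timedelta(days=7)):
    """Return (outdated, stale).

    outdated: host -> list of (package, installed_version_or_'missing', required_version)
    stale:    hosts whose last check-in is older than max_age; their data can't be trusted.
    """
    outdated = {}
    stale = set()
    seen = {}  # host -> set of packages it reported
    for row in csv.DictReader(io.StringIO(csv_text)):
        host = row["host"]
        last_seen = datetime.fromisoformat(row["last_seen"].replace("Z", "+00:00"))
        if now - last_seen > max_age:
            stale.add(host)
        seen.setdefault(host, set()).add(row["package"])
        req = required.get(row["package"])
        if req and version_key(row["version"]) < version_key(req):
            outdated.setdefault(host, []).append((row["package"], row["version"], req))
    # A required package that never shows up in the inventory is a gap, not a pass.
    for host, pkgs in seen.items():
        for pkg, req in required.items():
            if pkg not in pkgs:
                outdated.setdefault(host, []).append((pkg, "missing", req))
    return outdated, stale


if __name__ == "__main__":
    outdated, stale = compliance_report(INVENTORY_CSV, REQUIRED, NOW)
    for host, problems in sorted(outdated.items()):
        for pkg, have, need in problems:
            print(f"{host}: {pkg} has {have}, needs {need}")
    for host in sorted(stale):
        print(f"{host}: no check-in for more than 7 days")
```

Run against the constructed inventory it reports lt-002 as behind on the browser and the agent, lt-004 as having no VPN client at all, and lt-003 as stale; a host that simply stops reporting should be treated as unpatched until proven otherwise, not as silently compliant.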
Shadow IT
Employees are always looking for new tools to help them get the job done. Unfortunately, not all of these tools are company approved. Shadow IT refers to the tools, technologies, and devices used for work that the company neither approved nor manages.
While 92% of security pros say their company policy requires IT approval to download and use software and apps for work, our survey found that one in three employees still chose to use unapproved apps – it’s no wonder shadow IT is in the top three risks worrying IT and security teams.
And part of that worry comes from knowing that they’re limited in what they can do about employees using shadow IT. More than 50% of security pros say they don’t control whether employees follow these policies. Whether the gap is in discovering what shadow IT is in use or in the IT team’s ability to enforce policy, the reality is that each new shadow IT app or tool is a potential new threat vector.
With each worker using an average of five shadow IT apps, that’s a lot of unmanaged risk. Implementing a password manager helps mitigate the shadow IT risk: it promotes strong, unique passwords on accounts that would otherwise fall outside the security team’s purview, and it gives the team an inventory of which tools are actually in use. It also means that when an employee is deprovisioned from the password manager, they lose access to the shadow IT accounts whose credentials lived there.
To learn more about the security landscape and threats facing businesses, check out 1Password’s State of Access Report 2024.