The top three cybersecurity threats facing businesses today

by Stacey Harris

With the global average cost of a data breach being 4.45 million USD in 2023, businesses can’t afford to ignore the biggest cybersecurity risks.

1Password surveyed 1,500 North American white-collar employees – including 500 IT security professionals – to better understand today’s security landscape. The survey found that security pros are most worried about external threats like phishing or ransomware (36%) and internal threats like shadow IT (36%).

Four out of five figures highlighted in purple, with the caption 'Four in five security pros don't feel their security protections are adequate'.

In this post, we dive into the top three cybersecurity threats, how they manifest in a company, and what security professionals can do to combat these common but manageable threats. After all, what is cybersecurity for business if not the ongoing pursuit of staying one step ahead of an ever-evolving security landscape?


Phishing

Phishing is a scam that tries to trick people into giving away sensitive information. Often appearing as a message from a trustworthy source, the sender attempts to fool the receiver into thinking they are sharing credentials, credit cards, or other information with a legitimate source.

In our 2024 State of Enterprise Security Report, we found that 61% of employees have been – or have seen a colleague be – the target of a phishing attack from someone posing as a CEO, manager, colleague, vendor, client, or other work associate. We also found that 18% of employees clicked a link in a suspicious email, showing that not all employees are capable of identifying suspicious emails.

With 23% of employees using passwords that follow a similar pattern or are identical, and 19% of employees using the same passwords across multiple work accounts, a single exposed password in a phishing scam can expose the business beyond a single account breach.

And those are the stats for the state of phishing right now. Phishing scams aren’t anything new; in fact, they’ve been around since the early nineties. As AI continues to advance, phishing scams are taking on a new level of sophistication, making them harder to spot even for those who are adept at security. And the speed at which AI can be deployed makes it cost-effective for criminals to target companies of every size, not just enterprise businesses.

Implementing multi-factor authentication and increasing employee education about spotting suspicious emails are two of the best ways that businesses can help reduce the risk of phishing scams.


Ransomware

Ransomware has been around since the late eighties but took the spotlight in 2021 with a significant uptick in incidents. According to Malwarebytes' new 2024 ThreatDown State of Malware Report, ransomware attacks increased by 68% in 2023.

If you haven’t already come across it, ransomware is a form of malware that infects a digital system (servers, computers, phones, etc.) and encrypts its files, effectively locking the owner out. The criminal will then request a ransom in exchange for the key to decrypt the files and return access.

There are many ways ransomware can make it into an organization, including phishing (45% of ransomware attacks involved phishing), compromised credentials, and criminals hacking into the business through software vulnerabilities.

Security professionals admit that they’re struggling to stay on top of the latest patch/update cycles, and often don’t have a way of monitoring whether employees are following through with required updates. 1Password found that more than 45% of employees don’t update software immediately upon receiving an alert that they should. These unpatched vulnerabilities can leave companies exposed to a ransomware attack.

A blue circle with the following statistic in the center: 92% of security pros have security concerns around AI.

The best defense against ransomware is employing an access management solution that makes sure every identity, device, and application is secure.

Shadow IT

Employees are always looking for new tools to help them get the job done. Unfortunately, not all these tools are company approved. Shadow IT refers to the tools, technologies, and devices that are unmanaged by the company.

While 92% of security pros say their company policy requires IT approval to download and use software and apps for work, our survey found that one in three employees still chose to use unapproved apps – it’s no wonder shadow IT is in the top three risks worrying IT and security teams.

A dial with the following statistic underneath: More than half of employees admit to being lax on their company's security policies.

And part of that worry comes from knowing that they’re limited in what they can do about employees using shadow IT. More than 50% of security pros say they don’t control whether employees follow these policies. Whether the problem is identifying which shadow IT is in use or whether the IT team has enforcement capabilities, the reality is that each new shadow IT app or tool is a potential new threat vector.

With each worker using an average of five shadow IT apps, that’s a lot of unmanaged risk. Implementing a password manager helps mitigate the shadow IT risk as it promotes strong password use across accounts that may fall out of the security team’s purview. It also means that employees will likely lose access to those shadow IT accounts when they’re deprovisioned.

To learn more about the security landscape and threats facing businesses, check out 1Password’s State of Access Report 2024.

Stacey Harris - Content Marketing Manager