Top cyber security stats you need to know for 2021

Written by Oliver Pinson-Roxburgh on 26/11/2020

Forewarned is forearmed

Bulletproof has released its Annual Cyber Security Industry Report 2021, in which we look at the security challenges facing businesses in 2021 and discover what organisations can do to stay ahead of the hackers. In this blog we highlight 4 key findings from the report and explore what they mean for business security in 2021 and beyond.

Attacks Increase Graphic

What this stat really shows is that 14% of organisations don’t understand the very real risks their business will face in 2021. And with 33% of UK businesses admitting to losing customers after a data breach, it pays to take these risks seriously. It should be noted that the real figure will be much higher than 33%, as our experience shows that many businesses are unwilling to admit the full extent of a data breach, even in anonymous polls.

Hackers never stand still, and as we’ve seen in previous years, cyber threats will continue to increase in 2021 as technology naturally evolves. But there are additional challenges to factor in. The technological advances implemented in 2020 have provided boosts to remote working and productivity, but they’ve also introduced new vulnerabilities for hackers to exploit.

There’s also the human element to consider, as new technology and new ways of working introduce uncertainty and doubt into people’s security knowledge. Security awareness has already come on leaps and bounds in the past 5 years or so thanks to high-profile breaches, security vulnerabilities that have become brands in their own right (think Heartbleed, etc.), and increased compliance – most notably the GDPR and Cyber Essentials. The 2020 refresh of Cyber Essentials has made the scheme more accessible, which should not only help raise awareness, but also help raise the bar of cyber security across the board. That doesn’t mean, however, that the battle is over. Getting cyber security spending on the agenda for people, processes and technology is an ongoing struggle – something which we’ve talked about before.

Threat Intel Graphic

As ever, the threat landscape never stands still – cyber security is an arms race of sorts, as proven by the fact that only 1.5% of malicious IPs we detected were in the top commercial and open-source threat intel feeds. Cyber criminals pivot around different IP addresses as new hacked machines become available for them to launch attacks from. Whilst commercial threat intel feeds remain a useful resource, this shows that they can’t be relied upon on their own. The solution for businesses looking to proactively block attacks and/or have helpful oversight of the threat landscape is to find a trusted security partner and build a collaborative working relationship. For example, Bulletproof has set up a large honeypot network that allows us to get real-world intelligence on the tools and methods hackers are using in the wild, which we use to enhance our MDR service, S.W.A.T. Defence®.

Default Credentials Graphic

This alarming stat shows one thing: hackers continue to try these attacks because they continue to work for them. The use of default credentials is a theme that is sadly ever-present: organisations aren’t getting the basics right. The lack of simple – and I do mean simple – best practices like changing default credentials shows that it’s the fundamental basics that aren’t being met. This leaves an open door in your business for even the most casual, opportunistic hacker. Schemes like Cyber Essentials and more rigorous certification such as ISO 27001 can help – but compliance is only truly useful when you’re, well, compliant.

Critical Vulnerabilities Graphic

Our data shows that nearly 1 in 3 critical flaws found during penetration testing are down to outdated components. That’s down from being around 1 in 2 last year. So why the drop? Increased cloud adoption and homogenisation of underlying web technologies are the primary drivers behind this trend – something we cover in more detail in our 2021 annual report.

The fact that 1 in 3 critical vulnerabilities are still down to outdated components also paints another picture: one that’s a recurring theme right across the board, from our penetration testing engagements, to our compliance audits, to our MDR service S.W.A.T. Defence®. And that is a lack of patching. Software and hardware vendors regularly release patches – fixes for security flaws that are inherent and, so it seems, unavoidable in all modern technology. Yet thanks to a combination of lack of process, lack of resources and lack of awareness, patching is still hard for any organisation to get right. And in a world where an unpatched Adobe product is just as critical as an unpatched Windows OS, this makes for varied opportunities for cyber criminals.


Be prepared

These stats point to a very clear instruction for staying secure in 2021: be prepared. Cyber attacks are only ever going to increase. The more you prepare, the easier it will be when (and it is a when, not an if) you’re attacked.

  • Pen test regularly

    Carry out full penetration tests at least annually, and run vulnerability scans every month

  • Follow industry best practices

    There’s no excuse for not getting the basics right – they’re best practices for a reason

  • Lean on a trusted security partner

    Work collaboratively and leverage their experience to help you get maximum security for minimum cost

  • Don’t treat compliance as a tick-box exercise

    Make compliance standards work for you by embedding security as a culture within the business

Stats as cited in the Bulletproof Annual Cyber Security Industry Report 2021

