Cybersecurity refers to any technologies, practices and policies for preventing cyberattacks or mitigating their impact. Cybersecurity aims to protect computer systems, applications, devices, data, financial assets and people against ransomware and other malware, phishing scams, data theft and other cyberthreats.
At the enterprise level, cybersecurity is a key component of an organization’s overall risk management strategy. According to Cybersecurity Ventures, global spending on cybersecurity products and services will exceed USD 1.75 trillion total during the years 2021 through 2025.1
Cybersecurity job growth is also robust. The US Bureau of Labor Statistics projects that “employment of information security analysts is projected to grow 32% from 2022 to 2032, faster than the average for all occupations.”2
Industry newsletter
Stay up to date on the most important—and intriguing—industry trends on AI, automation, data and beyond with the Think newsletter. See the IBM Privacy Statement.
Your subscription will be delivered in English. You will find an unsubscribe link in every newsletter. You can manage your subscriptions or unsubscribe here. Refer to our IBM Privacy Statement for more information.
Cybersecurity is important because cyberattacks and cybercrime have the power to disrupt, damage or destroy businesses, communities and lives. Successful cyberattacks lead to identity theft, personal and corporate extortion, loss of sensitive information and business-critical data, temporary business outages, lost business and lost customers and sometimes, business closures.
Cyberattacks have an enormous and growing impact on businesses and the economy. By one estimate, cybercrime will cost the world economy USD 10.5 trillion per year by 2025.3 The cost of cyberattacks continues to rise as cybercriminals become more sophisticated.
According to IBM's latest Cost of a Data Breach Report:
Apart from the sheer volume of cyberattacks, one of the biggest challenges for cybersecurity professionals is the ever-evolving nature of the information technology (IT) landscape, and the way threats evolve with it. Many emerging technologies that offer tremendous new advantages for businesses and individuals also present new opportunities for threat actors and cybercriminals to launch increasingly sophisticated attacks. For example:
As the worldwide attack surface expands, the cybersecurity workforce is struggling to keep pace. A World Economic Forum study found that the global cybersecurity worker gap between cybersecurity workers and jobs that need to be filled, might reach 85 million workers by 2030.4
Closing this skills gap can have an impact. According to the Cost of a Data Breach 2024 Report, organizations suffering from a high-level shortage of security skills saw an average cost per breach of USD 5.74 million, compared to USD 3.98 million for organizations with lower-level skills shortages.
Resource-strained security teams will increasingly turn to security technologies featuring advanced analytics, artificial intelligence (AI) and automation to strengthen their cyberdefenses and minimize the impact of successful attacks.
Comprehensive cybersecurity strategies protect all of an organization’s IT infrastructure layers against cyberthreats and cybercrime. Some of the most important cybersecurity domains include:
AI security refers to measures and technology aimed at preventing or mitigating cyberthreats and cyberattacks that target AI applications or systems or that use AI in malicious ways.
Generative AI offers threat actors new attack vectors to exploit. Hackers can use malicious prompts to manipulate AI apps, poison data sources to distort AI outputs and even trick AI tools into sharing sensitive information. They can also use (and have already used) generative AI to create malicious code and phishing emails.
AI security uses specialized risk management frameworks and increasingly, AI-enabled cybersecurity tools to protect the AI attack surface. According to the Cost of a Data Breach 2024 Report, organizations that deployed AI-enabled security tools and automation extensively for cyberthreat prevention saw a USD 2.2 million lower average cost per breach compared to organizations with no AI deployed.
Critical infrastructure security protects the computer systems, applications, networks, data and digital assets that a society depends on for national security, economic health and public safety.
In the United States, the National Institute of Standards and Technology (NIST) offers a cybersecurity framework to help IT providers and stakeholders secure critical infrastructure.5 The US Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) also provides guidance.6
Network security focuses on preventing unauthorized access to networks and network resources. It also helps ensure that authorized users have secure and reliable access to the resources and assets they need to do their jobs.
Application security helps prevent unauthorized access to and use of apps and related data. It also helps identify and mitigate flaws or vulnerabilities in application design. Modern application development methods such as DevOps and DevSecOps build security and security testing into the development process.
Cloud security secures an organization’s cloud-based services and assets, including applications, data, virtual servers and other infrastructure.
Generally speaking, cloud security operates on the shared responsibility model. The cloud provider is responsible for securing the services that they deliver and the infrastructure that delivers them. The customer is responsible for protecting their data, code and other assets they store or run in the cloud.
Information security (InfoSec) protects an organization's important information digital files and data, paper documents, physical media against unauthorized access, use or alteration.
Data security, the protection of digital information, is a subset of information security and the focus of most cybersecurity-related InfoSec measures.
Mobile security encompasses cybersecurity tools and practices specific to smartphones and other mobile devices, including mobile application management (MAM) and enterprise mobility management (EMM).
More recently, organizations are adopting unified endpoint management (UEM) solutions that allow them to protect, configure and manage all endpoint devices, including mobile devices, from a single console.
Some of the most common types of cyberthreats include
Malware, short for "malicious software", is any software code or computer program that is intentionally written to harm a computer system or its users. Almost every modern cyberattack involves some type of malware.
Hackers and cybercriminals create and use malware to gain unauthorized access to computer systems and sensitive data, hijack computer systems and operate them remotely, disrupt or damage computer systems, or hold data or systems hostage for large sums of money (see "Ransomware").
Ransomware is a type of malware that encrypts a victim’s data or device and threatens to keep it encrypted or worse, unless the victim pays a ransom to the attacker.
The earliest ransomware attacks demanded a ransom in exchange for the encryption key required to unlock the victim’s data. Starting around 2019, almost all ransomware attacks were double extortion attacks that also threatened to publicly share victims’ data; some triple extortion attacks added the threat of a distributed denial-of-service (DDoS) attack.
More recently, ransomware attacks are on the decline. According to the IBM X-Force® Threat Intelligence Index 2024, ransomware attacks accounted for 20% of all attacks in 2023, down 11.5% from 2022. The decline is likely the result of improved ransomware prevention, more effective law enforcement intervention and data backup and protection practices that enable businesses to recover without paying the ransom.
In the meantime, ransomware attackers have repurposed their resources to start other types of cyberthreats, including infostealer malware that allows attackers to steal data and hold it hostage without locking down the victim’s systems and data destruction attacks that destroy or threaten to destroy data for specific purposes.
Phishing attacks are email, text or voice messages that trick users into downloading malware, sharing sensitive information or sending funds to the wrong people.
Most users are familiar with bulk phishing scams, mass-mailed fraudulent messages that appear to be from a large and trusted brand, asking recipients to reset their passwords or reenter credit card information. More sophisticated phishing scams, such as spear phishing and business email compromise (BEC), target-specific individuals or groups to steal especially valuable data or large sums of money.
Phishing is just one type of social engineering, a class of “human hacking” tactics and interactive attacks that use psychological manipulation to pressure people into taking unwise actions.
The X-Force Threat Intelligence Index found that identity-based attacks, which hijack legitimate user accounts and abuse their privileges, account for 30% of attacks. This makes identity-based attacks the most common entry point into corporate networks.
Hackers have many techniques for stealing credentials and taking over accounts. For example, Kerberoasting attacks manipulate the Kerberos authentication protocol commonly used in Microsoft Active Directory to seize privileged service accounts. In 2023, the IBM X-Force team experienced a 100% increase in Kerberoasting incidents.
Similarly, the X-Force team saw a 266% increase in the use of infostealer malware that secretly records user credentials and other sensitive data.
Insider threats are threats that originate with authorized users, employees, contractors, business partners, who intentionally or accidentally misuse their legitimate access or have their accounts hijacked by cybercriminals.
Insider threats can be harder to detect than external threats because they have the earmarks of authorized activity and are invisible to antivirus software, firewalls and other security solutions that block external attacks.
Much like cybersecurity professionals are using AI to strengthen their defenses, cybercriminals are using AI to conduct advanced attacks.
In generative AI fraud, scammers use generative AI to produce fake emails, applications and other business documents to fool people into sharing sensitive data or sending money.
The X-Force Threat Intelligence Index reports that scammers can use open source generative AI tools to craft convincing phishing emails in as little as five minutes. For comparison, it takes scammers 16 hours to come up with the same message manually.
Hackers are also using organizations’ AI tools as attack vectors. For example, in prompt injection attacks, threat actors use malicious inputs to manipulate generative AI systems into leaking sensitive data, spreading misinformation or worse.
Cryptojacking happens when hackers gain access to an endpoint device and secretly use its computing resources to mine cryptocurrencies such as bitcoin, ether or monero.
Security analysts identified cryptojacking as a cyberthreat around 2011, shortly after the introduction of cryptocurrency. According to the IBM X-Force Threat Intelligence Index, cryptojacking is now among the top three areas of operations for cybercriminals.
A DDoS attack attempts to crash a server, website or network by overloading it with traffic, usually from a botnet, a network of distributed systems that a cybercriminal hijacks by using malware and remote-controlled operations.
The global volume of DDoS attacks spiked during the COVID-19 pandemic. Increasingly, attackers are combining DDoS attacks with ransomware attacks, or simply threatening to launch DDoS attacks unless the target pays a ransom.
Despite an ever-increasing volume of cybersecurity incidents worldwide and the insights gleaned from resolving these incidents, some misconceptions persist. Some of the most dangerous include:
Strong passwords do make a difference; for example, a 12-character password takes 62 trillion times longer to crack than a 6-character password. But passwords are relatively easy to acquire in other ways, such as through social engineering, keylogging malware, buying them on the dark web or paying disgruntled insiders to steal them.
In fact, the cyberthreat landscape is constantly changing. Thousands of new vulnerabilities are reported in old and new applications and devices every year. Opportunities for human error, specifically by negligent employees or contractors who unintentionally cause a data breach, keep increasing.
Cybercriminals constantly find new attack vectors. The rise of AI technologies, operational technology (OT), Internet of Things (IoT) devices and cloud environments all give hackers new opportunities to cause trouble.
Every industry has its share of cybersecurity risks. For example, ransomware attacks are targeting more sectors than ever, including local governments, nonprofits and healthcare providers. Attacks on supply chains, ".gov" websites and critical infrastructure have also increased.
Yes, they do. The Hiscox Cyber Readiness Report found that almost half (41%) of small businesses in the US experienced a cyberattack in the last year.7
While each organization’s cybersecurity strategy differs, many use these tools and tactics to reduce vulnerabilities, prevent attacks and intercept attacks in progress:
Security awareness training helps users understand how seemingly harmless actions, from using the same simple password for multiple log-ins to oversharing on social media increase their own or their organization’s risk of attack.
Combined with thought-out data security policies, security awareness training can help employees protect sensitive personal and organizational data. It can also help them recognize and avoid phishing and malware attacks.
Data security tools, such as encryption and data loss prevention (DLP) solutions, can help stop security threats in progress or mitigate their effects. For example, DLP tools can detect and block attempted data theft, while encryption can make it so that any data that hackers steal is useless to them.
Identity and access management (IAM) refers to the tools and strategies that control how users access resources and what they can do with those resources.
IAM technologies can help protect against account theft. For example, multifactor authentication requires users to supply multiple credentials to log in, meaning threat actors need more than just a password to break into an account.
Likewise, adaptive authentication systems detect when users are engaging in risky behavior and raise extra authentication challenges before allowing them to proceed. Adaptive authentication can help limit the lateral movement of hackers who make it into the system.
A zero trust architecture is one way to enforce strict access controls by verifying all connection requests between users and devices, applications and data.
Attack surface management (ASM) is the continuous discovery, analysis, remediation and monitoring of the cybersecurity vulnerabilities and potential attack vectors that make up an organization’s attack surface.
Unlike other cyberdefense disciplines, ASM is conducted entirely from a hacker’s perspective rather than the perspective of the defender. It identifies targets and assesses risks based on the opportunities they present to a malicious attacker.
Analytics and AI-driven technologies can help identify and respond to attacks in progress. These technologies can include security information and event management (SIEM), security orchestration, automation and response (SOAR) and endpoint detection and response (EDR). Typically, organizations use these technologies as part of a formal incident response plan.
Disaster recovery capabilities can play a key role in maintaining business continuity and remediating threats in the event of a cyberattack. For example, the ability to fail over to a backup that is hosted in a remote location can help a business resume operations after a ransomware attack (sometimes without paying a ransom)