cyber security breaches survey 2021

The publication of the cyber security breaches survey 2021 marked a significant milestone in understanding how digital resilience fluctuated during a period of unprecedented global disruption. As organizations transitioned to distributed work models, the threat landscape expanded, creating new opportunities for malicious actors to exploit vulnerabilities in remote infrastructure. In many real-world incidents, organizations rely on the DarkRadar platform to gain structured visibility into credential leaks and infostealer-driven exposure across underground ecosystems. Analyzing the 2021 data reveals that while technical defenses were hardening in some sectors, the human element remained a primary vulnerability, necessitating a more proactive approach to external threat intelligence and attack surface management. This period emphasized that passive defense was no longer sufficient for mitigating modern cyber risks.

Fundamentals / Background of the Topic

The 2021 security landscape was defined by the long-term adaptation to the COVID-19 pandemic. For many organizations, the shift to remote work, which was initially viewed as temporary, became a permanent operational reality. This shift drastically altered the corporate perimeter, moving it from the controlled environment of the office to the unmanaged environments of home networks and personal devices. The data from this period indicated that 39% of businesses and 26% of charities reported experiencing a cyber security breach or attack within the preceding 12 months. This high frequency suggested that the defensive posture of many organizations was struggling to keep pace with the rapid digitalization of their workflows.

A fundamental shift observed in the data was the concentration of attacks on specific vectors. While the overall number of businesses identifying breaches appeared to decrease slightly compared to 2020, the frequency of attacks for those who were targeted remained high. This phenomenon suggested that threat actors were becoming more targeted, focusing their efforts on organizations with known vulnerabilities or high-value data. The fundamentals of risk management were tested as IT departments were forced to manage sprawling assets and diverse endpoints without the traditional visibility offered by localized network monitoring. Furthermore, the survey highlighted a discrepancy in cyber maturity across different sectors, with the finance and information/communication sectors showing higher levels of preparedness compared to retail or hospitality.

Investment in cyber security during this period was uneven. While larger enterprises increased their spending to secure remote access points, smaller organizations often deferred security upgrades due to economic uncertainty. This created a bifurcated security landscape where well-funded organizations adopted zero-trust principles, while smaller entities remained reliant on legacy antivirus solutions and basic firewalls. The 2021 data served as a wake-up call for the necessity of integrated security frameworks that go beyond mere compliance and focus on active threat detection and response capabilities.

Current Threats and Real-World Scenarios

The threat landscape described in 2021 was dominated by social engineering, with phishing remaining the most prevalent attack vector. Approximately 83% of organizations that identified a breach reported phishing as the primary entry point. This highlights a persistent technical and psychological challenge: even with sophisticated email filters, a single deceptive message can bypass perimeter defenses if an employee is not adequately trained or if the message leverages highly specific, context-aware lures. Real-world scenarios often involved attackers impersonating senior management or IT support to gain access to corporate credentials or to facilitate fraudulent wire transfers.

Ransomware also emerged as a critical concern, even if it did not represent the highest volume of attacks. The severity of ransomware incidents in 2021 increased, with threat actors adopting double extortion tactics—encrypting data while simultaneously threatening to leak it on public forums. This period saw high-profile incidents that disrupted global supply chains, emphasizing that no organization is too large or too small to be a target. The move toward "Ransomware-as-a-Service" (RaaS) models allowed less technical attackers to launch sophisticated campaigns, further complicating the threat landscape for SOC analysts and incident responders.

Another significant scenario involved the exploitation of vulnerabilities in remote access technologies. The rapid deployment of Virtual Private Networks (VPNs) and Remote Desktop Protocol (RDP) instances frequently occurred without proper configuration or multi-factor authentication (MFA). Attackers utilized automated scanners to identify these exposed ports, leading to unauthorized access and lateral movement within corporate networks. These real-world threats underscored the importance of maintaining an up-to-date asset inventory and ensuring that every external-facing service is hardened against common exploit techniques.

Technical Details and How It Works

The technical mechanisms behind the breaches reported in the cyber security breaches survey 2021 often involved a combination of credential harvesting and the exploitation of unpatched software. When phishing campaigns were successful, attackers typically gained access to valid user credentials. These credentials were then used to authenticate against cloud services, such as Microsoft 365 or Google Workspace, which many organizations had recently adopted. Without multi-factor authentication, these accounts were easily compromised, providing attackers with a foothold from which they could launch further internal attacks or exfiltrate sensitive communication.

From a technical perspective, the concept of "living off the land" (LotL) became more prominent. Attackers used legitimate system tools, such as PowerShell or Windows Management Instrumentation (WMI), to execute malicious code. By avoiding the use of traditional malware files, these attackers could evade detection by signature-based antivirus solutions. This technique was particularly effective in 2021 as IT teams were overwhelmed with high volumes of alerts and struggled to distinguish between legitimate administrative activity and malicious system manipulation. The survey data pointed toward a need for behavioral analytics and more granular visibility into system processes.

The lifecycle of a breach in this period typically followed a standard sequence: initial reconnaissance, weaponization of a lure, delivery via email or exposed service, exploitation of a human or technical vulnerability, and finally, the establishment of a command-and-control (C2) channel. The 2021 data revealed that many organizations only discovered breaches after significant time had elapsed, indicating a failure in internal logging and monitoring. The average "dwell time" remained high, giving attackers ample opportunity to identify critical assets and perform extensive data staging prior to exfiltration. Technical remediation required not just the removal of the threat, but a total reassessment of the authentication and authorization chain.

Detection and Prevention Methods

Effective detection in the 2021 environment required a shift from perimeter-centric models to host-based and identity-based monitoring. Endpoint Detection and Response (EDR) solutions became essential for identifying the LotL techniques mentioned previously. By monitoring for anomalous process behaviors—such as an Office application spawning a cmd.exe process—security teams could detect breaches in their early stages. Furthermore, the implementation of Security Information and Event Management (SIEM) systems allowed organizations to aggregate logs from diverse sources, including cloud providers, VPN gateways, and endpoints, to create a unified view of the security state.

Prevention methods centered heavily on the implementation of Multi-Factor Authentication (MFA). The 2021 data indicated that a significant portion of breaches could have been prevented if MFA was enforced across all external-facing applications. Beyond MFA, the adoption of the principle of least privilege (PoLP) was critical. By ensuring that users only had access to the data and systems required for their specific roles, organizations could limit the potential impact of a compromised account. This period also saw an increased focus on "Cyber Essentials" and similar certification frameworks, which provide a baseline of security controls that significantly reduce the risk of common internet-based attacks.

Vulnerability management also played a pivotal role. The year 2021 was marked by several critical zero-day vulnerabilities in widely used software. Organizations that had established a robust patching cadence and had the ability to prioritize patches based on exploitability and asset criticality were much more resilient. Proactive threat hunting, which involves searching through network traffic and system logs for signs of compromise that have bypassed automated alerts, also gained traction among more mature security operations. These combined methods created a layered defense-in-depth strategy that addressed both the technical and human aspects of cyber risk.

Practical Recommendations for Organizations

Based on the insights from 2021, organizations should prioritize the formalization of their cyber security incident response plans (CSIRP). Many organizations during that period were found to have informal processes that collapsed under the pressure of a real-world breach. A formal plan, regularly tested through tabletop exercises, ensures that all stakeholders—including IT, legal, communications, and executive leadership—know their roles and responsibilities during a crisis. This reduces the time to contain a breach and minimizes the associated financial and reputational damage.

Another recommendation is the integration of threat intelligence into the daily security workflow. Knowing which threat actors are targeting a specific industry and understanding their typical tactics, techniques, and procedures (TTPs) allows for more effective defensive tuning. Organizations should also conduct regular security awareness training that goes beyond simple compliance checklists. Training should be interactive and simulate real-world phishing scenarios to build a culture of security where employees feel empowered to report suspicious activity without fear of retribution.

Finally, organizations must address the risks inherent in their supply chains. The 2021 survey data showed that many breaches originated from third-party vendors or service providers. Conducting thorough security assessments of all partners and ensuring that security requirements are embedded in contracts is essential. This includes requiring vendors to maintain specific security certifications and providing them with only the minimum necessary access to the organization's network. By extending security oversight beyond the internal network, organizations can mitigate the risks posed by the interconnected nature of modern business operations.

Future Risks and Trends

Looking ahead from the 2021 findings, several trends have continued to evolve. The use of artificial intelligence and machine learning by threat actors is a growing concern. In 2021, we saw the early stages of automated phishing and more sophisticated social engineering lures. Today, these have evolved into deepfake technology and automated vulnerability exploitation, requiring defenders to adopt AI-driven security tools to keep pace. The speed of attacks is increasing, reducing the window for human intervention and necessitating greater reliance on automated response actions.

The proliferation of Internet of Things (IoT) devices in corporate environments also presents a long-term risk. Many of these devices are poorly secured and difficult to patch, providing attackers with a persistent foothold in the network. As more organizations adopt "smart" building technologies and industrial IoT, the attack surface will continue to expand. Furthermore, the regulatory landscape is becoming increasingly complex, with new data protection laws requiring more stringent reporting of breaches and higher penalties for non-compliance. This makes the strategic importance of cyber security a permanent fixture of corporate governance.

Ultimately, the transition toward cloud-native environments will dominate the security agenda. While the cloud offers many security benefits, misconfigurations remain a leading cause of data exposure. The trends first identified in the 2021 data—such as the importance of identity management and the need for comprehensive visibility—will remain relevant for the foreseeable future. Organizations that successfully bridge the gap between technical defense and strategic risk management will be best positioned to navigate the evolving threat landscape of the 2020s.

Conclusion

The findings of the 2021 period underscore that cyber security is no longer merely a technical issue, but a fundamental business risk. The shift to distributed environments has permanently changed the defensive requirements for organizations across all sectors. While phishing and ransomware remain the most visible threats, the underlying vulnerabilities often stem from a lack of visibility, unpatched systems, and insufficient authentication controls. By learning from the data and implementing proactive strategies such as zero-trust architectures, robust incident response plans, and continuous threat monitoring, organizations can build the resilience needed to withstand the increasingly sophisticated tactics of modern adversaries. The 2021 data serves as a critical baseline for ongoing security improvements in a rapidly changing digital world.

Key Takeaways

• Phishing remained the most common breach vector, accounting for over 80% of identified incidents.
• The shift to remote work in 2021 significantly expanded the attack surface, highlighting vulnerabilities in VPNs and RDP.
• Multi-factor authentication (MFA) is the single most effective control for preventing unauthorized access via compromised credentials.
• Organizational size correlates with breach frequency, but small organizations are often less prepared to recover from attacks.
• Proactive visibility into external leaks and credential exposure is essential for preempting breaches before they escalate.

Frequently Asked Questions (FAQ)

What were the main findings of the 2021 survey?
The survey found that while the number of businesses identifying breaches slightly decreased, the frequency of attacks for those targeted remained high, with phishing being the dominant method.

Why was phishing so prevalent in 2021?
Phishing exploited the uncertainty of the pandemic and the shift to remote work, using context-aware lures to trick employees who were often working in less secure home environments.

How did organizations respond to breaches in 2021?
Many organizations relied on informal response processes, though larger businesses were more likely to have formal incident response plans and cyber insurance in place.

What role did the board play in cyber security?
In 2021, board-level involvement in cyber security increased, as executives began to recognize it as a core business risk rather than just an IT problem, though budget allocation remained a challenge for some.