U.S. businesses on the whole are gaining ground against cyber criminals after several years of increasingly severe threats, but the Las Vegas cyberattacks are a stark reminder of the cost of a breach. 

GetApp’s 5th Annual Data Security Report reveals that the ransomware rate remains high at 37%, despite meaningful improvements over the last year. While there is still work to be done, increased investments and training are likely behind these gains: the study shows that, since last year, phishing links clicked by workers decreased 25% while ransomware attacks dropped 30%. However, the report finds that only one in three businesses (34%) are training staff on social engineering techniques.

This survey of 872 workers, including IT professionals and IT security managers, uncovers six key trends on the cyber threat landscape as U.S. businesses turn a corner with data security:

  1. Most security leaders view AI as more friend than foe. According to 59% of IT security leaders, AI is more likely to help security teams enhance their defenses than it is to strengthen cyber criminals. However, IT leaders still voice security concerns about AI.
  2. Phishing is down, but the overall threat remains high. 80% of businesses report receiving phishing emails this year (down from 89% in 2022), and 61% say their employees clicked on a malicious link (down from 81% in 2022). While this is promising news, IT security managers consider advanced phishing attacks the top threat heading into 2024.
  3. Ransomware attacks decline as decryption rate nearly doubles. Ransomware attacks have dropped from 53% to 37% year-over-year, while the rate of victims paying the ransom has decreased from 67% to 36%. This can be attributed to a rise in businesses decrypting ransomware on their own, along with rising adoption of incident response plans. 
  4. Data access privileges are becoming more restricted. Only 16% of businesses allow employees access to all company data, a drop of more than 50% from 2022. 
  5. IT security spending is up at U.S. businesses. Seven in 10 businesses have increased their IT security budget this year, compared to 63% in 2022. Another indicator that businesses are taking security more seriously is the steadily growing number that have formal protocols in place to report a suspected cyberattack, rising from 77% in 2021 to 83% in 2022, and now up to 94% in 2023.
  6. Security awareness training has never been more prevalent. The number of businesses that provide security awareness training every six months has more than doubled over the last four years (42% in 2023 vs. 19% in 2019) and continues to increase at a steady pace.

The influx of cyber threats stemming from pandemic-fueled digitization and the explosion of remote work has subsided, and in its wake companies have emerged more prepared and security-focused than ever before.