Bugcrowd released its report to highlight key cybersecurity trends from 2021, including the rise in crowdsourced security adoption due to the global shift to hybrid and remote working models, and the rapid digital transformation associated with it.
The report reveals that the strategic focus of many organizations across industries has shifted toward clearing the residual security debt created by this transformation. In particular, financial services companies on the Bugcrowd platform have seen a 185% increase over the past 12 months in priority one (P1) submissions, which refer to the most critical vulnerabilities.
According to recorded activity, high-level trends included an increase in ransomware and the reinvention of supply chains, leading to more complex attack surfaces over the course of the pandemic. Ransomware overtook personal data breaches as the threat that dominated cybersecurity news around the world in 2021.
Global lockdowns and remote working have caused a rush to bring more assets online, leading to increased vulnerabilities. In turn, security buyers invested heavily in enticing ethical hackers to find critical threats, resulting in P1 and P2 bugs accounting for 24% of all valid submissions for the year.
Nation-state attackers are now less concerned with stealth
In the past, Advanced Persistent Threats (APTs) were defined by highly advanced tactics and covert operations, but this approach began to evolve in 2021 towards more mainstream tactics such as so-called N-day exploits, which are attacks against already known vulnerabilities. Diplomatic norms regarding hacking have weakened to the point that nation-state attackers are now less concerned with being stealthy than in the past.
“Significantly, we have seen a democratization of these threats due to the emergence of a ransomware economy and a continued blurring of lines between state actors and cybercrime organizations,” said Casey Ellis, CTO of Bugcrowd. “All of this, combined with growing and more lucrative attack surfaces, has created a highly combustible environment. In 2022, we expect more of the same.”
Some of the main highlights include:
- Cross-site scripting was the most commonly identified type of vulnerability
- Exposing sensitive data moved from 9th place to 3rd place on the list of the 10 most commonly identified types of vulnerabilities
- Ransomware has gone mainstream and governments have responded
- Supply chains have become a primary attack surface
- Penetration testing has entered a renaissance
Cybersecurity industry trends from 2021
2021 was the year vulnerability disclosure became a major concern for government agencies in particular. The total number of valid submissions in the government sector increased by 1,000% for the year. Most submissions came in the third quarter, as government buyers invested in crowdsourced security in response to new guidance for federal civilian agencies that made vulnerability disclosure a key requirement.
In the financial services and software sectors, the report documents increased levels of ethical hacking activity driven by clearing a long tail of security debt. It also shows higher severity levels and larger payouts to incentivize discoveries by security researchers.
Accelerated digital transformation increased efforts to strengthen security postures as a greater share of revenue came from online transactions. Financial services companies have had to act quickly on this issue due to the critical importance of the sector to businesses and consumers. Valid submissions increased by 82% in the FinServ sector.
Additionally, researcher payments for discoveries increased by 106% in FinServ. In the software industry – an indicator for the cybersecurity ecosystem as a whole – total payments to researchers increased by 73%, reflecting the increasingly impactful nature of validated bugs.