A Spooky Tale of Cybersecurity

Note: Schellman published an updated version of this content in 2022.

It’s fitting that National Cybersecurity Awareness Month is in October—it may be vampires and zombies that spook us on neighborhood streets, but when it comes to cybersecurity, it’s the things we don’t know that can be the scariest. Never fear, cybersecurity professionals are working as the good guys—the knights in shining armor, the superheroes—attempting to prevent and combat the villainous schemes of malicious attackers, who represent the metaphorical ghosts and ghouls trying to abduct and steal our information. But make no mistake, being one of the good guys can often be difficult; as the saying goes, “the hardest thing to do is usually the right thing to do.” Because the evildoers are constantly innovating and seeking new ways to navigate around established defenses, the good guys must always be on their toes, anticipating the next jump scare.

Here are some spooky cybersecurity statistics to haunt you:

  • Nearly 230,000 malware samples are created each day by hackers. (SC Magazine)
  • It is estimated that hackers attack every 39 seconds. (University of Maryland) While an attack doesn’t always mean a breach, when a breach does occur, hackers steal an average of 75 records every second. (Breach Level Index)
  • The average total cost of a data breach worldwide in 2019 was $3.92 million, a 1.5% increase from the 2018 study and a 12% increase between 2014 and 2019. (Security Intelligence)
  • Organizations report that phishing and social engineering attacks have increased 16% year over year. (Accenture)
  • The majority of cybersecurity attacks are a result of human error. (Verizon 2019 Data Breach Investigations Report)
  • The average time to identify a breach in 2019 was 206 days. (IBM) This number has increased since a 2018 study by the Ponemon Institute reported that it took companies an average of 197 days to identify a data breach.
  • By 2021 there will be an estimated 3.5 million unfilled cybersecurity jobs. (Cybersecurity Ventures)

Given how scary those points are, it’s unfortunate that we can’t just wake up from our nightmare, put down our book, or simply turn off the horror film to escape these cyber goblins. However, hope isn’t lost—just as Captain America has his shield and Tony Stark uses his genius, organizations need to equip themselves with tools, utilities, and, most importantly, employee education in preparation against the evil villains of the Internet world. While it’s still true that human error remains one of the biggest threats to security, employees can also be the biggest assets in identifying and reporting incidents in a timely manner—they just have to know what to look for while going about their work. The better an organization’s security training and awareness, the higher the number of incidents its employees should report, and the smaller the risk of a breach.

To determine what should be included in an organization’s training and awareness activities, evaluate the applicable requirements in your privacy and security policies, then align the security training objectives with the firm’s mission and objectives. For additional information on structuring a security awareness program for your organization, refer to our blog article from Avani Desai, “Building a Security Program to Fit Your Enterprise.”

To help mitigate the nightmare risk of human error, educate your employees on the range of social engineering techniques they may encounter, including but not limited to phishing, pretexting, and baiting.

Phishing

We’re all familiar with phishing attacks, whether they are presented through website ads or sent directly to your e-mail inbox. According to Phishing.org, the term dates back to 1996, yet the attack is still a common threat with an elevated likelihood. Click on the wrong link at any given time and suddenly the horror movie has manifested itself, putting your company on display as an example of the importance of cybersecurity, as well as the price paid when it isn’t in place. Per the 2020 Data Breach Investigations Report, 94% of malware was delivered via e-mail. As such, employee education becomes all the more important, especially since the majority of cyber insurance policies focus on attacks from the outside and do not cover phishing attacks, which are triggered internally. While tools such as firewalls, intrusion detection and prevention systems, antivirus software, and the like remain extremely important for full protection, education is likely the strongest strategy in combating these targeted phishing spells. In order to be as shielded as possible, organizations should confirm what their insurance policy covers while applying mitigation strategies related to cybersecurity risks.

Social Media

Per a recent DataReportal report, 51% of the total world population uses social media networks, up from 45% as reported in January 2019. A Global Web Index report took it a step further and found that digital consumers spend over two hours a day either browsing social networks or using social messaging. That creates masses of opportunity for an individual to inappropriately share sensitive information, and once it’s out there, it can be hidden but never deleted.

Therefore, be cognizant of what information is being released on public sites, including personally identifiable information (PII) such as addresses, account numbers, birthdays, etc.

Mitigating Tactics

Internet connectivity has established itself everywhere, and with that have come several conveniences; however, with exponential amounts of convenience come exponential amounts of responsibility. Whether you’re looking to keep your own information private or ensure confidential work information remains confidential, you can help minimize the risk of leaked or stolen data by doing the following:

  • Educating your employees on how to spot phishing, baiting attempts, and the like
  • Leveraging industry standards such as NIST or SANS while referencing compliance frameworks including PCI DSS, ISO, HIPAA, and the like for industry best practices
  • Enabling multi-factor authentication, including biometric varieties
  • Encouraging the use of password management tools such as LastPass, KeePass, etc.
  • Applying patches and security updates to computer software in a timely manner

For more tips on personal accountability and security, the National Initiative for Cybersecurity Careers and Studies (NICCS) is a great resource that offers good details on how individuals should approach internet use from both a personal and a professional standpoint.

About the Author

Collin Varner

Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin specializes in IT attestation, audit, and compliance activities as they relate to numerous standards, including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews, including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.
