// TES Special Report

2023 State of Digital Resilient Transformation for Cyber Disruption Risk

A paradox has taken shape over the last half decade: as organisations invest in Digital Transformation (DX) initiatives to be more agile, productive, and efficient, they have inadvertently created the risk of a Black Swan-like digital disruption event, such as a successful ransomware attack or a major cloud vendor outage.

The headlines for disruption often center around Cyber Incidents or Cyber-attacks in the form of data breaches, espionage, and ransomware. The list continues to grow for disruptions related to human error and cloud vendor multi-day outages.

There is positive momentum on deflecting these disruptions though. Organisations that are digital resilient-mature can deflect these Black Swan events with ease. This is made possible by developing both a Digital Resilient strategy and using a Secure-by-Design decision lens that places cyber executives at the strategy table during DX discussions. The duality of this strategy keeps Bad Actors from accessing their data while ensuring these same Bad Actors can’t prevent access to their data if a breach occurs, among its many benefits.

Unfortunately, the research landscape shows that most organisations have a long journey ahead towards becoming Digitally Resilient. Many are simply not executing their plans and are distracted from doing so. The good news is that there is an existing blueprint, so commitment and determination could be the only factors holding organisations back from getting it done.

Digital Resilience and Cyber Risk on the Corporate Agenda

Organisational Perceptions of the Threat

  • 34%: UK CEOs feel a Cyber Incident is the top risk to the organisation. 34% of global CEOs feel the same. (2023 Allianz Risk Barometer Report)
  • First time: Cyber Incidents ranked as the top risk in the Allianz Risk Barometer report
  • 34%: UK CEOs feel Business Disruption is the top risk (ranked second in the 2023 Allianz Risk Barometer Report)
    Cyber disruption is the top subset of that disruption.
  • 81%: Believe ‘staying ahead of attackers’ is a constant battle and the cost is unsustainable (2022 WEF Cyber Outlook)


Resiliency is on the Agenda, yet Execution Lags

  • 41% of Business Executives believe that cyber resilience is an established business priority (2022 WEF Cyber Outlook Report)
  • 13% of Security-focused Executives believe cyber resilience is an established business priority (2022 WEF Cyber Outlook)
  • 55% of Security Executives believe cyber resiliency is integrated into Enterprise Risk Management


Confidence in ‘Am I Resilient?’ Eroding with Business Leaders

  • 27% of Business Executives are confident their organisation will be Cyber Resilient in 2023. Was 32% in 2022 (2023 WEF Cyber Outlook)
  • 27% of Business Executives are now either concerned or stating their organisation is not Resilient in 2023. Was only 11% in 2022.


Yet, Cyber Executives are Cautiously Positive

  • 17%: Confident their organisation is Cyber Resilient in 2023. Was 16% in 2022. (2023 WEF Cyber Outlook)


The Need for Ecosystem Resiliency Maturing

  • 90% of Business Executives are concerned about the cyber resiliency capabilities of third-party supply chains. (2023 WEF Cyber Outlook)

2023 Profile of the Cyber Threat and Risk

Today’s Cyber Criminal is Organised, no longer the ‘Lone Hacker’

  • 97% of threat actors are criminal. 2% represent a Nation state (2022 X-Force Threat Intelligence Report)
  • Financial Gain is the top motive for cybercrime. Espionage is second. (2022 Verizon Data Breach Investigation Report)

 

Cybercrime Continues to be an Attractive Business for Criminals

Cybercrime is a numbers game. Criminals gamble on access, and ‘hit’ the lottery about 40% of the time, though some successful incidents lead to no initial payments. Revenues from incidents can range from a few thousand to upwards of millions when landing a ‘big fish’ (source: 2022 Verizon Data Breach Investigation Report).

Cybercrime is a relatively low risk, high reward venture. Ransomware payments made in crypto currencies are still hard to trace and recover. Cyber syndicates often disband and reform elsewhere before getting caught by authorities.

 

  • $40/Month is the startup investment to become a cybercriminal. This initial investment allows criminals to purchase attack software on a subscription basis on the dark web. Executing the software requires minimal technical knowledge. The licensors and developers of the software (known as Ransomware-as-a-Service) receive license fees and a portion of the bounty collected from cyberattack victims. For syndicates, the operating costs are much higher, as overhead costs include a team of negotiators, researchers, developers, attackers and managers. (2022 Verizon Data Breach Investigation Report)
  • Median Income: $178,465. Verizon simulated the actions of 500 ransomware actors and found the median profit after 300 incidents was $178,465, with the top simulated earner making $3,572,211. (2022 Verizon Data Breach Investigation Report)
  • 4% of ransomware actors simulated showed a loss


Revenues from Cybercrime Continue to Grow

  • $1.5T to $4T: The exact size of the cybercrime ‘market’ is hard to estimate, with valuation estimates ranging from $1.5T to $4T (in 2022). If cybercrime were a standalone national economy, its GDP would place it within the G10 (link)
  • 15% Growth Rate: Proceeds from cybercrime are growing at a compound rate of 15% annually

 

The Prime Target for the Cybercrime Syndicates

The Playbook. Cybercriminals have a playbook, complete with the ideal victim profile (Link). The typical target is:

  • United States based
  • $100 million or more in annual revenues
  • Industries
    • Education and healthcare: Due to the prevalence of old/out-of-date technology and lack of resources to upgrade
    • Manufacturing: Due to the scope of the supply chain and the number of small suppliers who may not have the same cyber security controls and preventive measures
  • Technology
    • Access to Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services

 

Barriers and Challenges Impeding the Progress of Becoming Digital Resilient

Organisations are facing several trends and barriers that may hinder efforts towards becoming Digital Resilient. Some factors are external and hard to control; others are internally self-inflicted through poor decision making and a lack of execution of cyber resiliency initiatives that reduce disruption risk.

Internally Produced Risks

  • The Expanding Attack Surface: 67% of organisations have expanded their attack surface over the past 12 months. Digital Transformation is the primary cause

  • Difficult to Manage: 52% of security environments have become more difficult to manage over the last 2 years. Top 4 drivers are:
      1. ongoing digital transformation efforts
      2. higher data volumes
      3. rapid evolution of cybersecurity landscape
      4. efforts to adhere to new data security and privacy regulations
  • 34% of Cyber leaders rank gaining Leadership support as the most challenging aspect of managing cyber resilience goals


External Risks and Trends

  • Shortage of Talent: 76% of organisations cannot achieve their security goals due to staffing concerns (link)
  • Data Not Secured in Cloud: 70% of organisations are unable to secure data across multiple clouds and on-premises environments (Link: Getting Started with Zero Trust Security, IBM Institute for Business Value)
  • Geopolitical Tensions: 86% of Business Executives and 93% of Cyber Executives believe it is moderately likely to very likely that global geopolitical instability will lead to a far-reaching catastrophic cyber event in the next two years (2023 Allianz Risk Barometer Report)
  • Increased Systemic Risk: 61% of cyber incidents in 2022 involved attacks through the supply chain. (Link) 
  • Discovered Vulnerabilities Continue to Grow (Not Shrink): The number of vulnerabilities has increased every year since 2011 (2022 X-Force Threat Intelligence Report)
    1. 2011: 7,380
    2. 2021: 19,649 (266% increase in 10 years)

2023 Cyber Attack Methods

Cybercriminals continue to rely on human error and weak controls (process and technology) to gain access to organisations. Highly mature organisations have a multi-layered approach designed to mitigate human mistakes as they pertain to cyber incidents and disruptions. See the last section for the Digital Resilient blueprint.

  • 93% of systems can be penetrated by cyber criminals (Link)
  • 75% of cyberattacks are either phishing or exploiting vulnerabilities (2022 X-Force Threat Intelligence Report)
    1. 41% of cyberattacks use phishing for initial access 
      1. 3x the success rate when adding a phone call to the phishing attack 
      2. 64% of organisations list phishing as their primary vector of concern.
    2. 34% of cyberattacks involve exploiting vulnerabilities (2022 X-Force Threat Intelligence Report)
      1. 33%: The increase in number of incidents caused by vulnerability exploitations from 2020 to 2021 (2022 X-Force Threat Intelligence Report)
    3. 9% of cyberattacks involve compromised credentials
      1. Stolen or compromised credentials took the longest time to identify at 327 days. (2022 Cost of a Data Breach report, IBM) 

  • 80% of organisations breached through business email compromise (BEC) did not have multi-factor authentication (“MFA”) in place
  • 70% of organisations have experienced at least one cyber-attack through the exploit of an unknown, unmanaged, or poorly managed internet-facing asset (2022 State of Attack Surface Management report)
  • 61% of successful breaches came through third parties (2022 WEF Cyber Outlook)
  • 79% have experienced some form of ransomware attack (ESG Group: The Long Road ahead to Ransomware Preparedness)

Typical Stages of a Ransomware Attack

IBM X-Force has found a pattern to a ransomware attack, a pattern comprising a 5-stage attack (2023 X-Force Threat Intelligence Report).

Stage 1: Initial Access

The most common access vectors for ransomware attacks continue to be phishing, vulnerability exploitation, and remote services such as remote desktop protocol.

 

Stage 2: Post Exploitation

Depending on the initial access vector, the second stage may involve an intermediary remote access tool (RAT) or malware prior to establishing interactive access with an offensive security tool such as Cobalt Strike or Metasploit.

 

Stage 3: Understand and Expand

During the third stage of the attack, attackers have consistently focused on understanding the local system and domain that they currently have access to and acquiring additional credentials to enable lateral movement.

 

Stage 4: Data collection and Exfiltration

Almost every ransomware incident X-Force IR has responded to since 2019 has involved the “double extortion” tactic of data theft and ransomware. During stage 4 of the cyberattack, the focus of the ransomware operators switches primarily to identifying valuable data and exfiltrating it.

 

Stage 5: Ransomware Deployment

In almost every single ransomware incident X-Force IR has responded to, the ransomware operators targeted a domain controller as the distribution point for the ransomware payload.

The Evolving Data Breach Profile

  • 277 Days: The average length of time to detect and contain a breach. (2022 Cost of a Data Breach report, IBM)
  • 4 hours or less: The length of time ransomware infections take in 88% of cases (Link)
  • 81% of breaches are caused by those external to the organisation. (2022 WEF Cyber Outlook Report)
  • Roughly 4 in 5 breaches can be attributed to organised crime (2022 Data Breach Investigation Report, Verizon)
  • 45% of breaches were cloud-based
  • 83% of organisations studied have had more than one data breach

Paying the Ransom Tends to Lead to More Pain for the Unprepared

First the good news. The percentage of those paying the ransom declined in 2022. Two reasons attributed to the decrease are:

  1. Victims have realized that paying the ransom does not guarantee they will get all their files back or that the threat actors will delete the stolen data, and
  2. Organisations are following better backup strategies at the urging and insistence of ransomware coverage insurers

Those that do pay often pay again when remediation plans are not completed – a sad result for what can be such an easy fix.

  • 76% paid the ransom in 2019
  • 41% paid the ransom in 2022 (Link)


Profiling Ransomware and Extortion Demands

  • 2x: Extortion demands have more than doubled in 2022
  • 77% included a data leak threat in 2021. Up 10% from 2020 (Link)
  • The Triple Extortion Demands: Encrypt data, leak the data and unleash a DDoS attack, if the ransom is not paid
  • 87% faced additional extortion attempts to pay additional fees beyond the initial demand
  • $570,000: Average ransomware payment made in 2021. (link)
  • 518%: Increase in ransomware demands (Link)
  • $40M: The largest ransom sum paid out (Link)


Data Recovery Success Rates from Paying the Ransom

  • 8-14% of organisations got all (100%) of their data back after paying the ransom. (ESG: The Role of Storage in Addressing the Challenges of Ensuring Cyber Resilience, 2021 Sophos State of Ransomware Report)
  • 65% is the average data volume recovered after paying a ransom (2021 Sophos State of Ransomware Report)

Direct Costs to Remedy a Data Breach

  • $4.67M: UK average cost of a data breach, not including the ransom demand. (2022 Cost of a Data Breach report, IBM).
    Breakdown Includes:
      1. Detection and escalation (29%),
      2. Lost business (38%) from downtime,
      3. Post breach response (27%), and
      4. Notification (6%)
  • 1,100: Number of cyber-related claims seen by corporate insurer Allianz Global Corporate & Specialty in 2020
  • USD$401M: Average cost of a mega breach when 50 million to 65 million records are involved (2022 Cost of Data Breach Report, IBM)
  • 23: The average number of days to recover from an attack, once detected (2022 Cost of a Data Breach Report, IBM)
  • 57% of organisations are successful in recovering their data using a cloud backup (2021 Sophos State of Ransomware Report)
  • 95% of ransomware attacks also attempted to infect backup repositories

The Consequences Suffered from a Breach

  • 66% of organisations suffered significant revenue loss following the ransomware attack (2021 Cybereason Ransomware report)
  • 80% of organisations experienced another attack after paying the ransom (2021 Cybereason Ransomware report)
  • -3.0% Stock Performance: NASDAQ found that, 14 market days after a breach becomes public, the average share price bottoms out and underperforms the NASDAQ by -3.5%. After 6 months, the average share price performance falls -3.0% against the overall NASDAQ performance (2022 WEF Cyber Outlook Report)
  • 25% of ransomware victims are forced into a short-term period of closure (2021 Cybereason Ransomware report)
  • 34% of UK organisations are forced to permanently close after a ransomware attack (2021 Cybereason Ransomware report)
  • 32% of organisations removed members of their C-Suite after a breach, either by dismissal or resignation (2021 Cybereason Ransomware report)
  • Investor Interest: 60% of organisations, along with investors and venture capitalists, will use cybersecurity risk as a key factor in assessing new business opportunities by 2025. (Gartner)

State of Cyber Insurance and other Preventative Measures

Over the last three years, Cyber Insurers have tightened their policy language to reduce their risk. Evidence of a Nation-State sponsored attack is viewed as an ‘Act of War’ by some insurers and could lead to non-payment. Many insurers are insisting that a data resiliency plan be in place, with evidence of implementation, before offering coverage to an organisation.

  • 42% of cyber insurance claims did not cover all the losses (link)
  • 21% is the expected compound annual rate for direct cyber insurance premiums (McKinsey)
  • Self-Insure by Paying to Stay Away. One interesting tactic surfaced in 2021: paying Cyber Gangs to ‘stay away’, the self-insured insurance policy of not being hit by an attack. Little detail as to the ‘success’ of this tactic has been made public, but the fact that it was even discussed is alarming (Boulevard)

The Blueprint for the Highly Mature ‘Secure-by-Design’ Organisation

  • Secure by Design
    Embed into the DNA for a frictionless experience while safeguarding access and integrity of data, digital assets and IP. A multi-layered security approach is adopted.
    1. Aligned Decision Making and Strategy Design
      • Alignment between Business and Cyber Executives on cyber resilience strategy and execution
      • Alignment and Integration: 95% of Business and 93% of Cyber Executives agree that cyber resilience is integrated into the IR organizations’ enterprise risk management strategies (2023 WEF Cyber Outlook)
    2. Simplicity
      • Remove complexity. A frictionless experience for employees, easy management and integration for IT professionals, and straightforward security are how complexity and the associated risk are removed
    3. Active Posture to ‘Secure the Supply Chain’
      • Extend cybersecurity to the ecosystem. SLAs are reviewed regularly as part of the risk management practices
  • Cyber Protection + Cyber Resiliency
    Keep Bad Actors out. Ensure breaches and disruptions can’t shut down systems and stop an organisation’s operations.
    1. Automated Response: Identify threats earlier in attack cycle and prioritise
      • Get closest to the breach, preventing further spread. Separate the signal from the noise, thereby prioritising work for security teams. Security automation enhances incident response
    2. Extend detection and response across the whole attack surface
    3. Implement multi-factor authentication
    4. Multi-hybrid cloud deployments limit risk exposure caused by outage disruption
    5. Adaptive: Integrate with existing security monitoring and applied intel (behavioural/threat)
    6. Infrastructure = Hybrid cloud + Zero Trust + MFA
      Protect data everywhere. Reduce impact of human error
  • Data Security and Data Resiliency
    Prevent Bad Actors from accessing Data. Ensure breaches and disruptions can’t prevent access to Data.
    1. Data Resilient: Recover in hours and without doubt 
    2. Automated backup: Air gap the data with separation of duties for access
  • People Protection
    Limit the impact from human error. Confine Bad Actors away from the Crown Jewels
    1. Zero Trust decreases the scale and scope of an attack, while limiting any damage caused by human error
    2. Phishing attack training reduces human error
  • Rehearse the Worst-Case Scenario
    Act like the military. Rehearse for real-world events using table-top exercises. Preparation is key to limit the risk and exposure of a disruption.
    1. Formal incident plan in place, along with regular table-top exercises to rehearse the incident response
    2. Cyber insurance: The last point of support, not the first
    3. IR firm on retainer to accelerate the response and contain the threat

The Unfair Advantage to the Digitally Resilient

  • USD$2 million. Incident response readiness saves an average of USD$2 million when responding to a data breach
  • USD$1.1 million. The average cost savings when containing a data breach to 200 days or less
  • 43% higher revenue growth: Mature organisations experience higher revenue growth over a 5 year period of 43% vs least mature organisations (Prosper in the Cyber Economy whitepaper, IBM IBV)
  • 4 in 5 see security as a value enabler through improved operations, mitigated financial impacts, and avoiding the loss of revenue due to a cyber incident (2022 WEF Cyber Outlook)
  • Tend to Avoid the Stock Market Bounce
  • Perceived as a better investment by Investors and VCs
    • 60% investors and venture capitalists will use cybersecurity risk as a key factor in assessing new business opportunities by 2025
  • Compliance Ready. Unfazed by (future) regulation like DORA/NIS2. Much of the foundation is in place to become compliant.

The Long Road Ahead Towards Becoming Digitally Resilient

  • 79% of critical infrastructure organisations don’t deploy a Zero Trust Architecture.
  • 59% don’t deploy a Zero Trust Architecture (all organisations)
  • 60% of organisations will embrace Zero Trust as a starting point for security by 2025. More than half will fail to realize the benefits (Gartner)
  • < 40% of organisations with developed business continuity plans have tested them. Most organisations have a documented business continuity plan (2022 Allianz Risk Barometer Report)
  • 86% report the adoption of a security strategy
  • 35% have started executing their security strategy
  • 50% of security plans align business and cyber security strategies
  • 70% of organisations are unable to secure data across multiple clouds and on-premises environments

Taking Steps Towards Digital Resiliency

The road to Digital Resilient starts with assessing where you stand today across the core pillars: Secure by Design strategy, cyber security + resiliency, data security + resiliency, people protection and response simulation exercises.

Each organisation operates at a different maturity level. Becoming Digital Resilient starts with objectively assessing maturity level using industry benchmarking, with the assessment providing the prioritized risk mitigation roadmap to advance towards Digital Resiliency.

TES can help. Let’s talk about what’s best for you to become Digital Resilient and realise the full benefits of Digital Transformation.  We can help you at every point of your journey.

Assess for Protection, Resiliency and Preparedness

Working with you, we go ‘under the covers’ to assess and recommend a path forward to address deficiencies in your Digital Resilient posture, whether that is in cyber protection, security, resiliency or testing for survivability of an attack. Recommendations are vendor agnostic.

Briefing: The Path to Digital Resilient

We regularly brief organisations on the Digital Resiliency trends, technologies and best practices that help them stay ahead of cyber criminals, avoid the disruptive effects of an outage and do so in a sustainable manner.

Design and Deploy Protection and Resiliency Solutions: the TES Digital Resilient Blueprint™ is our guide to strengthening your Digital Resilient posture with the right set of complementary technology components ideal for your environment. Leveraging the output of the Assessment or working with you, TES will design and deploy the ideal solution that will reduce the work effort to secure and protect the organisation, ensure a seamless employee experience by reducing complexity, reduce the risk of data loss and close the door on the Black Swan.