It was a big year for cybercriminals, who made off with somewhere in the neighborhood of $1.5 billion worth of users’ personal identifying information (PII) in 2021, according to a report from threat intelligence company Black Kite.

Black Kite looked at 81 third-party breaches that accounted for over 200 public disclosures, and its top findings are unsurprising for anyone who lived through the past year: Ransomware attacks were the most common, healthcare providers were the most popular target, and attackers mostly exploited software vulnerabilities to accomplish their goals.

SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)

Bob Maley, chief security officer at Black Kite, said that the trends it identified in the report show that threat actors, like many companies, are becoming more agile and capable of launching quick, devastating attacks.

“[Increased attacker agility] is not just a change from 2021, but an overall message. Attack methods are becoming more clever, more detailed, with flexibility and dexterity. If agile attack methods are improving, our response must match, if not counter their growth,” Maley said in the report.

2021: A portrait in breach reports

Black Kite said that ransomware breaches only accounted for 15% of attacks in 2020, compared with 27% in 2021. The report calls ransomware “the most efficient attack method,” describing it as one of the quickest and easiest ways to steal, and then monetize, data like user PII.

Aside from ransomware, unauthorized network access and unsecured servers/databases were the two other top breach methods in 2021. The report describes the two methods as mainly consisting of cracking weak passwords or vulnerabilities in access control in the case of the former, and unsecured internet-facing hardware and software in the case of the latter.

In terms of third-party vendors that were the most breached, software publishers beat out IT service providers, healthcare tech providers, admin services and cybersecurity providers for the third year in a row.

“More often than not, companies trust that the software and services they use are secure and do not check for vulnerabilities along the digital supply chain. Exploitations of weaknesses along the supply chain have led to some of the most notable attacks over the last few years, including 2020’s SolarWinds (attack),” the report said.

As for industries being targeted, healthcare leads for no other reason than the COVID-19 pandemic, which has thrust healthcare into unsafe territory. “Lack of budget, remotely shared personal data between patients and hospital systems, and outdated software all point to avenues for hackers to infiltrate and gain access to a company’s data,” the report said.

Closing the gap between attacker and target

The report said that it found healthcare and government agencies to be the most likely to have improved their security postures in the past year, largely because they were trying to prevent another attack. This is a positive outcome, but the report also calls on readers to imagine how much smaller the impact of an attack would have been had those steps been taken earlier.

“There are gaps right now in vendor risk management and the way corporate society approaches cyber posture as a whole. If the process remains compliance- and checklist-oriented, we forfeit agility for rule-following,” Maley said.

SEE: Google Chrome: Security and UI tips you need to know (TechRepublic Premium)

Instead of thinking of things in terms of compliance, Maley said security needs to be thought of in terms of awareness. “A mature vendor risk-management program means looking at 200+ places at once in order to slowly close the gaps,” Maley said.

What that looks like in practice is real-time insights provided by specialized tools that connect across ecosystems to put everything you need to know in one place.

“If you are going to take one learning away from this, remember that merely following best practices, checklists and meeting industry standards is outdated methodology for understanding risk. Managing risk with the big picture in mind isn’t qualitative, it is flexible. Agility is all about knowing where to look, and truly looking isn’t process-based,” Maley said.