2024 was a tumultuous year for cybersecurity. Cybercrime reached unprecedented levels, evolving into a staggering global menace. With a total economic impact exceeding $10.4 billion — double the losses reported in 2023 — this criminal enterprise now ranks as the third-largest global economy, surpassed only by the United States and China.
No industry was safe from major security breaches in 2024. Attacks hit healthcare, finance, the public sector, and communications, with the largest—the Change Healthcare breach—affecting about one-third of Americans, according to UnitedHealth CEO Andrew Witty’s May testimony before Congress.
As we move into another year of escalating cyber threats, the long-term fallout from these breaches will only increase.
ExtraHop’s second annual True Cost of a Security Breach Report analyzed the financial impact of major security breaches on publicly traded companies in 2023 and 2024. The findings reveal a troubling trend: misconfigurations, compromised credentials, and phishing attacks were at the heart of nearly every major breach. Understanding these vulnerabilities is crucial for organizations looking to fortify their defenses and mitigate financial risk in an increasingly hostile cyber landscape.
Cybersecurity breaches are often the direct result of poor cyber hygiene. In 2023, the average security breach cost businesses around $9 million, with some long-term financial impacts reaching $677 million, according to ExtraHop.
Beyond ransom payments, the financial toll of a breach includes hiring digital forensics teams, investing in new security measures, and dealing with legal fees, regulatory fines, and skyrocketing insurance premiums. Additionally, companies face indirect costs such as plummeting stock prices, loss of investor confidence, and a damaged brand reputation—all of which impact market share and competitiveness.
Poor Cyber Hygiene: A Direct Path to Data Breaches
A recurring theme among high-profile cyberattacks is stolen credentials—often compromised due to weak passwords, unpatched software, unencrypted data, and poor employee training. In fact, ExtraHop’s research found that half of IT and security leaders reported over 50% of security incidents were due to poor cyber hygiene.
Organizations are also dealing with rising ransomware attacks, with 58% experiencing six or more attacks in a single year, and a staggering 91% admitting to paying at least one ransom. The reality? Cyber risk is business risk, and failing to prioritize security could lead to catastrophic consequences.
How Attackers Exploit Poor Cyber Hygiene
Cybercriminals don’t need advanced tactics to infiltrate networks—they exploit the basics:
- Stolen Credentials: Private credentials are available on the dark web or extracted through phishing and social engineering.
- Third-Party Vulnerabilities: Many companies lack visibility into how vendors protect shared data.
- Employee Mistakes: Poor training leads to mishandling sensitive information and falling for phishing scams.
- Lack of Executive Buy-In: When the C-suite doesn’t champion cybersecurity awareness, companies make decisions that leave them exposed.
Strengthening Cyber Hygiene in 2025
Organizations must treat cybersecurity as a core business function and not just an IT issue. A security-first mindset is critical. Here’s how:
1. Invest in the Right Security Solutions
There is no one-size-fits-all approach to cybersecurity, but key investments should include:
- Identity and Access Management (IAM): Multi-factor authentication (MFA) and secure password management.
- Network Monitoring & Threat Detection: Real-time visibility into anomalies and unauthorized access.
- Endpoint Security & VPNs: Securing remote connections and devices.
2. Maintain an Up-to-Date Security Inventory
Organizations need a real-time view of all assets, users, and data flows to monitor for irregular activity. Implementing continuous authentication, privileged access management, and device health monitoring can prevent unauthorized access.
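As an added illustration of the inventory reconciliation this step describes (example code written for this page, not ExtraHop's product or research), the script below checks a handful of constructed login records against a constructed device and user inventory and flags the irregular activity an up-to-date inventory makes visible: logins from devices nobody registered, logins by accounts that should have been disabled, privileged logins without MFA, devices that failed their last health check, and inventory records that have gone stale. The log format, field names, the 30-day staleness threshold, and every hostname and username are assumptions made up for the example.

```python
"""Added example (not ExtraHop's code): reconcile constructed auth log lines
against a constructed asset and user inventory to surface irregular activity.
Every device, user, log line and threshold below is made up for illustration."""
import re
from datetime import datetime, timedelta

# Constructed device inventory: owner, last health attestation, last time seen.
DEVICE_INVENTORY = {
    "lt-fin-017": {"owner": "asmith", "healthy": True, "last_seen": "2025-01-14T09:02:00"},
    "lt-eng-204": {"owner": "bjones", "healthy": False, "last_seen": "2025-01-13T17:45:00"},  # failed disk-encryption check
    "srv-db-01": {"owner": "svc-db", "healthy": True, "last_seen": "2024-11-02T03:00:00"},   # record not refreshed for months
}

# Constructed user directory: whether the account is still active and whether it is privileged.
USER_DIRECTORY = {
    "asmith": {"active": True, "privileged": False},
    "bjones": {"active": True, "privileged": True},
    "cdoe": {"active": False, "privileged": True},   # left the company, never disabled in SSO
    "svc-db": {"active": True, "privileged": True},
}

# Constructed auth log in an assumed key=value format (not any vendor's real format).
AUTH_LOG = """\
ts=2025-01-15T08:01:11 user=asmith host=lt-fin-017 result=success mfa=yes
ts=2025-01-15T08:03:40 user=bjones host=lt-eng-204 result=success mfa=yes
ts=2025-01-15T08:05:02 user=cdoe host=lt-unknown-9 result=success mfa=no
ts=2025-01-15T08:06:27 user=svc-db host=srv-db-01 result=success mfa=no
ts=2025-01-15T08:09:55 user=asmith host=lt-fin-017 result=failure mfa=yes
"""

LINE_RE = re.compile(r"ts=(\S+) user=(\S+) host=(\S+) result=(\S+) mfa=(\S+)")
STALE_AFTER = timedelta(days=30)  # assumed policy: inventory records older than this need re-verification


def parse_line(line):
    """Parse one key=value log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, host, result, mfa = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "host": host,
            "result": result, "mfa": mfa == "yes"}


def review_auth_log(log_text, devices, users, now):
    """Return a list of (finding, user, host) tuples for successful logins that
    contradict the inventory. Failed logins are skipped: only a successful
    login from an unknown or unhealthy device is an inventory gap."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        user = users.get(ev["user"])
        dev = devices.get(ev["host"])

        # Identity checks: unknown or deprovisioned accounts should never log in.
        if user is None:
            findings.append(("unknown-user", ev["user"], ev["host"]))
        elif not user["active"]:
            findings.append(("disabled-account-login", ev["user"], ev["host"]))

        # Device checks: every login should come from a known, healthy, recently verified device.
        if dev is None:
            findings.append(("unknown-device", ev["user"], ev["host"]))
        else:
            if not dev["healthy"]:
                findings.append(("unhealthy-device", ev["user"], ev["host"]))
            if now - datetime.fromisoformat(dev["last_seen"]) > STALE_AFTER:
                findings.append(("stale-inventory-record", ev["user"], ev["host"]))

        # Privileged access management: privileged accounts must use MFA.
        if user is not None and user["privileged"] and not ev["mfa"]:
            findings.append(("privileged-no-mfa", ev["user"], ev["host"]))
    return findings


def summarize(findings):
    """Count findings by type so the noisiest inventory gap stands out."""
    counts = {}
    for kind, _, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_auth_log(AUTH_LOG, DEVICE_INVENTORY, USER_DIRECTORY,
                              now=datetime.fromisoformat("2025-01-15T09:00:00"))
    for kind, user, host in results:
        print(f"{kind:24} user={user:8} host={host}")
    print(summarize(results))
```

Run as-is it reports six findings across the four successful logins: the engineer's laptop that failed its health check, the departed employee logging in from an unregistered device without MFA, and the database service account whose inventory record has not been refreshed in over a month and which also skipped MFA. In practice the inventory and directory would be pulled from the CMDB and identity provider rather than hard-coded, but the reconciliation logic is the same.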
3. Strengthen Employee Awareness
Even the best security tools fail when employees aren’t trained to recognize phishing attempts, use strong passwords, and report suspicious activity. Regular cybersecurity training should be mandatory.
4. Evaluate Third-Party Risks
A weak link in your vendor network can expose your entire organization. Assess how partners handle sensitive data and enforce security protocols before sharing access.
Cyber threats evolve constantly, and cyber hygiene must evolve with them. Organizations should regularly review policies, update security practices, and ensure executive leadership is engaged in cyber risk management.
Companies that neglect cybersecurity are inviting financial loss, reputational damage, and regulatory scrutiny. Strong cyber hygiene isn’t optional—it’s a business necessity.