2: The headlines vs the reality

This is part of a series discussing cybersecurity basics for an SME.
Click here to go to the start of the series.

Don’t believe everything you hear

You will frequently hear about cyber-warfare, and attacks by hackers against large corporations.

But what you hear through the media is not a true reflection of what is happening to most firms most of the time.

Look at the statistics

Technology vendors publish reports on a frequent basis telling us that XYZ attack is a growing problem (and magically, their technology is the best way to block an XYZ attack).

But there are some trusted sources for independent analysis of the available data.

One of the most trusted global reports is published by Verizon on an annual basis, called the Data Breach Investigations Report.

A recent version of the report (covering the year to October 2022) contains some interesting statistics*:

  1. The majority (~80%) of all cybersecurity breaches are carried out by external actors (the other 20% being internal actors such as staff and business partners, and this includes honest errors such as sending an email attachment to the wrong person). [See Figure 11]
  2. The vast majority (96%) of breaches are financially motivated. Even for large organisations, this only drops to 71%. The perpetrator want the firm’s money. [See Figure 14]
  3. The majority (~80%) of breaches involve a web application or email system. [See Figure 24]
  4. The majority of breaches (~70%) involve a human being fooled by a phishing email. [See Figure 49]

Key takeaway: Worry about criminals seeking financial reward.

Lies, damn lies and statistics

These statistics suggest the following:

  1. Your biggest threat is an organised crime gang seeking financial gain.
  2. They are likely to succeed through a phishing email that fools a staff member and/or by getting their hands on one of your passwords
  3. And if they do access one of your systems, it is likely to be a web-based system like your email or CRM system.

The key takeaway: Worry about a criminal sending an email that fools a staff member. And then worry about the systems they can access if they have a password.

Perhaps I am biased and I’ve picked specific statistics to support my argument.

Read the report for yourself and see what you think.

Or just look around you.

When you hear of an SME suffering a loss due to a cybersecurity attack, do you think it happened because:

  1. A determined attacker hacked into their network under cover of night, lurked around for a while to gain intelligence about the firm, before launching a very specific attack against the firm (or)
  2. An opportunist criminal sent an email to a staff member that fooled them into doing something that later turned out to be disastrous for the firm.

The firm may claim that they were the victim of a sophisticated cyber-attack.

But as we will see in the next section, the most common types of attacks are not sophisticated.

* There are many caveats with these statistics – For example:

  • A global report like this may not reflect what is going on in one country at this moment in time.
  • A report can only tell us about attacks that have been reported by victims. What about the reports that go unreported as firms are embarrassed about being attacked?