2: The headlines vs the reality

This is part of a series discussing cybersecurity basics for an SME.

Don’t believe everything you hear

You will frequently hear about cyber-warfare, and attacks by hackers against large corporations.

But what you hear through the media is not a true reflection of what is happening to most firms most of the time.

Look at the statistics

Technology vendors publish reports on a frequent basis telling us that XYZ attack is a growing problem (and magically, their technology is the best way to block an XYZ attack).

But there are some trusted sources for independent analysis of the available data.

One of the most trusted global reports is published by Verizon on an annual basis, called the Data Breach Investigations Report.

A recent version of the report (covering the year to October 2019) contains some interesting statistics*:

  1. The majority (70%) of all cybersecurity breaches are carried out by external actors (the other 30% being internal actors such as staff and business partners, and this 30% includes honest errors such as sending an email attachment to the wrong person).
  2. The vast majority (86%) of breaches are financially motivated. The perpetrator wants the firm’s money.
  3. Almost half (43%) of breaches involve web applications (e.g. a web-based email system or CRM system).
  4. Over half (55%) of breaches do not involve hacking – the majority of attacks do not require the bad guy getting into the victim’s systems.

I could point out dozens of other interesting findings in the report. But I’ll mention just two more:

  1. A phishing email (an email designed to fool the recipient) or the use of stolen credentials (e.g. a password) are the most common ways for a criminal to successfully attack a firm.

    As the authors state, while we all think attacks happen by the criminal getting into the firm’s network and then launching other attacks, the reality is different – the criminals “lean more toward attacks such as phishing and credential theft”. (VBIR Full Report – Figure 6)
  2. 50% of all breaches are the work of organised crime gangs. (VBIR Full Report – Figure 10)

Some key takeaways: Criminals; financial gain; phishing emails; stolen passwords.

Lies, damn lies and statistics

These statistics suggest the following:

  1. Your biggest threat is an organised crime gang seeking financial gain.
  2. They are likely to succeed through a phishing email that fools a staff member and/or by getting their hands on one of your passwords.
  3. There is a greater than 50/50 chance that they won’t actually need to access your systems to get your money – your staff will do the work for them.
  4. And if they do access one of your systems, it is almost a 50/50 chance that it will be a web-based system like your email or CRM system.

The key takeaway: Worry about a criminal sending an email that fools a staff member. And then worry about the systems they can access if they have a password.

Perhaps I am biased and I’ve picked specific statistics to support my argument.

Read the report for yourself and see what you think.

Or just look around you.

When you hear of an SME suffering a loss due to a cybersecurity attack, do you think it happened because:

  1. A determined attacker hacked into their network under cover of night, lurked around for a while to gain intelligence about the firm, before launching a very specific attack against the firm (or)
  2. An opportunist criminal sent an email to a staff member that fooled them into doing something that later turned out to be disastrous for the firm.

The firm may claim that they were the victim of a sophisticated cyber-attack.

But as we will see in the next section, the most common types of attacks are not sophisticated.

* There are many caveats with these statistics – for example:

  • A global report like this may not reflect what is going on in one country at this moment in time.
  • A report can only tell us about attacks that have been reported by victims. What about the attacks that go unreported because firms are embarrassed about being attacked?