What is behind the decline in cyber crime victim rates?


Investors in cyber security companies will have been heartened in recent weeks by financial results showing growing demand for their technologies. Businesses have spent heavily on cyber security measures over the last year and anyone with even half an eye on the technology industry will be unsurprised by the reasons why.

Concerns have been mounting about cyber crime for some time due to a series of high-profile cyber attacks, new GDPR regulations that will see businesses fined for being hacked, and unprecedented US and UK warnings that Russian-backed hackers are targeting western internet infrastructure.

Beaming’s analysis shows that ransomware attacks such as WannaCry and NotPetya were simply the tip of the iceberg last year. 2017 was the worst year on record for the sheer volume of cyber attacks on British businesses, with each and every company connected to the internet subjected to 231,028 internet-borne cyber attacks on average, the equivalent of 633 attacks a day.

The volume of attacks continued to increase in the first three months of 2018, a period in which the extra cyber crime activity originating from former Soviet states meant that Europe overtook Asia to become the most common source of attacks for the first time.

Most attacks on British businesses last year sought to take control of connected devices such as building control systems and networked security cameras. Hackers seek to infect these devices with malware that they can use as part of a bigger hack or distributed denial of service attack at some point in the future. It is possible that many readers of this blog work for companies whose IT assets are already infected and they don’t know about it.

The Internet of Things is far from the only target. Beaming also recorded a six-fold surge in attacks targeting company databases, a five-fold increase in attempts to hijack Domain Name Systems and a three-fold rise in efforts to infiltrate remote desktop systems during 2017.

But while the volume of attacks increased last year, Beaming’s research indicates that the number of British businesses falling victim to cybercrime reduced by a fifth. Beaming’s numbers, which are in the same ballpark as the UK Government’s new cyber security survey, show that 43 per cent of British businesses suffered breaches in 2017. This was significantly fewer than in 2016, when more than half (52 per cent) of firms fell victim.

Victim rates fall as smaller companies become more secure

It is encouraging to see that the number of businesses becoming victims of cybercrime is reducing, especially when considering the threat has never been greater. Beaming’s research helps to demonstrate the factors that are contributing to this reduction. We’ve delved deeper into the data to discover what lies behind the decline in victim rates.

Beaming’s research shows that both fear of cybercrime and the risk of becoming a victim of cybercrime increase with business size. This is because larger businesses have more data and more financial resources, and are therefore more attractive to targeted attacks, but also because larger companies have more employees and therefore more potential sources of vulnerability.

Big businesses have been aware of this for some time and were the first to put in place the kind of extensive and increasingly complex cyber security defences that are now commonly used. Large companies, those employing more than 250 people, are more than twice as likely to say they were sufficiently concerned by cybercrimes to put in place additional defences that went beyond a basic level of protection.

The frequency of incidents at these large companies remained fairly constant between 2016 and 2017, with approximately seven in every ten businesses falling victim in both years.

By contrast, small and medium sized businesses achieved significant reductions in victim rates last year. The proportion of small firms (10 - 49 employees) telling Beaming’s researchers they had been compromised fell from 55 per cent in 2016 to 47 per cent in 2017. Amongst medium sized companies (50 - 249 people), victim rates fell from 65 per cent to 57 per cent over the same period.

This is because small and medium sized businesses are now much more aware of the damage a breach can do to their operations and reputations, and have invested heavily in cyber security technology over the last year to improve their resilience to attack.

The proportion of small and medium sized businesses using a network perimeter firewall increased from around half (54 per cent) of those surveyed in 2016 to three quarters (75 per cent) in 2017. Beaming’s researchers also discovered that the number of small companies with intrusion detection systems and proactive vulnerability scanning doubled in the same period of time.

For full disclosure, I must reveal that Beaming has a vested interest here. We aren’t a cyber security company, but we do provide online threat monitoring and a range of specialist network and data security services to help protect our customers and their traffic as it travels across the internet.

We experienced a notable increase in demand for our most secure forms of connectivity and networking services last year from small and medium sized firms wanting to maximise their resilience to cyber attacks and data theft.

The improvements this section of the business community has achieved, however, have gone way beyond the relatively straightforward task of adopting better cyber security technologies and more secure communication protocols.

Employee education and better business preparation have played a key role in the reduction of victim rates. The proportion of small firms with documented cyber security policies increased from a quarter (26 per cent) in 2016 to more than half (51 per cent) by the end of 2017. Amongst medium sized businesses their use increased from 36 per cent to 57 per cent over the same period.

Meanwhile the number of businesses with cyber insurance in place doubled between 2016 and 2017, to 38 per cent of small companies and 54 per cent of medium sized ones. Obtaining this kind of cover requires businesses to have robust defences against attack and solid cyber security policies. As such, many businesses that have recently introduced cyber insurance will have taken steps to be much more resilient as a result.

These measures have made a big difference in victim rates and the fact that they are now being adopted at pace by small and medium sized businesses is accelerating the overall resilience of the UK’s business community.

It is far quicker to implement new policies and educate users in smaller organisations, and by so doing reduce the risk associated with people, the weakest link in the cyber security chain. It takes much more effort to embed these processes and approaches in larger companies, which, despite generally employing sophisticated technological defences, are most vulnerable.

Improvements to be made

While it is encouraging to see the number of victims fall, British businesses are not resting on their laurels when it comes to cyber security. Half of businesses told Beaming’s researchers that they planned to improve their defences in 2018, with 15 per cent adding new network perimeter firewalls and a further 14 per cent improving network access control by introducing measures such as two-factor authentication.

Crucially, while technology helps, businesses cannot simply abdicate responsibility to the machines. Employee education is the hardest part of securing a business and is an area that requires sustained attention. Cybercrime is a sophisticated business: the criminals are launching more attacks than ever and the nature of those attacks is changing constantly. Businesses need to ensure they stay up to date, through technology, procedures and employee education, to ensure they stay one step ahead of the threat.

Sonia Blizzard, managing director, Beaming