Many blogs, posts, and even industry reports quote cybersecurity statistics. What is the most "dangerous" cyber threat? How many breaches do we experience each year? And, most importantly, what is the financial impact of cybersecurity threats? There are plenty of estimates for all of these. Yet the question remains: where do these numbers come from, and can they really be trusted? In this blog post we look at the reliable sources of cybersecurity statistics and what they actually tell us.
Cyber Security Statistics: the UK Picture
Despite the great variety of literature offering cybersecurity statistics, it is hard to gauge the relative cost of the various threats, because the sources of the figures and the methodology behind the underlying measurement exercises are rarely disclosed. In the UK, the Department for Digital, Culture, Media and Sport releases an annual Cyber Security Breaches Survey. Its 2018 edition covered 1,519 UK businesses (excluding sole traders and agriculture, forestry, and fishing businesses) as well as 569 third-sector organisations (charities). According to the survey, 43% of businesses and 19% of charities reported experiencing a cybersecurity breach or attack during the 12 months preceding the survey, and 49% of businesses and 24% of charities said they outsourced their cybersecurity to a third-party vendor.
The survey also established the most common threats. Note that the percentages below are shares of the organisations that identified a breach, not shares of all breaches, and an organisation can report several types, so they do not sum to 100%. Phishing comes firmly in first place and splits into two kinds of activity: fraudulent emails or redirection to fraudulent websites, which accounts for the lion's share (75% of businesses and 74% of charities), and spear-phishing attempts (28% and 27% for businesses and charities, respectively). Viruses, spyware, or other malware were reported by 24% of both businesses and charities. Ransomware was reported by 15% of businesses and 10% of charities, while denial-of-service attacks were reported by 12% and 13%, respectively. Attacks such as hacking or attempted hacking of online bank accounts are infrequent, at 8% and 3% for businesses and charities, respectively. Unauthorised use of computers, networks, and servers by insiders (staff) affected 7% of businesses and 6% of charities, and other types of breach were reported by 5% and 6%, respectively. Additionally, 48% of businesses and charities identified phishing attacks as the most costly and disruptive breach they had experienced.
In terms of monetary cost, the estimates varied greatly between types of organisation. Large businesses spent, on average, £15,300 ($19,635) to deal with the harmful outcome of a breach, while medium businesses, small businesses, and charities spent £12,100 ($15,528), £1,190 ($1,527), and £678 ($870), respectively. Yet, at the same time, the survey found that only 11% of cybersecurity investment went into protecting staff and systems, and that only 20% of businesses had provided cybersecurity training for their staff.
Cyber Security Statistics: United States
Reliable and traceable statistics on US cybersecurity breaches are harder to obtain than those for the UK, because the majority of published results come from private surveys run by cybersecurity vendors and large service providers. For example, IDC surveyed US businesses and released a report in 2018 suggesting that 77% of the surveyed businesses had been victims of cyberattacks in the preceding 12 months. In February 2018, the Council of Economic Advisers published a report titled "The Cost of Malicious Cyber Activity to the US Economy", which cited several sources, including the Ponemon Institute. It highlighted that, in the absence of centralised statistical records, estimates of the impact of cybercrime on businesses are likely to be biased or inaccurate, since they rest primarily on survey data and tend to over-represent the most notorious or publicly reported events.
The Council also conducted its own analysis, using 290 events in the 2013/2014 financial year covering mostly large businesses, and estimated the effect of cyberattacks on the market capitalisation of the victim companies. Businesses in its sample lost, on average, $494 million per event. For comparison, Ponemon arrived at a very different estimate of $21 million per year using a similar sample of companies, which illustrates how strongly the answer depends on the method. The Council's report does not provide a comprehensive breakdown of costs by threat, leaving us to rely on other sources. Still, the landscape appears broadly similar to the UK: 56% of the "1,300 surveyed IT security decision-makers" in the CyberArk Global Advanced Threat Landscape Report 2018 named phishing as the most challenging threat.
The picture is clear: there are very few reliable and trustworthy sources of cybersecurity statistics. Under these circumstances, it is not obvious where to find a benchmark for the decisions we make about cybersecurity every day. Consider this: would you proceed with building a bridge without reliable, rigorously collected, unbiased data about its inputs, such as materials, stability, destabilising forces, and geography? Probably not. Yet we build cybersecurity systems on (often conflicting and unreliable) information every day.