Scary security stats: why you should forget the figures
Remember Lockdroid? Early last year, the terrifying ransomware was spotted in the wild, posing as a porn app and armed with the ability to brick your smartphone. Headlines screamed that billions could be affected, with Symantec claiming two-thirds of Android users could be at risk.
In the end, Google’s own analytics revealed the true story: only a thousand phones downloaded Lockdroid – and not a single one actually installed it.
When it comes to security, scare stories abound: nothing grabs our attention like a terrifying statistic in a headline. It’s a tactic security companies use to encourage us to be wary online – and, of course, to buy their products. And while there’s plenty we should be concerned about when it comes to digital security – cybercriminals, state-level surveillance, hackers doing it for the lulz – the marketing and public relations staff behind antivirus and other security companies opt not for personal stories of the damage wreaked by holes in digital defences, but for big, inflated numbers.
There are plenty of recent examples, but here’s one from my inbox. A business ISP called Beaming sent out a press release claiming that UK businesses were hit by an average of 43,000 cyber-attacks each in the first quarter of 2017. That isn’t a total across all businesses; it’s per business – a claim that every company in the UK was subject to roughly 474 attacks every day.
That sounds pretty high, doesn’t it? Well, it’s actually down 7% from last year.
But these aren’t necessarily attacks in the sense that you’d expect – it depends on how you define that word. While a spokesperson for Beaming stressed that attacks means “individual attempts by hackers to breach a particular company’s firewall”, the company’s managing director, Sonia Blizzard, described it in the press release as “being probed”.
Given that the company is focusing on the Internet of Things, in all likelihood those hundreds of “attacks” a day are automated scripts poking around the internet, searches run from services such as Shodan that scan for connected devices, researchers looking for poorly configured devices, and, yes, some would-be hackers.
“We count them as the same in these figures – any unauthorised attempt to access the network,” explained the spokesperson. “We’ve said previously that the majority of internet cyber-attacks are computer scripts that search the web for weaknesses and probe firewalls constantly for a way in. Once inside, it’s relatively easy for hackers to take over connected devices and lie dormant before mis-using those assets as part of a bigger hack or distributed denial-of-service attack at a later stage.”
This isn’t criticism of Beaming. It merely highlights how the way we define terms affects the research keeping track of security problems. Is sniffing for ports an attack? Or is making use of what you find the attack? Semantics aside, the number itself is largely pointless. If you have devices connected to the open internet, lock them down, regardless of whether your kit was sniffed 400 times a day, 40 times or four times.
Security companies have a goal: getting you and your company’s attention, in order that they can go on to sell you something. It’s more difficult to make allowances for the government. Multiple times a year, via the Department for Culture, Media & Sport (DCMS), the National Audit Office, or some other agency, the government releases cyber-security reports. These documents are usually produced by a consultancy – such as PricewaterhouseCoopers (PwC) or a university – so we, the taxpayer, are paying for them to be produced.
Perhaps the most amusing example is from 2013, when the NAO issued a report claiming cybercrime costs the country between £18 billion and £27 billion annually. Those alarming numbers may not sound amusing, but the first figure comes from a University of Cambridge report that the government commissioned to debunk the source of the second: a report by Detica (an information intelligence firm)… also commissioned by the government.
Even if we run with the £18 billion figure, the Cambridge report lists it in dollars, not pounds, so it should be $18 billion. Plus, it includes everything from card fraud, loss of consumer confidence, the cost of antivirus, tax and benefit fraud, and – what most of us consider cybercrime – online banking fraud and botnets. The latter cost the UK only $164 million annually, the report said – far less than Britons and their businesses spend on antivirus, with the report noting that “true cybercrime” costs citizens “a few tens of pence per year directly,” while “the indirect costs, such as the money spent on antivirus software, can be a hundred times that.”
If you’ve already decided to ignore such alarmist arithmetic, you’re not alone: the report’s authors themselves warned against tallying up figures for a big number to throw into headlines.
Such dodgy maths isn’t a one-off, and is noticeable even in the most recent reports. At the end of last year, the NAO released Protecting Information Across Government, which looks at efforts to reduce costs while improving data security – a worthy goal. In section 3.9, the threat of cybercrime is described as “considerable” and “increasing”, citing research from a previous BIS-commissioned report by auditors PwC that found 90% of all large British companies were hit by a security breach of some sort in 2015. “The average rate of breaches was more than one per month, at an average cost of between £1.46 million and £3.14 million, up from £600,000 to £1.5 million in 2014.”
Unpicked, that means nine out of ten large British companies suffered a security breach in 2015, averaging more than one a month, at an average cost in the millions of pounds each. That’s a lot of hacking – and a lot of cash.
Such a claim should make anyone do a double-take, and with good reason: it isn’t true. British companies aren’t being hit by a breach that costs them millions of pounds every month. The PwC report – which is based on a self-reported survey – reveals that large companies are hit by an average of 14 breaches a year, but that includes everything from a DDoS attack to malware or a staff-related incident, such as misusing login credentials. The average cost figure in the millions of pounds isn’t for each of those breaches, but for the worst single breach suffered by large organisations in the year, with the cost for small businesses ranging from £75,000 to £310,000. That figure isn’t the average; it’s the worst-case scenario for the worst-hit businesses – one government agency has misquoted another’s report.
Back to that figure claiming 90% of British companies are hit by a breach each year. This week, a report commissioned by the DCMS and produced by the University of Portsmouth and Ipsos MORI claims a survey reveals 46% of British companies were hit by a breach in the past year, rising to two-thirds for larger firms. Nine in ten versus fewer than five in ten – that’s a very big gap.
Why are security issues so hard to add up? Martijn Verbree, partner in KPMG’s cyber-security practice, said this is down to a few issues. “Number one, we don’t have a clear and universally agreed definition about what a breach actually is and how we measure it,” he told me. “This causes apples to be compared with pears. And oranges. And bananas…”
For example, which of the following should be included in a tally of attacks against businesses? A tailored email containing ransomware that you ignore; a bot scanning your website for open ports; your Twitter account being taken over; or someone stealing 100,000 customer records. “Opinions will differ about what to count and how to count it, even within the cyber-security expert community,” he said. “Getting clarity of what we’re measuring as security breaches is necessary first before we can start reporting and comparing it.”
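To make the definitional point concrete, here is an added worked example (not code from the article, from Beaming or from KPMG) that runs one constructed day of events for a small business through several counting rules: Beaming’s “any unauthorised attempt”, a narrower “reached a listening service”, a count of distinct sources, and finally “achieved an effect”. The event values are assumptions built to mirror the scenarios described above (a scanner sweep across many ports, path fuzzing against a web server, SSH password guessing, ransomware emails nobody opens, one guess that works, records leaving afterwards); they are not real telemetry.

```python
"""Count "attacks" under different definitions over the same constructed event log.

Added example, not from the article or from any vendor's tooling. The Event
fields, the sample day and the definitions are assumptions made for
illustration; the point is how far apart the headline figures land.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    src: str          # source address (constructed, documentation ranges)
    dst_port: int     # port the traffic was aimed at
    port_open: bool   # was anything actually listening there?
    kind: str         # syn_scan | http_probe | login_attempt | phish_mail | data_exfil
    succeeded: bool   # did the action achieve its goal (auth OK, data left)?


# Constructed day of traffic for one small business. Most of it is scanner noise.
EVENTS = (
    # 40 hosts sweep 8 common ports each; only 22, 80 and 443 are open here.
    [Event(f"203.0.113.{i}", p, p in (22, 80, 443), "syn_scan", False)
     for i in range(1, 41) for p in (21, 22, 23, 80, 443, 3389, 8080, 8443)]
    # one bot fuzzes paths on the web server
    + [Event("198.51.100.7", 80, True, "http_probe", False)] * 60
    # one host guesses SSH passwords all day
    + [Event("198.51.100.9", 22, True, "login_attempt", False)] * 100
    # ransomware attachments arrive by mail; nobody opens them
    + [Event("192.0.2.5", 25, True, "phish_mail", False)] * 12
    # one password guess works ...
    + [Event("198.51.100.9", 22, True, "login_attempt", True)]
    # ... and customer records are pulled out afterwards
    + [Event("198.51.100.9", 443, True, "data_exfil", True)]
)


def count_any_unauthorised(events):
    """Widest rule, as the ISP's spokesperson put it: any unauthorised attempt."""
    return len(events)


def count_against_live_services(events):
    """Narrower: only traffic that reached a listening service, excluding bare
    SYN scans, so only events that could have done something."""
    return sum(1 for e in events if e.port_open and e.kind != "syn_scan")


def count_distinct_sources(events):
    """Another common choice: count attacking hosts rather than packets."""
    return len({e.src for e in events})


def count_succeeded(events):
    """Narrowest: actions that achieved an effect, which is what most people
    picture when they read the word 'breach'."""
    return sum(1 for e in events if e.succeeded)


def by_kind(events):
    """Breakdown of the log by event type, to see what dominates the total."""
    return Counter(e.kind for e in events)


def tally(events):
    """All the headline figures one log can produce, depending on the rule."""
    return {
        "any unauthorised attempt": count_any_unauthorised(events),
        "reached a live service": count_against_live_services(events),
        "distinct sources": count_distinct_sources(events),
        "achieved an effect": count_succeeded(events),
    }


if __name__ == "__main__":
    for name, n in tally(EVENTS).items():
        print(f"{name:>26}: {n}")
    print(dict(by_kind(EVENTS)))
```

Run as written, the same log yields 494 "attacks" under the widest rule, 174 under the live-service rule, 43 distinct sources and 2 events that actually achieved anything. None of those numbers is wrong; they answer different questions, which is why a figure quoted without its definition tells you almost nothing.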
Add to this the problem that many companies don’t know when there’s been a breach, or don’t report it when it happens – hence the need to survey companies to get a full picture of breaches, as we can’t depend on police reports.
“Many organisations will not be keen to make their security breaches public, simply because it could harm their reputation, share price, [or] could cause regulatory issues,” Verbree said. “Sometimes, it’s such a small incident that it isn’t worth anyone’s time to report it, [but] that could develop to a much larger breach over time when more is uncovered about what happened.”
So how big is the scale of cybercrime? No-one knows, and anyone saying differently is selling something. Count up every probe or malware-loaded email, and we’re under constant attack. If we only include actual breaches, we lack a full picture. “We’re talking about thousands of scans per day and emails with malware in it received daily,” Verbree said. “How many of these attacks actually result in a data breach that gets found out about and eventually reported? It’s hard to say how big it actually is. But the ones that are being reported are really the tip of the iceberg.”
That could be set to change. “The silver lining here is that the new General Data Protection Regulation will enforce a European-wide requirement for organisations to notify data breaches involving personal information to supervisory authorities and affected individuals,” Verbree said. “Hopefully, this will standardise the way and manner in which some of these breaches are being reported, but it will be far from complete.”
In the meantime, don’t panic over the figures in any security report, regardless of whether they’re from industry or the government – in the end, it doesn’t matter how many attacks and breaches happen across the ecosystem, only whether they happen to you or concern your data.