2: The headlines vs the reality


This is part of a series discussing cybersecurity basics for an SME.


Don’t believe everything you hear

You will frequently hear about cyber-warfare, and attacks by hackers against large corporations.

But what you hear through the media is not a true reflection of what is happening to most firms most of the time.

Look at the statistics

Technology vendors publish reports on a frequent basis telling us that XYZ attack is a growing problem (and magically, their technology is the best way to block an XYZ attack).

But there are some trusted sources for independent analysis of the available data.

One of the most trusted global reports is published by Verizon on an annual basis, called the Data Breach Investigations Report.

A recent version of the report (covering the year to October 2024) contains some interesting statistics*:

  1. The majority (~65%) of security incidents are caused by external actors (the other 35% being internal actors such as staff and business partners, with about 75% of these being honest errors such as sending an email attachment to the wrong person). [See Figure 11]
  2. The vast majority (~90%) of breaches are financially motivated. The perpetrators want a payoff. [See Figure 12]
  3. The majority of breaches (~68%) involve a human element. [See Figure 3]

Key takeaway: Worry about criminals seeking financial reward.

Lies, damn lies and statistics

These statistics suggest the following:

  1. Your biggest threat is a crime gang seeking financial gain.
  2. They are likely to succeed through a phishing email that fools a staff member and/or by getting their hands on one of your passwords.
  3. And if they do access one of your systems, it is likely to be a web-based system like your email or CRM system.

The key takeaway: Worry about a criminal sending an email that fools a staff member. And then worry about the systems they can access if they have a password.

Perhaps I am biased and I’ve picked specific statistics to support my argument.

Read the report for yourself and see what you think.

Or just look around you.

When you hear of an SME suffering a loss due to a cybersecurity attack, do you think it happened because:

  1. A determined attacker hacked into their network under cover of night and lurked around for a while to gain intelligence about the firm before launching a very specific attack against it (or)
  2. An opportunist criminal sent an email to a staff member that fooled them into doing something that later turned out to be disastrous for the firm.

The firm may claim that they were the victim of a sophisticated cyber-attack.

But as we will see in the next section, the most common types of attacks are not sophisticated.

* There are many caveats with these statistics – for example:

  • A global report like this may not reflect what is going on in one country at this moment in time.
  • A report can only tell us about attacks that have been reported by victims. What about the attacks that go unreported because firms are embarrassed about having been attacked?