Cloudsec: Initial analysis of the European cybercrime scene shown to The Register suggests a growing concern about the threat from targeted attacks, with British enterprises significantly ahead of their European counterparts in terms of cybersecurity measures.
The research, commissioned by Trend Micro to better appreciate the security market in Europe, and conducted by Quocirca, focused on targeted attacks rather than random malware issues, and was shared with El Reg at a Cloudsec roundtable.
It suggests that of the 500 enterprises questioned, all with more than 2,500 employees, most believe that targeted attacks have increased over the last 12 months.
Concerns about cybercrime have risen, and become especially prevalent among British business since 2013, when only a quarter of Blighty's enterprises believed targeted attacks were inevitable.
That figure has now risen to 72 per cent, with a further 21 per cent now considering targeted attacks a concern, even if disputing their inevitability.
In the last twelve months, British businesses detected 8.6 targeted attacks on average. This is significantly higher than the 6.2 attacks detected across Europe as a whole (including the UK).
That a higher number of targeted attacks were detected across Europe by the financial services and IT sectors suggests detection may correlate more closely with the maturity of the sector's cyber savvy, rather than be representative of the threat landscape.
Bob Tarzey, analyst and director at Quocirca, and Rik Ferguson, veep of Security Research at Trend Micro, suggested that the data, which includes organisations who believe they had never been attacked, might not necessarily preclude UK-based enterprises genuinely being targeted more than those on the continent.
While UK organisations have reported a higher average number of attacks, fewer are sure they have been targeted. Some 18 per cent of British enterprises believe they haven't been targeted at all, a figure about which Tarzey was highly skeptical.
The figures above, which are all consistently given as a percentage of the total set of enterprises questioned, suggest that 27 per cent of definite targeted attacks were successful, a significantly lower percentage than attacks across Europe as a whole.
Just under a quarter of successful attacks lead to "a lot/devastating" amount of data being compromised in the UK, which is slightly more favourable when compared with the same effect Europe-wide.
The average estimated cost of a cyber-attack for a UK business is £172,000, compared with £243,000 for all Europe.
As an anecdote, Ferguson noted that when giving talks, he often asked attendees whether they could confidently tell him what version of the often-to-be-patched Acrobat Reader app all of their users were currently running.
"Regardless of audience size," Ferguson said, "I will only ever get two hands up."
Targeted attack mitigation
The UK is ahead in all categories of preparedness, and especially in terms of penetration testing, which British companies are 22 per cent more likely to utilise than the European average. Tarzey suggested that "this explains why, although UK organisations are as likely, if not more likely to be targeted, those attacks are less likely to be successful and data is less likely to be stolen".
The Trend Micro veep suggested that cyber fire drills could be a simple add-on to the existing preparedness actions, combining several of the other tests, and are evidently a powerful, if under-utilised, tool that would provide ongoing training.
"While UK businesses increasingly recognise the reality, scale and impact of targeted attack," stated Ferguson, "the initial data reveals that much more can and should be done in testing their readiness to deal with them."
"A large number of businesses report having training and penetration testing measures in place, but relatively few are conducting cyber-readiness tests, or fire drills. Raising user awareness and probing your systems are both crucial components, but they cannot be fully tested unless brought together in a live-fire exercise involving your employees."
Tarzey said: "Initial analysis of the new data suggests UK organisations are better prepared. However, much more could be done by most UK organisations to prevent attacks and deal with the aftermath when some are inevitably successful."
Quocirca is continuing to analyse the data it has gathered from the 500 respondents, 100 each in the UK, Spain, Italy, Germany and France. The final version of its research on the cybercrime scene in 2015 will be published no later than the end of October. ®