The Cranky Admin

Making Sense of Cybercrime Statistics

The data is notoriously difficult to parse, but some basic conclusions can be drawn.

• By Trevor Pott
• 11/29/2017

Cybercrime statistics for 2017 are trickling in. ItBusiness has assembled some of the early reports into a Cybercrime Map and done some preliminary analysis. While interesting, is there anything in this data that can help with mundane IT security problems like printer security or coping with malware attacks?

To understand whether cybercrime statistics are of practical use, we must first understand what kind of data is collected. Cybercrime data tends to come in three broad categories:

• Officially reported cybercrime data from organisations or individuals who have reported cybercrimes to law enforcement
• Data made available by the IT security industry
• Anonymous surveys

Survey data helps identify things like IT budget spending priorities. For example, according to IDC, in Ontario and provinces further east, security makes up 10 percent of the IT budget. In Manitoba and the Western provinces, security makes up only 8 percent of the IT budget.

Survey data also gives us an idea of the type and frequency of cybercrimes that go unreported. This is important, because there are numerous incentives for organizations not to report cybersecurity incidents. Admitting to compromise can have impacts on insurance, expose an organization to regulatory scrutiny and make law enforcement aware that a legal duty to inform customers exists.

Official Cybercrime Stats
The incentives for organizations to keep mum regarding cybercrime means that official cybercrime statistics don't contain a lot of malware attacks or printer security issues. The number of compromised Internet of Things (IoT) devices, email breaches and ransomware reported in surveys bears almost no resemblance to what gets reported to law enforcement.

In many anonymous surveys, more than 70 percent of Canadian organizations report malware attacks. Reports to law enforcement measure in the hundreds per metropolitan region per year.

Police-reported cybercrime correlates with large populations centers about how one would expect, with a few notable oddities. Cybercrime reports in Edmonton and Winnipeg are much lower compared to their population than the national average. Ottawa has a significantly higher rate of reported cybercrime with respect to the population.

Cybercrime reporting coverage is spotty throughout the nation, leaving an incomplete picture. Most reported cybercrimes are not malware related, but rather involve the commission of traditional crimes over the Internet. These crimes traditional crimes include uttering threats and luring a child via a computer. Identity theft is the sixth most popular reported cybercrime. It is the crime highest on the list which -- today at least -- almost certainly requires use of a computer to accomplish.

Separating attacks against computer systems from attacks against people using computers as a communications medium is important when considering cybercrime statistics. Attacks against computer systems in the form of malware and ransomware frequently go unreported, something police forces in Canada are all too aware of.

Ransomware Stats
Ransomware is a growing threat, and Canada is an increasingly popular target. Most Canadian companies do not have effective IT defenses in place, something increasingly difficult for smaller organizations that don't have dedicated IT security staffs. More than 95 percent of Canadian businesses are small businesses.

Ransomware report data available from Malwarebytes and Enigma Software follow the official Cybercrime stats. The Ottawa area is listed as the No. 2 municipality for ransomware, despite being nowhere near the population of cities like Vancouver or Montreal. Again, Edmonton and Winnipeg end up with disproportionately low reports of ransomware relative to their populations.

Drawing Conclusions
It's hard to draw any useful conclusions about cybercrime at a city level from the data available. There could be any number of reasons why Edmonton and Winnipeg have disproportionately low cybercrime statistics. I live in Edmonton, work in IT and do this sort of analysis for a living, and I couldn't even begin to count the number of economic and social factors that could cause this.

On the other hand, the fact that there’s a lot of cybercrime concentrated in Ottawa makes perfect sense. It’s the national capital. It’s both a logical target for all sorts of espionage, and the target of a disproportionate number of awareness campaigns. More bureaucrats means more education about the dangers of malware attacks, and this leads to better reporting.

While it's hard to draw useful conclusions about how cybercrime is affecting individual cities, there is useful information to be mined from these statistics. First and foremost, not many are reporting attacks against computers, such as malware and ransomware. This means there’s a decent chance that if you report attacks against you, that law enforcement will pay attention.

We also know that 8-10 percent of IT budgets being spent on security is average, giving us an idea of what spending levels are required to have an advantage over competitors. Lastly, we know that ransomware is absolutely rampant, and something all businesses need to have a plan for. Nobody is too small to be a target.

Overall, the IT security picture in 2017 hasn't changed much from 2016, which is good news. Let's all work towards making 2018's picture look even better.