Cybercrime 2021: Online crime at record level thanks to Covid

New challenges for companies

In the 14th edition of the report, 83 authors analysed 29.207 security incidents. 5.258 of these incidents were explicit security breaches (compared to 3.950 breaches last year). There was data from 83 participants with data subjects from 88 countries. Among these participants were members from 12 different industries in three regions of the world. The report classified the security risks using incident classification patterns. These patterns are used to classify the multitude of different threats in a meaningful way and have been revised again this year. They explain 95.8 percent of the security breaches analysed and 99.7 percent of the incidents investigated. This approach aims to make the risks understandable and to identify solutions.

When examining how cybercrime affects global security, the authors of the study found eleven percent more phishing attacks and a six percent increase in ransomware attacks. Cases of fraudulent misrepresentation have also increased fifteen-fold since 2020. 61 percent of the detected attacks involved login data. In what is known as credential stuffing, criminals use stolen credentials from one service in an attempt to gain access to accounts for other services. 95 percent of all companies that were victims of such an attack recorded between 637 and 3.3 billion malicious login attempts in 2021. Attacks on web applications also make up a large proportion of the security breaches recorded in the report, at 39 percent.

Tami Erwin, CEO of the telecommunications group Verizon Business, believes new demands are being placed on the IT security of companies due to the Covid pandemic. New challenges arise primarily from the fact that critical activities are increasingly taking place in the cloud. The risk of cyber threats has increased for almost every company, because human error and dependence on digital infrastructures offer profitable starting points for criminals. In Germany, the average cost per incident was EUR 21.818.

Cybercrime - an issue for every industry

The DBIR analyses a total of twelve industries. It becomes clear there that everyone is focusing on cybersecurity, but some businesses are more affected by security incidents than others. For comparison: 83 percent of compromised data in the insurance and financial sectors was personal in nature. In the scientific and technical area, it was only 49 percent.

• In the health sector, on the other hand, the main risk factor is human error. In particular, incorrect delivery of documents in electronic and analog form is responsible for a large number of security incidents.
• In public administration, social engineering in particular enables hackers to access data. This technique involves personal manipulation of victims in order to encourage them to behave in a certain way, such as disclosing sensitive data. Cyber criminals mainly stole a large amount of access data in this sector using this method.
• In the retail sector, on the other hand, criminals are primarily targeting payment cards and personal data. They mostly get a hold of both through pretexting - a form of social engineering that, in the worst case scenario, can result in reckless money transfers. The attackers also use what is known as phishing in the form of forged emails or entire websites to steal personal data.

Regional differences in motives and techniques

In the Asia-Pacific region, cybercrime is often financially motivated. The criminals generally use phishing to obtain access data from employees in various companies, thereby gaining access to email accounts and web application servers.

In Europe, Africa and the Middle East, cyber criminals focus primarily on web application attacks, system intrusion and social engineering. Web applications are computer programs that visitors use to send or retrieve data from a database via the internet. Since this data is mostly sensitive information such as account information, these applications are a worthwhile target for criminals.

In North America as well the hackers’ motives are mostly financial. Either the criminals obtain the money directly through their attacks or they steal data that they can quickly turn into money. This is increasingly happening through social engineering, hacking or the use of malware. Hacking involves the use of technology or know-how to overcome obstacles (in this case security mechanisms). Malware, on the other hand, relies on malicious code. It is usually downloaded by mistake. Once downloaded, it infects the device and works in the service of the criminals.

Alex Pinto, the main author of the report, makes it clear that this variety of threats does not require a particularly unusual, innovative solution. That is because as extraordinary as the circumstances of a security incident may be, a solid security foundation for the most likely threats is often the best protection.

Cybersecurity at all company levels

The digital association Bitkom gives companies advice on how they can protect themselves against cybercrime. It is not only large corporations, but also small businesses that are worthwhile targets for criminals. Unfortunately, many see the risk as abstract, and cybersecurity is still not part of everyday work - the high costs of protecting against cyberattacks do not seem justified. In addition, there is often a lack of the financial resources and knowledge needed to protect companies.

Managers as role models

Of course, trained staff is an elementary component on the way to the correct handling of data. But in general it is also true that cyber security should be a top priority for management. Managers not only have to promote the conscientious handling of data, they also have to set an example. This also includes conveying knowledge and creating an understanding of possible risks in order to be able to realistically assess threats. It is best to ensure this exchange of knowledge across the entire company. Appointing a security officer is also helpful in this endeavour. Because security concerns everyone.

Set priorities

It is not possible to protect every part of a company from cybercrime to the same degree. The more elementary a process is for a company, the better it should be protected. You should therefore identify the most important processes and critical structures in advance and make it clear where exactly sensitive data is located in order to develop a realistic security concept.

Accept help

The market is full of security service providers that offer many different services and products. Suitable partners can be of valuable help if you analyse in advance where your company needs support. Actively seek cooperation with service providers and security authorities - ideally before something happens. However, do not delegate all cybersecurity tasks to external providers. Every company has to know its own processes and inform itself about risks. Otherwise their security protection is never comprehensive.

Security as part of the corporate culture

A well thought-out security concept is primarily based on prevention. All aspects should be questioned, checked and improved at fixed intervals. Always evaluate the individual risks including their probability of occurrence and determine who is responsible for which areas in the company. If a security incident does occur despite all the measures taken, a clear plan is of course crucial for an orderly and comprehensive response to a cyberattack.

Overall, the aspects of cybersecurity can be broken down into three categories:

• Organisation
  Dealing with risks must be preventive and continuous. The overriding goal should be not only to uncover internal and external risks, but also to rectify weak points within the company immediately. Make sure you determine what will happen if worst comes to worst. Because cyber attacks require quick action with clear responsibilities.
• Technology
  Most companies have basic defence mechanisms against cyberattacks. However, the greater the use of resources and know-how, the less often the measure is actually implemented. This is where a high risk arises as it makes it difficult to identify new threats as such.
  The encryption of data carriers and email communication as well as intrusion detection already offer a minimum level of protection. You should also closely monitor networked devices. The Security Information and Event Management approach enables the observation and detection of security events within an IT environment and ensures rapid response to incidents. You can also rely on Security by Design for interfaces and networked devices. Due to its design, this software takes into account security strategies, patterns and tactics from the outset and thereby guarantees at least a basic level of security.
• Personnel
  The high success rate of social engineering allows worrying conclusions to be drawn about personnel and security in companies. The security measures taken should start in a place the personnel can understand, for example through training courses tailored to the individual workplace. This allows you to create awareness of issues such as espionage, sabotage and data theft. Employees in particularly sensitive positions should undergo a background check before starting their position. It must also be possible for the workforce to report security deficiencies anonymously and easily.

Insurance for cyber damage? Of course!

Even with comprehensive protective measures, a hacker attack can hit anyone. Even an operating system can be a gateway for attacks. With the Professional Indemnity Insurance for IT Professions from exali, you are also fully insured in these cases. If, for example, a programming error on your part results in a security loophole at your customer that enables a hacking attack, the insurer will pay for the damage incurred. If your own business falls victim to a cyberattack, the First-party Cyber and Data Risks Insurance (FPC) add-on has you covered.