Cyber crimes often go underreported, leaving authorities guessing about the most pervasive types of incidents as well as how best to combat them. Now, two reports on cyber victimization aim to pin down details and lay groundwork for future preventative research. One study is focused on individuals while the other takes a close look at businesses, and both are based in Virginia.
INDIVIDUALS
“Probably the most important thing you could do is keep track of your passwords. Change them frequently. Don’t use the same one,” said James Hawdon, one of the researchers behind the reports. Hawdon is a professor of sociology at Virginia Tech and director of its Center for Peace Studies and Violence Prevention.
The researchers surveyed 1,206 Virginians in 2022 and found a link between online activity and likelihood of cyber thefts or fraud.
The study focused on residents who’d been victimized by having financial accounts opened with their information without their consent, paying online for services from fraudsters, or simply suffering other kinds of fraud. It did not address victimization by malware or cyber extortion.
Findings showed those who had social media accounts, owned multiple devices or engaged in online banking were more likely to have been victimized.
In fact, “use of social media doubles the odds of victimization, while each piece of equipment used and banking on the Internet increases the odds by 25 percent and 41 percent, respectively,” researchers wrote.
While the exact relationship between owning devices and higher risk isn’t captured by the study, Hawdon said people may struggle to maintain strict security across devices when they have many to keep track of.
Hackers constantly target companies that handle financial data, so residents who engage with such companies always face some danger, Hawdon said. But taking certain precautions can greatly reduce those risks.
Precautionary password behavior — including saving passwords in a digital password keeper and updating passwords frequently — reduced the likelihood of being cyber victimized by 14 percent.
To a lesser extent, careful Internet navigation correlated with lower likelihood of victimization. Hawdon said this meant avoiding public Wi-Fi and directly navigating to websites rather than clicking email links. People doing these things were 5.4 percent less likely to have suffered cyber crime in the past year.
At the federal level, the Cybersecurity and Infrastructure Security Agency has also advocated secure password practices, naming them one of four key steps to staying safe online.
BUSINESSES
A separate report from the same researchers found a surprisingly high number of business respondents had suffered cyber incidents.
In 2022, researchers received responses from 451 businesses across sectors and sizes, with heavy representation from the tech sector in Virginia. Among respondents, 85.6 percent had suffered a cyber incident, most commonly getting directed to fraudulent websites or receiving fraudulent emails.
Nearly 72 percent of businesses were hit within the past year and nearly 60 percent had been victimized at least twice in that time period.
Almost all businesses engaged in at least one online activity that increases risks, such as using social media, letting customers do business online, storing customers’ personal information digitally or having an online company bank account. Many followed the risky practice of letting employees use personal devices for work activities.
Fewer than two-thirds of companies followed certain recommended precautions, like routinely updating software (done by 61 percent), using current malware protections (57 percent) and having firewalls on company networks (52 percent). Fewer than one-third of companies followed other core practices like securely backing up data or using multifactor authentication.
One defensive practice — followed by nearly 32 percent of companies — may have had a major impact: separating Wi-Fi for staff and visitors.
“Not having such a policy increased victimization chances by approximately 83 percent,” said the report.
Nearly one-fifth of the 386 businesses that had ever suffered cyber victimization avoided disclosing the incident. Those that reported it most commonly told antivirus companies, followed by clients or customers, and finally, service providers. As for law enforcement, only 12 percent told the FBI and 9.5 percent told the police.
Researchers suggested law enforcement raise awareness about the benefits of reporting. And looking ahead, federal laws could soon help. As of December, companies must report cybersecurity incidents to the Securities and Exchange Commission (SEC). No official date has been set for enacting the Cyber Incident Reporting for Critical Infrastructure Act of 2022, but progress is expected in 2024.
As for these reports, researchers said following the same individuals over time, as well as gathering more data in general, should allow for even better testing of theories about cyber crime.