An annual survey on computer security issues run by a UK university was published last week. Its stats on the prevalence of ransomware, and how many people give in to the crooks and pay the ransom, raised some eyebrows.
The figure for ransomware as a whole seems even more eye-opening, with almost 1 in 10 reporting having fallen victim.
The survey was organised by the University of Kent’s Interdisciplinary Research Centre in Cyber Security, by a team composed of both computer scientists and psychologists, and conducted using Google’s Consumer Surveys platform.
As the authors of the report caution their readers, the survey covered a relatively small number of people – just over 1,500 UK adults. That leaves it open to inaccuracies for all sorts of reasons, including sampling bias due to the kinds of people drawn to responding to online surveys, but the results seem dramatic enough to be more than just an anomaly.
Other data picked up by the survey seems fairly predictable. Around two-thirds of us feel at risk from cybercrime, just over 1 in 4 have been the victim of some sort of “cyber-dependent crime” in the last year, with malware (11.9%) and phishing (7.3%) the main culprits. 1 in 10 has been exposed to online bullying, harassment or stalking.
If the rate of malware infections seems a little higher than we normally see in surveys of this nature, that could well be down to the high levels of CryptoLocker and other ransomware included in those figures.
9.7% of people claimed they had been infected by ransomware of some kind, with CryptoLocker specifically named in the survey question and making up around a third of all reported infections.
Proving a negative
Survey data always has a problem in that it’s only as accurate as the knowledge (and honesty) of the people being surveyed.
Malware, for the most part, aims to avoid revealing its presence to its victims, sometimes going to great lengths to do so.
So when you ask someone if they have ever been hit by malware, and their response is a strong and definite “no”, that answer should always be viewed sceptically. How can they possibly know?
Proving a negative is not easy in the best of circumstances, and being certain something hasn’t happened simply because you haven’t noticed it happen is particularly difficult when the thing you haven’t noticed is specifically designed to be secretive and stealthy.
Have you ever been spied on from a distant rooftop? No? Can you really be sure of that?
Unlike most malware though, CryptoLocker and other ransomware attacks make no secret of their presence, indeed their main intention is to make it very plain to their victims that they have been infected.
So it could be that what we’re seeing here is not a change in the total level of malware going around, simply a change in the visibility of it to the general public.
Only a third have firewalls
And perhaps that is no bad thing. Other details emerging from this same survey include less than half of respondents using up-to-date anti-malware, just over a third implementing firewalls, and a little less than that exercising sensible password hygiene.
Maybe a little more visibility will finally make the general public start sitting up and paying more attention to the risks of malware and other online threats.
At the moment, it seems like we’re still mostly either ignorant or in denial, right up until something nasty infects our machine and nabs our data, or encrypts it and demands a ransom.
That so many people pay up is not much of a surprise either. Like other security basics, it looks like proper backing up of sensitive or precious files is a rare thing.
Victims forced to pay up include police departments and law firms, with ransomware threats clearly targeting small businesses where proper security practices such as backups are more likely to be lacking.
These shortcomings may have been hidden in the past, but now they are being forced into the spotlight, and the shock may just jolt people into giving the right priority to their security needs.