A pair of new studies out of Virginia explore the experiences of victims of cyber crime – both individuals and businesses – with the hope that the findings will help bolster cybersecurity.

Cyber crimes often go underreported, leaving authorities guessing about the most pervasive types of incidents as well as how best to combat them. Now, these two reports on cyber victimisation aim to pin down details and lay groundwork for future preventative research. One study is focused on individuals while the other takes a close look at businesses, and both are based in Virginia.

Individuals

The first study focused on individuals, finding that Virginia residents who used social media, used online financial services or owned more devices were more likely to have suffered financial fraud and scams. But careful password practices and Internet navigation made a big difference.

"Probably the most important thing you could do is keep track of your passwords. Change them frequently. Don't use the same one," said James Hawdon, one of the researchers behind the reports. Hawdon is a professor of sociology at Virginia Tech and director of its Center for Peace Studies and Violence Prevention.

The researchers surveyed 1,206 Virginians in 2022 and found a link between online activity and likelihood of cyber thefts or fraud.

The study focused on residents who'd been victimized by having financial accounts opened with their information without their consent, paying online for services from fraudsters, or simply suffering other kinds of fraud. It did not address victimization by malware or cyber extortion.

Findings showed those who had social media accounts, owned multiple devices or engaged in online banking were more likely to have been victimised.

In fact, "use of social media doubles the odds of victimisation, while each piece of equipment used and banking on the Internet increases the odds by 25% and 41%, respectively," researchers wrote.

While the exact relationship between owning devices and higher risk isn't captured by the study, Hawdon said people may struggle to maintain strict security across devices when they have many to keep track of.

Hackers constantly target companies that handle financial data, so residents that engage with such companies always face some danger, Hawdon said. But taking certain precautions can greatly reduce those risks.

Precautionary password behaviour – including saving passwords in a digital password keeper and updating passwords frequently – reduced the likelihood of being cyber victimised by 14%.

To a lesser extent, careful Internet navigation correlated with lower likelihood of victimisation. Hawdon said this meant avoiding public WiFi and directly navigating to websites rather than clicking email links. People doing these things were 5.4% less likely to have suffered cyber crime in the past year.

At the federal level, the Cybersecurity and Infrastructure Security Agency has also advocated secure password practices, naming it one of four key steps to staying safe online.

Businesses

A separate report from the same researchers found a surprisingly high number of business respondents had suffered cyber incidents.

In 2022, researchers received responses from 451 businesses across sectors and sizes, with heavy representation from the tech sector in Virginia. Among respondents, 85.6% had suffered a cyber incident, most commonly getting directed to fraudulent websites or receiving fraudulent emails.

Nearly 72% of businesses were hit within the past year and nearly 60% had been victimized at least twice in that time period.

Almost all businesses engaged in at least one online activity that increases risks, such as using social media, letting customers do business online, storing customers' personal information digitally or having an online company bank account. Many took the risky practice of letting employees use personal devices for work activities.

Fewer than two-thirds of companies followed certain recommended precautions, like routinely updating software (done by 61%), using current malware protections (57%) and having firewalls on company networks (52%). Fewer than one-third of companies followed other core practices like securely backing up data or using multifactor authentication.

One defensive practice – followed by nearly 32% of companies – may have had a major impact: separating WiFi for staff and visitors.

"Not having such a policy increased victimisation chances by approximately 83%," said the report.

Nearly one-fifth of the 386 businesses that had ever suffered cyber victimisation avoided disclosing the incident. Those that reported it most commonly told antivirus companies, followed by clients or customers, and finally, service providers. As for law enforcement, only 12% told the FBI and 9.5% told the police.

Researchers suggested law enforcement raise awareness about the benefits of reporting. And looking ahead, federal laws could soon help. As of December, companies must now report cybersecurity incidents to the Securities and Exchange Commission (SEC). No official date has been set for enacting the Cyber Incident Reporting for Critical Infrastructure Act of 2022, but progress is expected in 2024.

As for these reports, researchers said following the same individuals over time, as well as gathering more data in general, should allow for even better testing of theories about cyber crime. – Government Technology/Tribune News Service