The annual Internet Security Threat Report from security giant Symantec, released yesterday, will not be easy reading for any business with data to protect.
It throws open the window to a world of highly-skilled cyber criminals with skill sets that echo those of nation-state attackers, who are fuelling an exponential growth in online crime.
Cyber criminals 'have extensive resources and a highly-skilled technical staff that operate with such efficiency that they maintain normal business hours and even take the weekends and holidays off,' said Kevin Haley, director, SymantecSecurity Response. 'We are even seeing low-level criminal attackers create call centre operations to increase the impact of their scams.'
This increase in sophistication, with cyber criminals running their outfits with much the same business models as their enterprise victims, is leaving legitimate businesses at risk of suffering more than three cyber-attacks a year.
Alongside a staggering 125% increase in zero-day vulnerably globally, 430 million new malware variants discovered in 2015 alone, and half a billion records lost as a result of data breaches, there was one country that stood out as a victim – the UK was ranked as the most targeted nation for spear phishing attacks and ransomware in 2015. It was also ranked the second-most targeted in social media attacks.
But why is the UK so highly targeted? It could down to people in the UK being particularly prone to this type of social engineering, but it's unlikely.
> See also: UK public sector can use big data to tackle £29bn lost through fraud
Mark Hames, security specialist at internet security firm ESET points several factors: the large proliferation of users of all ages using technology in the UK and the convenience of not having to translate previous spear-phishing or scams from English could be among them.
'With so many UK citizens being connected to the internet in so many ways, it could be down to the sheer amount of targetable victims,' says James.
'From mobile phones to tablets, desktops or laptops it’s all about being connected in this day and age, we love to share our statuses, our photos and all manner of information about our daily lives. We are used to emails and social media being a very real part of our life from the early days of our youth right through to the silver surfers. We also need to consider the fact that a lot of businesses like to operate out of the UK.'
The UK is an easy target with a good ROI for criminals, but EMEA is also similarly ripe for harvesting. This increased threat could arguable be down to a general immaturity across the board in IT security, compared with businesses in the US.
Industry figures such as Philip Lieberman, president of security specialist Lieberman Software, believe that 'paranoid' EU privacy laws could be inhibiting the introduction of stronger security technologies.
Lieberman is calling for governments in the UK and EU to repeal existing privacy laws in order to be able to collaborate and knock down these attacks.
'Stop anti-competitive actions that make it difficult for US companies to sell their more secure technology in EMEA under the guise of paranoid feelings that somehow EU and UK customers are going to be spied upon by the US government,' urges Lieberman.
'Given the current laws in the UK and EMEA, there is little that citizens and companies can do to protect themselves from these threats. The act of self-protection and monitoring for threats in many cases is seen as a criminal act by an employer subject to immediate prosecution.'
At a time when tech giants are fighting for their customers' right to privacy from government spying, Liberman controversially calls the concept of privacy 'impossibly idealistic', arguing that it often creates a dangerous trade-off between privacy and keeping data secure from criminals through monitoring.
But whether or not you agree with Lieberman's assertion, technology on its own is only one defence factor. Many of the vulnerabilities faced by UK companies could be down to gaps that still exist in people and process.
> See also: Think you can spot a scam? 97% of people wouldn't know a phishing email if it hooked them
As people conduct more of their lives online, attackers are increasingly focused on using the intersection of the physical and digital world to their advantage. In 2015, Symantec saw a resurgence of many tried-and-true scams, such as fake technical support scams, which saw a 200% increase last year – with the UK again the second most targeted nation globally.
Practical measures such as incident management, proper training and the basics such as regular software patching are often the key to stopping these kind of exploits, says James:
'No software is 100% safe so most companies work very hard to find and patch any security flaws, but it’s not always possible to automatically push these fixes out to you without the potential of causing more problems.'
'Having good workable policies in place for your email system and social media along with limiting access to those that need it is a good way to lower your attack vector, user education and a good regular updating internet security software will also help to keep you safe.'
'Having a process in place to periodically review your security policies and getting your staff involved through training or clear lines of communication in case of anomalies is a great way to get that extra protection.'