ITEM: The internet may be borderless, but cyber crime is more rampant in some countries than others – with Myanmar, Cambodia and Honduras rated as the least safe cyber-neighborhoods on the planet in terms of cyber crime risk.
That’s according to a new study from fraud solution vendor Seon, which gathered data from a variety of sources – from the National Cyber Security Index (NCSI), Global Cybersecurity Index 2020 and Basel AML Index: 9th Edition to the Cybersecurity Exposure Index (CEI) 2020 and the Global Cyber Strategies Index – to rate the risk of cybercrime in 94 countries. The resulting ‘Cyber-Safety Score’ is weighted by factors such as the level of cybersecurity programs in place (and sufficient legislation to enforce them), the level of risk to users and the level of illegal activities like money laundering and terrorist financing.
Denmark made the top of the list as the safest country on earth in terms of cybercrime risk, with a score of 8.91 out of 10. Germany is a close second at 8.76, and the US is an even closer third at 8.73.
However, bad news if you live or work in Myanmar – it ranks dead last with a score of 2.22. Cambodia is just above it at 2.67, and Honduras slightly better at 3.13.
All three score poorly in all of the indexes used, especially in terms of cybercrime legislation – Myanmar barely has any laws to prosecute cybercriminals, and Cambodia isn’t much better. Ironically, Honduras has better anti-cybercrime legislation in place by comparison, but ranks lower than both Myanmar and Cambodia in every other metric.
The big question of course is: how seriously should we take this ranking?
My own take: Not very, at least not at the individual level. Cybercrime is literally everywhere, and low risk doesn’t mean zero risk. If your organization has a crap security posture, or at least employs people easily fooled by phishing emails, it doesn’t matter if you’re based in Copenhagen or Yangon – you’re still as likely to be successfully breached.
More to the point, cybersecurity is an ongoing arms race. There is literally no cybersecurity threat assessment report or press release from any reputable source claiming that the number of attempted and successful attacks is going down. It rises every year, and will continue to do so as the world goes increasingly digital and connects more and more things. That’s why buzzwords like security by design and zero-trust are more than slogans – they are essential for digital survival and resiliency.
Consequently, any CISO worth their salt should ideally be planning and designing their security strategies as if their company were based in the most dangerous place on earth. Whether you’re based in a “cyber safe” country should be irrelevant.
That said, CISOs also have to deal with the reality of budget limitations and risk assessments that prioritize where security is implemented. Part of that risk assessment involves understanding the external threats out there: all the different ways that bad guys may be looking to attack you, and what you have that they would want. So perhaps it’s worth knowing things like the level and nature of cyber crime in your immediate neighborhood. Even so, it would be foolish to assume that a high “cyber safe” rating means your security doesn’t have to be as tough.
To be fair, Seon is not saying that organizations in low-risk countries can relax and lower their guard. The real takeaway of the report is that it highlights the importance of government policy in effective cybersecurity. The countries with low scores also happen to be the ones where government policies and cybercrime legislation are minimal to non-existent.
That’s an important point because – as security expert Bruce Schneier has been saying for years now – cybersecurity in general is a problem that the private sector and the free market cannot solve alone. It needs to work with the public sector to create sound and sensible cybersecurity strategies, as well as powerful legislation with teeth to enforce those strategies. That doesn’t just mean prosecuting the groups or individuals launching attacks, but also holding organizations accountable for lax security practices.