In this chapter we present the results of the analyses of the first wave (June- August 2016). Before entering into detail, we report that the questionnaire was filled in primarily by high-level representatives of the participating businesses: or 37.8% of the respondents classified themselves as CEO or member of the executive board; 19.5% as managing director; 10.7% as Chief Information Security Officer; 10.7% as other IT staff and 5.9% as executive director. This suggests that the respondents had a good evidence base to assess both victimization and impact correctly.

The chapter is structured as follows. First, we discuss the extent to which businesses have been confronted with cybercrime in the 12 months preceding the survey, this includes, both the business victimization prevalence for each cybercrime type, and the incidence of each type. Next, we focus on the business representatives’ perceptions of the likelihood of their business being attacked in the following 12 months. Third, we estimate the harms to material support, that is, the costs of cybercrime that the businesses have experienced in the 12 months before the survey. Fourth, we discuss the business representatives’ assessments of the non-material harm of cybercrime that the businesses have experienced in the same time span. Finally, we give an overview of the technical and procedural measures businesses have taken to prevent cybercrime victimization.

VICTIMIZATION IN THE PAST 12 MONTHS

Two thirds of the businesses in our sample (66.5% or 181 businesses) have been victims of cybercrime, at least once in the last 12 months. Specifically, illegal access to IT systems and data/system interference are much more prevalent than the other types: 50% of the businesses (or 155 businesses) report illegal access to their IT systems and 44% (or 128 businesses) data/system interference. Less than a quarter admit cyber extortion (24.1% or 68 businesses), and still fewer internet fraud (12.9% or 35 businesses) and cyber espionage (3.6% or 10 businesses).

The majority of the businesses have suffered repeated attacks. The data shows that 83.2% of the 155 victims report repeated attempts at illegal access to their IT system; 72.7% of the 128 victims experience repeated incidents of data or system interference, and 57.4% of the 68 victims report repeated cyber extortion incidents.