[Reporter’s Notebook] Ministry of Science and ICT’s Hacking Statistics Are Flawed from the Start [Reporter’s Notebook]

Since February, we have been tracking the reality of companies that do not report hacking incidents. Both sources who were extremely reluctant to reveal their identities and cybersecurity experts consistently testified, "Only a very small number of companies report," and "Nine out of ten do not report." The most serious problem uncovered during this investigation is that the government perceives the actual situation of hacking incidents very differently from reality. The official statistics published by the Ministry of Science and ICT, which is the relevant authority, do not accurately reflect these facts.

In December of last year, the Ministry of Science and ICT announced the results of the "2024 Information Security Status Survey." These statistics reveal the state of cyber incidents among domestic companies as of 2023. According to the data, 19.6% of affected companies responded that they had reported the incident. After the SK Telecom incident, several media outlets cited this statistic and wrote that one in five victim companies reports hacking. However, this figure is greatly at odds with what is heard in the field: "Even after losing all their money and time to hackers, companies never inform outsiders for fear of damaging their reputation."

To determine which side was correct, we requested and reviewed the detailed data. The cause of the statistical distortion became clear: the reporting rate among small businesses (10?49 employees) was listed as "100%." This was far higher than the 4.1% for small and medium-sized enterprises (50?249 employees) and the 6.5% for medium-sized and larger companies (250 or more employees). We asked the agency under the Ministry of Science and ICT that conducted the survey why such figures appeared. The astonishing response was, "There were two small businesses that responded they had experienced hacking. Both answered that they reported it, resulting in a 100% reporting rate." Another official from the Ministry added, "Small businesses have low sales and lack the ability to pay in cryptocurrency, so they are not targeted by hackers in the first place."

Nevertheless, the government combined the three groups (small businesses, small and medium-sized enterprises, and medium-sized and larger companies) and announced that the overall reporting rate was close to 20%. As a result, the grim reality faced by small and medium-sized enterprises and larger companies, which are the main targets of hackers, was obscured. The reporting rate for business facility management (55.8%) was much higher than that for manufacturing (2.2%), which is a primary target for hackers, simply because there were very few companies in the former group that experienced hacking. If statistics fail to reflect reality, it is appropriate to increase the sample size or exclude statistically meaningless "extreme cases" from the analysis.

One of the main reasons companies do not report hacking incidents is that the government is unable to provide assistance. Since the statistics are flawed from the start, it is impossible to develop effective policies. This is why companies on the brink of collapse, with all operations paralyzed, turn away from the government and instead seek out shadowy negotiators to settle ransom demands with hackers. The Ministry of Science and ICT's failure to recognize the reality at the most basic level is evidence that South Korea's cybersecurity response is facing a fundamental crisis.

© The Asia Business Daily(www.asiae.co.kr). All rights reserved.