Report and related events 2016


126 pages A4 format - Published in July, 2016 

Author: Marco R. A. Bozzetti 

In cooperation with: Polizia Postale e delle Telecomunicazioni

Publisher: Nextvalue Srl


  • Gold: F5 Network
  • Silver: AIPSI, Sernet Group, Technology Estate, Trend Micro

Patronage providers: AICA, AIPSI, Assintel, Assolombarda, Aused, CDI Torino, CDTI Roma, ClubTI Centro, ClubTI Emilia Romagna, ClubTI Liguria, ClubTI Milano, FIDA Inform, FTI, IEEE-Italian Chapter, Inforav, itSMF

The 2016 Report is entirely in Italian, but it includes an Executive Summary in English, which is reproduced below.

For the complete Report and the related articles and presentations, all in Italian, please refer to the Italian web page (click the Italian flag at the top right).


Executive Summary OAD Report 2016 

OAD, Observatory on Digital Attacks in Italy, is the new name of the former OAI, Observatory on Informatics Attacks in Italy. This initiative, now in its sixth edition, analyses intentional attacks against the information systems of organizations of every size and industry sector, including central and local public administrations, and publishes an annual report.

OAD is promoted by AIPSI, Italian Chapter of ISSA, and is realized by Malabo Srl, the author's ICT advisory company, and by Nextvalue Srl, a company active in ICT market research and consulting.

The OAD analysis is based on the responses received via web to an online questionnaire in January-June 2016, with a total of 288 respondents. Since the web survey is not based on a specific sample of respondents, the resulting data cannot have statistical significance. Given the number of responses and their good distribution in terms of size and industry sector, the OAD survey provides accurate and contextual information on the phenomenon of cyber-attacks in Italy; it is also useful for raising awareness about computer security and as a reference for risk analysis. In addition, the report analyses which tools the respondents use for prevention, protection and recovery from attacks, and how they react in case of attack. Several considerations emerge from the data collected; some of the most significant are summarized below.

• The OAD Report 2016 considers the attacks detected in 2015.
• The respondents are mostly from companies in the services sector (tertiary), followed by a smaller number from manufacturing companies (secondary) and public administration. In terms of organization size, the largest group of respondents, 43.7%, belongs to structures with up to 49 employees, 22.6% to structures with between 50 and 250 employees (the Italian limit for SMEs, Small and Medium Enterprises), and 33.6% to structures with more than 250, equally distributed across the three classes considered: 251-1000, 1001-5000, over 5001. The sample is fairly well balanced among SMEs, large structures and very large ones.
• Of those who completed the questionnaire, 35.3% are responsible for IT systems, 15.1% belong to the organizational unit for computer systems, and 18% are responsible for digital security (CISO). 24.4% belong to top management (owner, managing director, partner, general manager), especially in small and micro enterprises.
• Attacks in 2015 hit 37.6% of respondents, with a share similar to the total number of attacks in the year per company / institution.
• The percentage of detected attacks, below 40%, has remained stable since 2007. In the author's judgment, this is due especially to the vast majority of small and very small enterprises in Italy, which are not, individually, targets of interest for cybercrime. A second cause is certainly the non-detection of attacks, but this implies that the attack did not have a strong impact on the company / organization, beyond the possible theft of information.
• The most common types of attack in 2015 are malware (78.4%), social engineering (71.9%), theft of ICT devices (34%) and saturation of resources (29.4%). These four types of attack have always been at the top of the list in all the OAI-OAD editions, with different percentages and in different positions relative to each other depending on the year, but with malware, which includes ransomware, always in first place.
• In 2015, as in previous years, the number of attacks and their frequency increase mainly with the size of the organization (as number of employees): the bigger and more internationally known an organization is, the more economic and financial capacity it should have, and therefore the more attractive a target it is for cybercrime and the more it is attacked.
• The impact of attacks is severe only in a limited number of cases, 14.6%. The attacks that had the largest and most severe impacts in 2015 were ICT blackmail, followed by denial of service (DoS/DDoS), malware and TA / APT (Targeted Attacks / Advanced Persistent Threats), all with percentages higher than 20%.
• The low severity of the impact in most attacks is confirmed by the fast recovery time: 44% of cases are restored in a day, and overall about 80% of cases are restored in three days. No case took more than a month. The types of attack that required more than a week to restore include malware, due also to the wide spread of ransomware in Italy, theft of ICT equipment and DoS/DDoS.
• An evaluation of the economic impact of an attack is carried out by 25.9% for all attacks and by 10.2% only for the most serious ones. Among the respondents who reported it, the highest cost of a single attack was estimated at about € 70,000.
• Normally each attack exploits one or more vulnerabilities, which can be technical, organizational or caused by people, be they end users or operators of computer systems. Known technical vulnerabilities are usually resolved by the producers/suppliers, who issue patches and software updates, but these are not always promptly installed. Vulnerabilities are sometimes not discovered and resolved quickly by suppliers, and so remain exploitable by attackers for a long time.
• Known technical vulnerabilities are usually resolved by the producer, who issues patches and software updates, but only 44.5% of the respondents promptly update the software in production. The causes may differ, but most of them are organizational: in particular lack of knowledge of the availability of patches, lack of procedures for software testing, and non-renewal of software maintenance contracts, which is often caused by the severe economic crisis that still persists in Italy.
• The behaviour of ICT users and ICT operators is the most critical and widespread vulnerability, on which the majority of successful attacks are based. Personal vulnerability is facilitated and amplified by tools such as social networks, e-mail, search engines, collaborative tools, increasingly powerful USB sticks and the now prevalent use of mobile devices. These tools make it easier to steal users' identities and acquire their confidential information, which is then used to carry out attacks and commit computer fraud.
• Three-quarters of the users of cloud services did not detect attacks; only 3.4% suffered them on applications (SaaS, Software as a Service) and 2.5% on ICT infrastructures (IaaS, Infrastructure as a Service); no attacks on PaaS, Platform as a Service, have been detected. These low percentages are a clear indicator of the reliability and availability, and of the good level of digital security, of the cloud services in use.
• The main motivation for digital attacks (particularly those most feared in the near future) is to obtain illegal economic returns: the respondents' estimates are 52.1% for fraud, 51.3% for blackmail and 28.1% for espionage, particularly industrial.

• During 2015, the Postal and Communications Police of Italy, as part of the fight against "financial cybercrime", checked 16,697 dubious online transactions in 10 banking groups, blocking € 65,870,825.63 and recovering € 2,734,269.31.
• Only 1.3% of respondents stated that in 2015 money was taken from their bank accounts as a result of the theft of digital identity: an indicator that the computer systems used by the sample of Italian banks ensure a good level of digital security.

• Regardless of the size and the product sector of the respondents, a significant part of the sample uses computer systems that are state of the art and promptly updated technically:

  • 52.1% have IT architectures with high reliability;
  • 42.1% have a Business Continuity Plan;
  • the operating systems of the servers are mainly the latest versions: 68.9% use Windows Server 2012 and 14.3% use Windows Server 2016. 58.8% use hypervisors for server virtualization.

• The technical measures for digital security, from the physical ones to those for data protection, are fairly widespread throughout the sample.

  • A significant 15.1% of respondents use behavioural analysis of ICT systems and users, one of the most advanced tools for preventing functional and technical deterioration of ICT systems, and therefore for identifying possible ongoing attacks.
  • Some of the weaknesses, in terms of how widely the measures are adopted, concern: inspection of the software code, performed by 16.8%; systematic management of patches and versions, performed by just over half of the sample; encrypted storage of critical information, performed by 21.8%; management of operator logs, mandatory for privacy, carried out by less than half of the respondents; and periodic testing of Disaster Recovery plans, carried out by 21% against the 39.5% that have published a Disaster Recovery plan.

• The organizational level of digital security in the sample is less advanced than the technical one, although some aspects are positive and show an improving trend compared with the figures recorded in the previous editions:

  • 57.4% of the sample has not set a policy on digital security;
  • the organizational structure for digital security is not formally and/or very well defined for most of the respondents: 39.5% define a clear role for the CISO, and in 18.6% of cases this role is performed directly by the CIO; only a small fraction of the sample, 3.1%, outsources the CISO role to external professionals or companies;
  • for internal roles concerning digital security, only 12.6% require specific certifications; for external suppliers and consultants these certifications are required by 11.8% of the respondents;
  • the systematic use of standards and best practices for digital security and its governance is still limited mainly to the largest structures:

    • the standards of the ISO 27000 family are adopted with certifications by 12.6% of respondents;
    • ITIL is followed with certified personnel by 12.6%;
    • COBIT is followed with certifications by 3.4%;

  • risk analysis is carried out by 23.5% of respondents; 20.2% already insure the residual risk, and 13.4% intend to do so in the near future;
  • the ICT audit, whether internal, external or mixed, is performed by 45.8% of respondents; 65.5% of these perform it in a structured, periodic and regular way.

In conclusion, OAD 2016 confirms the macro-trend of the previous OAI reports and of recent international surveys. Owing to the huge number of small and very small organizations that constitute its economic core, Italy does not currently fall among the countries most affected by digital attacks. The majority of the respondents have improved the security level of their ICT systems, but the latest digital attacks are more and more sophisticated and more and more difficult to detect, and they can seriously impact the attacked companies, mainly through losses in finance and in reputation. Moreover, not only may critical ICT infrastructures be a target for terrorism, but small organizations too, being less protected, may be subject to massive and parallel attacks aimed at causing a collapse of the whole Italian economy. So far Italy has not been a key target of cybercrime or of a terrorist cyber war, but it runs a growing risk of becoming an easy target in the near future if awareness and the culture of digital security do not grow in the country at every level.

