Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

2/21/2018
08:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Global Cybercrime Costs Top $600 Billion

More than 50% of attacks result in damages of over $500K, two reports show.

In cybersecurity it can sometimes be hard seeing the forest for the trees. Constant reports about new attacks, breaches, exploits and threats can make it hard for stakeholders to get a picture of the full impact of cybercrime.

Two reports this week are the latest to take a crack at it.

One of the reports is from McAfee in collaboration with the Center for Strategic and International Studies (CSIS). It shows that cybercrime currently costs the global economy a startling $600 billion annually, or 0.8% of the global GDP. The figure represents a 20% jump from the $500 billion that cybercrime cost in 2014.

The other report from Cisco is based on interviews with 3,600 CISOs and shows among several other things that nearly half of all attacks these days end up costing the victim at least $500,000. Eight percent of companies in the Cisco report said cyber attacks had cost them over $5 million; for 11% the costs ranged between $2.5 million and $4.9 million. The figures include direct and indirect costs such as those associated with lost revenue, customers, and lost opportunities.

Together, the two reports paint a picture of a landscape that is getting from bad to worse in a hurry.

"Cybercrime impacts economic growth. This is not an IT issue but something much bigger," says Raj Samani, chief scientist at McAfee. "Nearly every breach focuses on attribution or the technique, but we rarely ever discuss what the real impact is," Samani says. The net result is that many organizations continue to view cybercrime as a somewhat abstract issue. "I am constantly told 'this does not impact me,'" Samani says. "Yet cybercrime impacts every one of us."

As with many other reports that have attempted to calculate total cybercrime costs, the $600 billion figure in the McAfee/CSIS report is based on estimates. It represents total estimated losses due to theft of intellectual property and business confidential information, online fraud and financial crimes, personally identifiable information, financial fraud using stolen sensitive business information and other factors. Other estimates have put the number much higher, some far lower.

As the report makes clear, underreporting by victims and the overall paucity of real data surrounding cybercrime incidents worldwide have made it extremely hard to get a truly precise estimate of cybercrime costs. In many cases, organizations only report a fraction of their actual losses from cybercrime to avoid reputational damage and liability risks. So to calculate cybercrime costs, McAfee and CSIS borrowed modeling techniques that have been used previously to estimate costs associated with other criminal activities such as maritime piracy, drug trafficking, and transnational crime by organized groups.

The exercise showed that costs of cybercrime have increased significantly in recent years as the result of state-sponsored online bank heists, ransomware, cybercrime-as-a-service, and the growing use of anonymity-enabling technologies like Tor and Bitcoin, McAfee and CSIS said. Malicious activity on the Internet is at an all-time high, with some vendors reporting 80 billion malicious scans, 4,000 ransomware attacks, 300,000 new malware samples and 780,000 records lost to hacking on a daily basis, the report said.

The theft of intellectual property and business confidential information has been a huge reason for the higher cybercrime costs globally. According to McAfee and CSIS, intellectual property theft accounts for at least 25% of overall cybercrime costs. Such theft can include everything from patented formulas for paints to designs for rockets and other military technology. Over the years, the theft of IP has become a huge problem for many industries and has impacted the ability of companies to compete and to profit from their innovations. Yet, it remains one of the most underreported forms of cybercrime.

"[IP theft] is probably the most surreptitious form of data theft," Samani says. For example, a ransomware infection is clearly obvious, and with other forms of data theft or breaches there is an obligation to report. "However IP theft and calculating the cost becomes invisible to the victim, particularly since proving that a competing product was derived from a historical breach is very difficult," he says.

Europe appears to be the region most impacted by cybercrime, but that is likely also in part due to the maturity of the breach reporting habits of organizations there compared to other regions, Samani says.

Cisco's report meanwhile showed that in addition to increasing financial costs, organizations are also becoming more vulnerable to attacks on their supply chain. Supply chain attacks, according to the company, have increased in complexity and frequency and have heightened the need for organizations to pay close attention to their hardware and software sources.

Enterprise security environments have become much more complex as well. Twenty-five percent of the security executives Cisco interviewed said their organizations used security products from between 11 and 20 vendors. Sixteen percent said their organizations were using between 21 and 50 products. The complexity has begun impacting enterprises' ability to defend against threats, Cisco said.

Franc Artes, an architect in the security business group at Cisco says the new report marks the first time the company asked respondents to indicate a range of their financial loss from a security incident. In last year's report, one-third of those who suffered a breach reported a revenue loss of 20%, he says.

Cisco's latest survey shows that attackers are evolving their techniques faster than the ability of defenders to keep up. Troublingly, as organizations continue to leverage their operational technology (OT) infrastructure and create connectivity to these systems, the recognition of it being a vital attack vector has grown as well, Artes says.

"Nearly 70% of the respondents stated they see their OT infrastructure as an attack vector; 20% stated that while it wasn’t currently, they expected it would be in the next few years."

Related content:

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Unreasonable Security Best Practices vs. Good Risk Management
Jack Freund, Director, Risk Science at RiskLens,  11/13/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19040
PUBLISHED: 2019-11-17
KairosDB through 1.2.2 has XSS in view.html because of showErrorMessage in js/graph.js, as demonstrated by view.html?q= with a '"sampling":{"value":"<script>' substring.
CVE-2019-19041
PUBLISHED: 2019-11-17
An issue was discovered in Xorux Lpar2RRD 6.11 and Stor2RRD 2.61, as distributed in Xorux 2.41. They do not correctly verify the integrity of an upgrade package before processing it. As a result, official upgrade packages can be modified to inject an arbitrary Bash script that will be executed by th...
CVE-2019-19012
PUBLISHED: 2019-11-17
An integer overflow in the search_in_range function in regexec.c in Oniguruma 6.x before 6.9.4_rc2 leads to an out-of-bounds read, in which the offset of this read is under the control of an attacker. (This only affects the 32-bit compiled version). Remote attackers can cause a denial-of-service or ...
CVE-2019-19022
PUBLISHED: 2019-11-17
iTerm2 through 3.3.6 has potentially insufficient documentation about the presence of search history in com.googlecode.iterm2.plist, which might allow remote attackers to obtain sensitive information, as demonstrated by searching for the NoSyncSearchHistory string in .plist files within public Git r...
CVE-2019-19035
PUBLISHED: 2019-11-17
jhead 3.03 is affected by: heap-based buffer over-read. The impact is: Denial of service. The component is: ReadJpegSections and process_SOFn in jpgfile.c. The attack vector is: Open a specially crafted JPEG file.