Global Cybercrime Costs Top $600 Billion

In cybersecurity it can sometimes be hard seeing the forest for the trees. Constant reports about new attacks, breaches, exploits and threats can make it hard for stakeholders to get a picture of the full impact of cybercrime.

Two reports this week are the latest to take a crack at it.

One of the reports is from McAfee in collaboration with the Center for Strategic and International Studies (CSIS). It shows that cybercrime currently costs the global economy a startling $600 billion annually, or 0.8% of the global GDP. The figure represents a 20% jump from the $500 billion that cybercrime cost in 2014.

The other report from Cisco is based on interviews with 3,600 CISOs and shows among several other things that nearly half of all attacks these days end up costing the victim at least $500,000. Eight percent of companies in the Cisco report said cyber attacks had cost them over $5 million; for 11% the costs ranged between $2.5 million and $4.9 million. The figures include direct and indirect costs such as those associated with lost revenue, customers, and lost opportunities.

Together, the two reports paint a picture of a landscape that is getting from bad to worse in a hurry.

"Cybercrime impacts economic growth. This is not an IT issue but something much bigger," says Raj Samani, chief scientist at McAfee. "Nearly every breach focuses on attribution or the technique, but we rarely ever discuss what the real impact is," Samani says. The net result is that many organizations continue to view cybercrime as a somewhat abstract issue. "I am constantly told 'this does not impact me,'" Samani says. "Yet cybercrime impacts every one of us."

As with many other reports that have attempted to calculate total cybercrime costs, the $600 billion figure in the McAfee/CSIS report is based on estimates. It represents total estimated losses due to theft of intellectual property and business confidential information, online fraud and financial crimes, personally identifiable information, financial fraud using stolen sensitive business information and other factors. Other estimates have put the number much higher, some far lower.

As the report makes clear, underreporting by victims and the overall paucity of real data surrounding cybercrime incidents worldwide have made it extremely hard to get a truly precise estimate of cybercrime costs. In many cases, organizations only report a fraction of their actual losses from cybercrime to avoid reputational damage and liability risks. So to calculate cybercrime costs, McAfee and CSIS borrowed modeling techniques that have been used previously to estimate costs associated with other criminal activities such as maritime piracy, drug trafficking, and transnational crime by organized groups.

The exercise showed that costs of cybercrime have increased significantly in recent years as the result of state-sponsored online bank heists, ransomware, cybercrime-as-a-service, and the growing use of anonymity-enabling technologies like Tor and Bitcoin, McAfee and CSIS said. Malicious activity on the Internet is at an all-time high, with some vendors reporting 80 billion malicious scans, 4,000 ransomware attacks, 300,000 new malware samples and 780,000 records lost to hacking on a daily basis, the report said.

The theft of intellectual property and business confidential information has been a huge reason for the higher cybercrime costs globally. According to McAfee and CSIS, intellectual property theft accounts for at least 25% of overall cybercrime costs. Such theft can include everything from patented formulas for paints to designs for rockets and other military technology. Over the years, the theft of IP has become a huge problem for many industries and has impacted the ability of companies to compete and to profit from their innovations. Yet, it remains one of the most underreported forms of cybercrime.

"[IP theft] is probably the most surreptitious form of data theft," Samani says. For example, a ransomware infection is clearly obvious, and with other forms of data theft or breaches there is an obligation to report. "However IP theft and calculating the cost becomes invisible to the victim, particularly since proving that a competing product was derived from a historical breach is very difficult," he says.

Europe appears to be the region most impacted by cybercrime, but that is likely also in part due to the maturity of the breach reporting habits of organizations there compared to other regions, Samani says.

Cisco's report meanwhile showed that in addition to increasing financial costs, organizations are also becoming more vulnerable to attacks on their supply chain. Supply chain attacks, according to the company, have increased in complexity and frequency and have heightened the need for organizations to pay close attention to their hardware and software sources.

Enterprise security environments have become much more complex as well. Twenty-five percent of the security executives Cisco interviewed said their organizations used security products from between 11 and 20 vendors. Sixteen percent said their organizations were using between 21 and 50 products. The complexity has begun impacting enterprises' ability to defend against threats, Cisco said.

Franc Artes, an architect in the security business group at Cisco says the new report marks the first time the company asked respondents to indicate a range of their financial loss from a security incident. In last year's report, one-third of those who suffered a breach reported a revenue loss of 20%, he says.

Cisco's latest survey shows that attackers are evolving their techniques faster than the ability of defenders to keep up. Troublingly, as organizations continue to leverage their operational technology (OT) infrastructure and create connectivity to these systems, the recognition of it being a vital attack vector has grown as well, Artes says.

"Nearly 70% of the respondents stated they see their OT infrastructure as an attack vector; 20% stated that while it wasn’t currently, they expected it would be in the next few years."

Related content:

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.