Security industry estimates of global cybercrime losses tend to vary quite widely, and sometimes the projections can be startling in terms of magnitude. But the data still helps lend some broad perspective to the mushrooming nature of cybercrime.
Such is the case with the latest cybercrime loss estimates from McAfee.
According to the company, a study it conducted along with the Center for Strategic and International Studies (CSIS) shows cybercrime cost the world economy in excess of $1 trillion in 2019. That staggering figure — and there have been even higher previous estimates — represents a 50% increase from a 2018 study, which pegged global cybercrime losses at around $600 billion.
The study found that in addition to direct financial losses, more than nine in 10 organizations that experience a significant cyber event also have to contend with significant unplanned downtime, business disruption, and damage to their reputation and brand.
"The analysis that CSIS did, showing that [cybercrime losses] is in the trillion-dollar range, was alarming," says Steve Grobman, chief technology officer at McAfee. "That is a good indicator that we need to dial up defensive measures more aggressively."
This is especially true for organizations in industries that are usually considered relatively safe from cyberattacks, Grobman says.
McAfee and CSIS's cybercrime loss estimates counted a variety of costs they say organizations incur after a major security incident. Costs include those involved in detecting, mitigating, and responding to a breach, notifying victims, and implementing remedial measures. Also included are a variety of other costs that organizations do not always consider when evaluating the financial impact of a security incident, says Grobman. Examples include costs associated with lost and missed business opportunities, business disruption and downtime, productivity losses, and damage to the brand.
A survey of 1,500 IT business decision makers McAfee commissioned as part of the study found organizations experienced 18 hours of downtime, on average, following a major security incident. The survey found the average cost to organizations was more than $500,000 per incident. Financially motivated cyberattacks and IP theft accounted for at least 75% of the cybercrime losses organizations experienced last year, according to McAfee.
The data shows how constantly evolving adversary tactics is worsening the impact of cyberattacks for many organizations, Grobman says. In the past, attackers used to target individual devices and systems; now they have now switched to targeting the entire organization.
"One of the things we see today is cybercriminals entering an organization likely by finding credentials on the Dark Web, using a malware implant to create a back door, and then have human operators enter the company's environment," Grobman says.
Shift in Targeting
The goal is often to move laterally and find high-value targets and assets they can then target with ransomware and other malware to create most damage. Even the nature of ransomware attacks has changed from attacks seeking ransoms for encrypted data to attacks that hold entire factories and businesses to ransom. Many of these attacks are the work of sophisticated nation-state-backed threat actors, Grobman says.
The shift from attacks targeting systems and devices to attacks targeting the whole enterprise has exposed weaknesses in incident detection and response capabilities and made cyberattack costlier overall for many organizations. Previously, mitigating an attack often involved removing malware from an infected system or systems and, in drastic scenarios, reimaging them from scratch.
The survey shows that organizations take an average of 19 hours to move from initial incident discover to remediation. Less than 20% of organizations have the resources to be able to handle a security incident internally. The remaining has to hire a third party to come in and help remediate fall out from a cyberattack — another factor driving up the costs associated with cybercrime.
"One important takeaway is that cybersecurity defense is no longer something that only specific sectors have to make a top priority,'" Grobman says. There are a lot of other industries that are part of a broader supply chain — logistics and shipping companies, for instance — that need to make cybersecurity a top investment priority, he says.