The annual cost of cybercrime is either staggering, or a mere blip on the world’s economic bottom line, depending on how you look at it.
It is notoriously difficult to quantify, since a majority of cybercrime incidents go unreported, some companies don’t even realize they have been compromised and many are not able to put a dollar value on intellectual property (IP) that they still have, but is now also in the hands of a competitor, a thief or another nation state.
But most estimates put global losses in the hundreds of billions of dollars. One report released last month, by the Center for Strategic and International Studies (CSIS) and titled “Net Losses: Estimating the Global Cost of Cybercrime,” puts it between $375 billion and $575 billion.
That, on the high end, would make it more than the U.S. defense budget. It would be more than the entire economies of many countries. And the report’s authors say while it is possible they have overestimated that cost, they believe it is far more likely they have underestimated it.
Even so, the losses for most individual countries, including the U.S., amount to less than 1% of gross domestic product (GDP). For the U.S. it is estimated at 0.64%. The worst of the G20 countries is Germany, at 1.6%. By some reckoning, that could be viewed simply as another minor cost of doing business.
That, in essence, is the view of Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. “When I hear about the massive cybercrime problem, I want to know what specifically do you mean?” he said. “If we are going to take the IP loss as seriously as they want us to take it, we need to know how it was actually used.”
Healey said that estimating the real economic cost of cybercrime has been almost impossible for decades. He said it has had a range of two orders of magnitude since 1988. “We really don’t have a good answer,” he said.
But he does agree with other experts and with reports that say the raw number matters less than the trend, which is that losses from cybercrime are increasing.
TK Keanini, CTO of Lancope, is among them. “The important point here is that it is trending in the wrong direction and the rate is increasing year over year,” he said.
He added that some companies were damaged so badly by cybercrime that they are no longer in business. So, for individual companies, “that is a much greater number than 0.64% in my book,” he said.
More worrisome is that a majority of companies, while their leaders express heightened concern about cyber attacks, are not taking security measures that have been recommended by experts for years.
A second report by PwC, also released in June, titled, “US Cybercrime: Rising Risks, Reduced Readiness” (CSO is a cosponsor of the report, along with the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the U.S. Secret Service), did not attempt to estimate total global or U.S. losses, but found that, “7% of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, compared with 3% of global organizations; furthermore, 19% of US entities reported financial losses of $50,000 to $1 million, compared with 8% of worldwide respondents.”
There are a number of reasons suggested for the growth in cybercrime. One is that defenders are, effectively, outgunned. The PwC report, based on a survey of more than 500 U.S. executives, security experts, and others from the public and private sectors, was blunt: “The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries,” it said.
According to the CSIS report, the incentives are with the attackers. “Cybercrime produces high returns at low risk and (relatively) low cost for the hackers,” it said, while for companies, it is a business decision based on their perception of their risk.
“The problem with this is that if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk,” the report said.
Many are indeed unaware of their risk, according to PwC, which reported that, “the FBI last year notified 3,000 US companies – ranging from small banks, major defense contractors, and leading retailers – that they had been victims of cyber intrusions.” In other words, they didn’t discover the intrusions on their own.
And that lack of awareness apparently leads to broad failures to implement even fundamental security practices – practices that have been recommended by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST). The PwC survey found that 54% of respondents don’t provide security training for new hires, and only 20% train on-site first responders to handle potential evidence.
Only half reported having a plan to respond to insider threats, and fewer than 40% reported that they have a mobile security strategy, encrypt devices and have mobile device management.
It found that many organizations, including utilities and operators of other critical infrastructure, are using outdated software like Windows XP, which is no longer supported, even though the warnings about the end of support were issued six years in advance.
And relationships with third parties are lax, and getting worse. The survey found that only 44% of companies have a process for evaluating third parties before they launch business operations with them. That is down from 54% the previous year.
Only 31% reported including security provisions in contracts with external vendors and suppliers, and a mere 27% conduct incident-response planning with supply chain providers.
To counter, or even slow the growth of cybercrime, experts agree that a much larger percent of organizations need to implement those basics – what most of them call “security hygiene.” Tom Bain, senior director at CounterTack, said it is important to remember that much cybercrime is not all that sophisticated, such as SQL injection and basic malware, “like a Trojan that has been around in millions of variants for years. It doesn't always have to be a sophisticated attack, or executed with precision and stealth,” he said.
But beyond that, Bain said companies could actually turn the tables by, “applying stealth methods of monitoring, and doing that at-scale, so that organizations can essentially spy on attackers.”
Keanini recommended, “treating cybercrime as a business problem – as a competitor or disrupter to one’s business continuity is the first step.”
“Attackers are more than anything beating defenders by their innovation and creativity,” he said. “It is time that defenders meet them on these terms and outplay them for once.”
Healey believes that the market, not government regulation, has the best chance of making companies take cybersecurity seriously, and that the most effective way to achieve it is through shareholder pressure.
In a recent column in U.S. News & World Report, he argued that the road to real reform should start in Omaha, Nebraska, home to the iconic “Oracle of Omaha” Warren Buffett; and then proceed to Sacramento, Calif., home to one of the nation’s most activist investor groups – CalPERS (California Public Employees Retirement System).
If Buffett, famously risk averse, were to reject investments in companies that didn’t take cybersecurity seriously, “every other investor, corporate board director and executive would take notice,” he wrote. “Perhaps not even President Obama could command such attention on the issue.”
CalPERS, he said, even when it is a minority shareholder, has been effective in a grassroots way in pressing companies to change policies or actions that it believes will hurt the long-term value of its shares.
“I think that’s a great approach,” Healey said. “Convince shareholders that they’re at the risk of losing.” Companies are much more likely to respond to that kind of pressure than to another round of government regulations, he said.
“I say let’s start with market solutions,” he said.