Cyber crime not a big deal? Get real

InfoWorld's Bill Snyder interprets a recent Microsoft report to mean that cyber crime stats are wildly inflated. If anything, those stats underestimate the problem

Perhaps you've read Bill Snyder's blog post based on a recent Microsoft paper disputing the high cost of cyber crime cited in many industry and vendor surveys. Unfortunately, I think too many people are taking the actual claims of the paper and expanding its conclusion to cover all cyber crime.

I don't want to debate the validity of the original paper's data or conclusions. I believe my knowledgeable colleagues may even be right that certain surveys radically overstate the costs of cyber crime by relying on overly small sample sizes for a given population.


But I think too many readers of those pieces came away with the idea that cyber crime may not be that expensive to society. The narrative changed from "some surveys aren't accurate" to "cyber crime isn't that costly to society in general." That leap is wrong. It is like a climate change skeptic pointing to above-average snowfall in one Alaskan region and arguing that this one data point refutes all the other data points from around the world that indicate otherwise.

I have no doubt that some surveys overstate the incidence and damage of cyber crime. I also have no doubt that the cost of cyber crime is very high and is a major drag on advanced societies.

Here are my facts: You cannot find an active computer security expert assisting the world's largest corporations who disagrees with the assertion that APTs (advanced persistent threats) are or have been in every Fortune 500 company. APTs have actually penetrated far more than those companies, including military networks, government websites, subcontractor computers, and other firms with significant intellectual property to steal. But I'll deal with the Fortune 500 because that's where my personal focus has been the last five years.

In each of those companies, IT and management have had to spend money and fight to eradicate, or at least reduce, the APTs in their environment. They spend a minimum of a few million dollars a year, and many spend tens of millions. The teams directly involved range in size from a dozen to a few hundred people. Usually the entire network and every computer has to be scoured and/or rebuilt. Expensive consultants are brought in, along with vendors, human resources, senior management, the board of directors, and employees throughout the organization. Not only does it cost a lot, but it stalls the forward progress of the organization.

Most of the time, the company's most significant intellectual secrets have already been stolen. What is the cost of a large company's most promising product being brought to market by a foreign company for less? I've seen entire divisions closed and hundreds of people laid off. What is the cost of a foreign military having our military's encryption codes? What is the cost when a foreign military fields products that are almost identical to our rockets and military fighters and bombers? What is the cost of all our stolen secrets?

How about movie, music, and other digital content theft? A lot of people just want free content, but it does hurt (and often eliminates) the legitimate authors, owners, and publishers of that content. The music industry as we knew it has been destroyed. You can say that the music industry should have moved into the digital era more quickly, but that doesn't make it right that the content was stolen and given away for free.

Go to any open-air vendor market in the world and it will contain pre-release copies of the latest movies being sold for a few dollars. That is a real cost to the producer and owner of that content. Every book I've written or co-authored, eight in all, has been available for free in PDF form from some foreign website before I even received my own copy from the publisher. These days, most computer books don't sell enough to earn back their paltry advance, so knowledgeable authors don't want to get involved. There's just no payback anymore.
