



Cyber crime not a big deal? Get real

Apr 24, 2012 (8 min read)
Cybercrime, Data and Information Security, Hacking

InfoWorld's Bill Snyder interprets a recent Microsoft report to mean that cyber crime stats are wildly inflated. If anything, those stats underestimate the problem

Perhaps you’ve read Bill Snyder’s blog post based on a recent Microsoft paper disputing the high cost of cyber crime cited in many industry and vendor surveys. Unfortunately, I think too many people are taking the actual claims of the paper and expanding the conclusion to cover all cyber crime.

I don’t want to debate the validity of the original paper’s data or conclusions. I believe my knowledgeable colleagues may even be right that certain surveys radically overstate the costs of cyber crime by relying on overly small sample sizes for a given population.


But I think too many readers of the previous writings came away with the idea that cyber crime may not be overly expensive to society. The narrative meme changed from “some surveys aren’t accurate” to “cyber crime isn’t that costly to our society in general.” That transition would be wrong. It would be like what some climate change opponents do by taking above average snowfall in one Alaskan region and arguing that one data point refutes all the other data points from all over the world that indicate otherwise.

I have no doubt that some surveys overstate the incidence and damage of cyber crime. I also have no doubt that the cost of cyber crime is very high and is a major impediment to advanced society.

Here are my facts: You cannot find an active computer security expert assisting the world’s largest corporations who disagrees with the assertion that APTs (advanced persistent threats) are or have been in every Fortune 500 company. APTs have actually penetrated far more than those companies, including military networks, government websites, subcontractor computers, and other firms with significant intellectual property to steal. But I’ll deal with the Fortune 500 because that’s where my personal focus has been the last five years.

In each of those companies, the IT and management infrastructure has had to spend and fight to eradicate or lessen APTs in their environment. They spend a minimum of a few million dollars a year, and many go into the tens of millions of dollars. The teams directly involved range in size from a dozen to a few hundred. Usually the entire network and every computer has to be scoured and/or rebuilt. Expensive consultants are brought in, along with vendors, human resources, senior management, the board of directors, and employees throughout the organization. Not only does it cost a lot, but it stops the forward progress of the organization.

Most of the time, the company’s most significant intellectual secrets have been stolen. What is the cost of a large company’s most promising product being brought to market by a foreign company for less? I’ve seen entire divisions closed and hundreds of people laid off. What is the cost of a foreign military having our military’s encryption codes? What is the cost that a foreign military has products that are almost identical to our rockets and military fighters and bombers? What is the cost of all our stolen secrets?

How about movie, music, and other digital content theft? A lot of people just want free content, but it does hurt (and often eliminate) the legitimate authors, owners, and publishers of the content. The music industry is destroyed as we know it. You can say that the music industry should have moved quicker into the digital era, but that doesn’t make it right that the content was stolen and given away for free.

Go to any vendor open space in the world and it will contain pre-release copies of the latest movies being sold for a few dollars. That is a real cost to the producer and owner of that content. Every book, and I’ve written or co-authored eight, has been available for free in PDF form from some foreign website before I even get my copy from the publisher. These days, most computer books don’t sell enough to make back their paltry advance, so knowledgeable book authors don’t want to get involved. There’s just no payback anymore.

How bad is online theft from our banks? Years ago I was consulting for the largest regulators for U.S. banks. I asked how bad cyber crime was against banks. No one seemed willing to answer publicly, but on a break, one of the senior managers told me that online fraud was 2 to 6 percent of a bank’s revenue. That’s huge! U.S. bank revenues are measured in the hundreds of billions of dollars.

How much faster would the Internet be if cyber crime didn’t exist? Spam makes up most of the email sent and has for more than a decade. How much less bandwidth could we buy and still get the same speed if bad things didn’t exist? Wouldn’t it be nice to buy and sell on the Internet without having to worry about cyber crime? Instead, most of the people sending me emails about my Craigslist items are from scammers and phishers. I know many people who have lost tens of thousands of dollars to online scammers and they don’t get that money back.

One in every four to eight people has their online identity stolen each year. Many have their credit ruined and spend up to 90 hours (on average) to clear their name. Many of the exploited people never clear their name or credit record. So don’t tell me that the banks replacing their stolen money means no harm was done.

According to the FBI, in the United States alone in 2011, more than 300,000 people lost $1.1 billion. Only one in every 21,000 criminals involved in these crimes got caught and prosecuted. This is just the crime that was reported.

If we’re trying to figure out the real overall cost of cyber crime, we need to include the accumulated revenues of the entities that are mostly sustained by fighting cyber crime. You must add up the revenues of Symantec, McAfee, CheckPoint (now just a subdivision), Cisco (for firewalls), every anti-malware vendor and every anti-spam, anti-virus, anti-phishing product. Every company and even person I know has purchased some of these products. What is the cost? In the billions each year.

My whole existence as a security professional is a cost. I get paid well. The companies that hire me pay my company more than my company pays me. When I show up to consult, usually the company has a team of people that meet to listen, discuss, and to deploy our recommendations. That is a real cost. Those people are getting involved in something that they would otherwise not need to be involved in, if it had not been for cyber crime.

My entire industry (fighting cyber crime) is a burden on society. We cost a lot, and we do not bring any real value. Well, we bring value in that our customers are successfully exploited less than if we didn’t exist, but we don’t add productivity above and beyond what the customer would have if cyber crime didn’t exist. Every second a company has to spend to deal with cyber crime, every dollar they have to pay, decreases real productivity and increases the cost of the product and service delivered. The cost is very difficult to estimate, but it must be in the trillions.

I make a good living doing what I do, but the reality is that I’m really just part of a huge burden placed on society by criminals. I even like what I do. I find the work interesting. But I really wish that I spent my professional life making people’s lives more productive, instead of just helping them to fight what they shouldn’t need to fight just to try and be a little productive. There is not a single person in this world, online or not, who isn’t affected by cyber crime and who bears some part of the burden and some part of the cost.

This story, “Cyber crime not a big deal? Get real,” was originally published at Keep up on the latest developments in network security and read more of Roger Grimes’ Security Adviser blog at For the latest business technology news, follow on Twitter.


Roger A. Grimes is a contributing editor. Roger holds more than 40 computer certifications and has authored ten books on computer security. He has been fighting malware and malicious hackers since 1987, beginning with disassembling early DOS viruses. He specializes in protecting host computers from hackers and malware, and consults to companies from the Fortune 100 to small businesses. A frequent industry speaker and educator, Roger currently works for KnowBe4 as the Data-Driven Defense Evangelist and is the author of Cryptography Apocalypse.
