Businesses need to take the economic impact of cyber crime more seriously, say researchers, after a study revealed that the cost of cyber crime is now up to 0.8% of global gross domestic product (GDP), or $600bn a year.
This is up from 0.7% of GDP in 2014 and represents a 34% increase from $445bn, which is an average rise of 11.3% a year for the three years to June 2017 – steady and significant growth.
Europe suffers the highest economic impact of cyber crime, which is estimated at 0.84% of the regional GDP, compared with 0.78% in North America, according to the latest report on the economic impact of cyber crime by security firm McAfee and the Center for Strategic and International Studies (CSIS).
The main drivers of this growth include the easy availability of cyber crime tools, the rapid adoption of new technologies by cyber criminals, the expanding number of cyber crime centres, and the growing sophistication of top-tier cyber criminals.
“There is a serious problem with under-reporting of cyber crime, with up to 95% going unreported, so the $600bn figure is extremely conservative and is based purely on the figures we have available,” said Raj Samani, chief scientist and fellow at McAfee. “It is bound to attract criticism, but people need to look beyond the metrics at the real story of how the economic impact is growing, and they will realise that it has value because, all of a sudden, we begin to get a different debate.
“The cost of doing business in the digital age is to protect your IT systems and investments, and the economic impact of cyber crime should be one of the most important things businesses are focusing on because failure to protect their intellectual property [IP], financial information and IT networks does have an economic impact.”
According to Samani, too much attention is paid to identifying which country or cyber crime group is to blame for attacks, whereas the more important focus should be on the economic impact, how that can be reduced, and the return on investment in cyber defences.
“The reality is that cyber crime is just an evolution of traditional crime and has a direct impact on economic growth, jobs, innovation and investment,” he said. “Companies need to understand that in today’s world, cyber risk is business risk.”
IP theft alone accounts for at least 25% of the cost of cyber crime and threatens national security when it involves military technology, the report said.
“IP theft and loss of opportunity are two areas of cyber crime impact that are extremely difficult to measure, but we have seen that IP theft and lost opportunities can be fatal for companies, especially for small and medium-sized businesses,” said Samani.
The report identifies cyber crime-as-a-service as a key driver of cyber crime, noting that the industry has become more sophisticated, with flourishing markets offering a broad range of tools and services, such as exploit kits, custom malware and botnet rentals.
“Ever since cyber crime services became commercialised in the mid-2000s, this market has grown and evolved to become bigger and more accessible than it has ever been, with the result that even an 11-year-old could mount and run a ransomware campaign,” said Samani.
Not only has crimeware-as-a-service lowered the barrier to entry, but cyber criminals can now also outsource much of their work to skilled contractors, said Steve Grobman, chief technology officer at McAfee.
“Ransomware-as-a-service cloud providers, for example, efficiently scale attacks to target millions of systems, and attacks are automated to require minimal human involvement,” he said.
Add to these factors cryptocurrencies, which ease rapid monetisation while minimising the risk of arrest, said Grobman, and it is clear that recent technological accomplishments have transformed the criminal economy as dramatically as they have every other part of the economy.
Although ransomware is the fastest-growing cyber crime tool, with more than 6,000 online criminal marketplaces and ransomware-as-a-service gaining in popularity, Samani said cyber attackers seeking easy financial gains are increasingly following the money and switching their focus to stealing cryptocurrency.
“Attacks on cryptocurrency exchanges and vaults are fast emerging as a new area of growth for cyber criminal activity, along with associated fraud,” he said.
Greater standardisation of threat data and better coordination of cyber security requirements would improve security, particularly in key sectors such as finance, according to the report, which noted that banks remain the favourite target of cyber criminals.
However, nation states are the most dangerous source of cyber crime, the report said, with Russia, North Korea and Iran being the most active in hacking financial institutions, and China the most active in cyber espionage.
“Our research bore out the fact that Russia is the leader in cyber crime, reflecting the skill of its hacker community and its disdain for western law enforcement,” said James Lewis, senior vice-president at CSIS.
The UK recently attributed to Russia the NotPetya malware attacks that affected companies around the world in June 2017, declaring that the UK and its allies will not tolerate malicious cyber activity.
“North Korea is second in line, as the nation uses cryptocurrency theft to help fund its regime,” said Lewis, “and we are now seeing an expanding number of cyber crime centres, including not only North Korea but also Brazil, India and Vietnam.”
The types of cyber crime that have the biggest economic impact include:
- The loss of IP and business-confidential information.
- Online fraud and financial crimes, often the result of stolen personally identifiable information.
- Financial manipulation directed toward publicly traded companies.
- Opportunity costs, including disruption in production or services and reduced trust in online activities.
- The cost of securing networks, buying cyber insurance and paying for recovery from cyber attacks.
- Reputational damage and liability risk for the affected company and its brand.
The report also includes some recommendations on how to deal with cyber crime, including:
- Uniform implementation of basic security measures and investment in defensive technologies.
- Increased cooperation among international law enforcement agencies.
- Improved collection of data by national authorities.
- Greater standardisation and coordination of cyber security requirements.
- Progress on the Budapest convention on cyber crime.
- International pressure on state sanctuaries for cyber crime.