A trillion dollars lost to cyber crime every year

The world economy is now losing more than $1tn (approximately £740bn) to cyber crime every year, an increase of more than 50% on figures reported in 2018, and with two-thirds of organisations reporting some kind of cyber security incident in 2019, the average cost to an individual company has now topped $500,000.

This is according to a new report produced by security firm McAfee alongside the Centre for Strategic and International Studies (CSIS), focusing on the significant financial and unseen impacts of cyber crime.

The study, The hidden costs of cybercrime, is based on data collected by pollsters Vanson Bourne, who interviewed a screened, representative sample of 1,500 cross-sector IT and line of business decision makers between April and June of 2020, alongside CSIS interviews with government officials, open source material, and IMF income data.

“The severity and frequency of cyber attacks on businesses continues to rise as techniques evolve, new technologies broaden the threat surface, and the nature of work expands into home and remote environments,” said Steve Grobman, senior vice-presidemt and chief technology officer at McAfee.

“While industry and government are aware of the financial and national security implications of cyber attacks, unplanned downtime, the cost of investigating breaches and disruption to productivity represent less appreciated high-impact costs,” he said. “We need a greater understanding of the comprehensive impact of cyber risk and effective plans in place to respond and prevent cyber incidents given the 100s of billions of dollars of global financial impact.”

McAfee’s researchers said the increase could be explained on one hand by better and more accurate incident reporting, but on the other, by “better” and “more accurate” cyber criminals. Cyber crime is profitable, can be quite easy, and is a relatively low-risk criminal activity – the most sophisticated cyber criminals almost always evade justice.

These are not, however, the only factors. The increased reliance on the internet to conduct our daily lives and business – particularly during the pandemic, although this research was undertaken early on during the current period of disruption – means there is more opportunity for cyber criminals to make an impact.

Furthermore, in the past 12 months, for example, the explosion in ransomware attacks and phishing-related incidents has seen malicious actors target organisations that often have no real choice but to pay, such as those in the healthcare sector or government.

Besides the headline financial figures, the study revealed the lasting impact of an incident beyond the financial one. Some of the most overlooked costs of cyber crime come in the form of damage to company performance, McAfee found, with 92% reporting negative effects.

These included system downtime, which affected about two-thirds of respondent organisations; reduced efficiency as a result of this, with organisations losing an average of nine working hours a week; incident response and mitigation, with a significant cost burden coming in the form of outside security consultancy and forensic investigations; and brand and reputational damage – 26% of respondents identified damage to their brand thanks to a cyber attack.

McAfee and CSIS also found evidence that the majority of organisations are not preparing adequately for security events and fail to understand cyber risk, making them vulnerable to attacks from outside, and rendering them unable to spot problems in time to prevent them becoming full-blown incidents.

The report said 56% of organisations did not have a plan to both prevent and respond to a cyber security incident, and of those that did, only 32% believed it was effective.