The True Cost of Cyber Crime
First written in 2014
One of the greatest debates in the information security world is not about security guidelines or expert certification, and it is not technical in any way. The debate is about the true cost of cybercrime.
The 2013 McAfee report stated that cybercrime costs worldwide were £266 billion ($445 billion) annually.
NetDiligence reported the legal and operational costs associated with each stolen customer record in the US is $956 with the average US data breach/liability cost being $2.9 million.
The Ponemon report placed the average cost incurred by a corporation for a data breach at $3.2 million.
These numbers are staggering, and when they are reported many attempt to discredit them, claiming they are simply fear mongering or asking, “If these numbers are true, why aren’t there any billionaire hackers?”
This industry debate, often played out through the media both traditional and social, results in companies not taking the threat seriously because they do not understand the threat. Of course firms will claim they understand the threat and will point to new technology they have deployed or new management roles they have established, but when asked about the effectiveness and impact of those actions, management is at a loss.
However, why are these numbers so important? There are various business and cultural reasons, but a direct reason is the penalty. When I served as an FBI Special Agent, in order for a criminal to be prosecuted you had to show they violated the various aspects of the law. Each law addressing cyber threats included a required loss to the victim of a minimum of $5000. In truth, however, depending on the jurisdiction of the courts, many cases would not be prosecuted unless the loss was over $250,000. In addition, if the criminal was convicted of the crime, the prison sentence was also based on the total loss or cost associated with their criminal activity. Thus, loss/cost and how it is calculated is an integral part of prosecuting criminals.
Cyber threats can be broken down into four categories: Crime, Espionage, Warfare and Activism.
Calculating the cost for each of these is extremely difficult because the impact often cannot be measured in real time.
A cyber espionage attack, where trade secrets are being stolen and used by a competitor, may last several years without the victim knowing it is occurring, let alone understanding the impact.
A cyber warfare attack is intended to destroy systems and data, and again the true impact is unknown until all battles within the war are completed.
A cyber activist attack is an attack on the company and its management’s reputation. It is an attempt to air a company’s “dirty laundry” in order to force change within the company, but also to change the consumer’s view of the firm. How do you calculate the value of reputation?
Given this, the industry tries to focus on cybercrime, that is, actions motivated strictly by profit. Within this arena there are two subcategories: cyber-enabled crime, such as hacking, malware delivery and botnet/DDoS attacks, and cyber-dependent crime, which is the profit taking/fraud.
Cyber-dependent crime is where most media coverage is focused, as it provides something tangible for people to understand. Namely, the data was stolen and then used by criminals to buy products or steal money.
It is this belief in data monetization that fuels the debate about costs, because we all assume that the fraud is the only cost. Not all stolen data is credit/debit card numbers or financial. Stolen data can be used in numerous different ways, all of which result in profit to the criminals and costs to the victims.
Below is a graphic of all the ways one “owned” (compromised) computer can be used to profit.
The image shows eight potential uses for a hacked computer and within each of those eight, there are a minimum of four sub-uses.
The monthly values are based on a percentage of the reported losses from numerous reports, plus an average of the estimated cost of operating systems in areas of the US, UK and other countries where the data could be obtained through public sources.
In order for a cyber-criminal to achieve the $240K in a year, they must use the hacked box for all of the listed uses and sub-uses. They must also not be paying for services such as the hardware itself, the electricity, the installed software and the internet bandwidth, and must not incur the time expense of creating the email or social media accounts.
If a cyber-criminal is running any of these schemes, the “costs” given by the various reports are not only the profit being made but also the capital outlay the victim suffers to correct the issues.
Thus cybercrime statistics lump together all the different components into the calculation of impact and therefore cost. These components are:
- Man hours to fix the issue multiplied by the hourly rate of the employee
- Cost for consultants and outside experts
- Cost for new/updated equipment
- Cost of the reputational harm to the victim company
- Amount of fraud against stolen credentials
- Fraud dependent on stolen credentials
- Costs to replace stolen cards and data
- Costs for insurance
- Cost for data recovery
- Lawsuit liabilities
- Regulatory penalties
By including all of these components in the cost calculation, the reporting companies are attempting to give a complete picture of the true impact.
However, what is often missed in the reporting is the breakout of costs.
By breaking out the costs into the components listed above, companies would be able to look at the list and develop cost-saving strategies in each area.
For example, having a relationship with outside consultants and experts who understand the company’s systems prior to an event will dramatically cut costs, because plans for incident management and resilience will already exist. The same can be said for relationships with law firms, insurance companies and public relations companies.
Preparation based on understanding is the key.
To that end, the true cost of cybercrime is not just the monies made by the criminals or the cost of legal liability. Rather, the true cost is the combination of all systems and people impacted.
Cyber-attacks are no longer a matter of “if” but a matter of “when.”
As such, understanding the threat, the uses of the data, the impact of the incident, and the breakdown of the costs is pivotal to the resilience of a company.