The cost of cybercrime has surpassed $1 trillion globally since 2018, a new report by McAfee concludes. The report, "The Hidden Cost of Cybercrime," says cybercrime's cost to the global economy has increased 50% during the past two years.
The report, conducted in partnership with the Center for Strategic and International Studies (CSIS), also explored the damage reported beyond financial losses, finding 92 percent of companies felt effects beyond monetary loss.
“The severity and frequency of cyberattacks on businesses continues to rise as techniques evolve, new technologies broaden the threat surface and the nature of work expands into home and remote environments,” says Steve Grobman, senior vice president and chief technology officer at McAfee. “While industry and government are aware of the financial and national security implications of cyberattacks, unplanned downtime, the cost of investigating breaches and disruption to productivity represent less appreciated high impact costs. We need a greater understanding of the comprehensive impact of cyber risk and effective plans in place to respond and prevent cyber incidents given the hundreds of billions of dollars of global financial impact.”
The report was created from information gathered by surveying 1,500 IT professionals around the world.
Companies Unprepared for Cyber Incidents
Through the research and analysis, the report found a lack of organization-wide understanding of cyber risk. This makes companies and agencies vulnerable to sophisticated social engineering tactics and, once a user is hacked, to not recognizing the problem in time to stop the spread.
According to the report, 56% of surveyed organizations said they do not have a plan to both prevent and respond to a cyber incident. Out of the 951 organizations that actually had a response plan, only 32% said the plan was effective.
The report concludes with key ways for businesses to deal with cybercrime. These include uniform implementation of basic security measures, increased transparency by organizations and governments, standardization and coordination of cybersecurity requirements, providing cybersecurity awareness training for employees, and developing prevention and response plans.
The Hidden Costs of Cybercrime
The theft of intellectual property and monetary assets is damaging, but some of the most overlooked costs of cybercrime come from the damage to company performance. The survey revealed 92% of businesses felt there were other negative effects on their business beyond financial costs and lost work hours after a cyber incident. The report further explored the hidden costs and the lasting impact and damage cybercrime can have on an organization, including:
- System Downtime: Downtime is a common experience for around two thirds of respondents’ organizations. The average cost to organizations from their longest amount of downtime in 2019 was $762,231. Among survey respondents, 33% stated IT security incidents resulting in system downtime cost them between $100,000 and $500,000.
- Reduced Efficiency: As a result of system downtime, organizations lost, on average, nine working hours a week leading to reduced efficiency. The average interruption to operations was 18 hours.
- Incident Response Costs: According to the report, it took an average of 19 hours for most organizations to move from the discovery of an incident to remediation. Many security incidents can be managed in-house, but major incidents can often require outside consultants with high rates that form a significant portion of the cost of a large-scale incident.
- Brand and Reputation Damage: The cost of rehabilitating the external image of the brand, working with outside consultancies to mitigate brand damage, or hiring new employees to prevent future incidents is part of the cost of cybercrime. Of the respondents, 26% identified damage to brand from the downtime experienced because of a cyberattack.
Who are the Cybercriminals?
Several countries have lax laws and punishment for cybercrime, creating hotbeds of criminals in those regions.
According to the report, cybercriminals are "highly regimented, with team leaders, coders, network administrators, intrusion specialists, data miners, and even financial specialists leading vast organizations of multinational hackers. More recently, some previously unconnected groups have started collaborating with each other in order to increase their activities and profit. In China alone, an estimated 400,000 people work in rapidly growing organized cybercrime networks."
For example, in Nigeria, "unemployment, poor implementation of laws, and inadequately equipped law enforcement agencies help explain why cybercrime can flourish," the report states.
Business Email Compromise
There has been an increase in business email compromise (BEC) in recent years, according to the report.
"Typically, these schemes target a company’s human resources department or payroll department by posing as an employee asking to change their direct deposit information," the report states. "Next, the employee’s paycheck is wired to a fraudulent prepaid card account. Other forms of BEC scams include spoofed vendor and lawyer email accounts, W-2 form requests, and fraudulent requests for gift cards. This allows for cybercriminals to send emails impersonating any employee — from new hires to the CEO."
In one instance, cybercriminals infiltrated the CEO's account and sent several emails to the accounting department impersonating the CEO and requesting money wire transfers. The accounting department believed the requests to be legitimate and transferred more than $10 million.
McAfee commissioned independent technology market research specialist Vanson Bourne to undertake the research that this report is based on.
The quantitative study was carried out between April and June 2020, interviewing 1,500 IT and line-of-business decision makers. Respondents came from the US (300), Canada (200), the UK (200), France (200), Germany (200), Australia (200) and Japan (200). Respondents’ organizations have 1,000 or more employees and were from all sectors except construction and property. However, only IT decision makers were interviewed in the government sector.
Interviews were conducted online using a rigorous multi-level screening process to ensure that only suitable candidates were given the opportunity to participate.
Additionally, CSIS utilized a survey of open source material on losses accompanied by interviews with government officials, and an estimate adjusted by national income levels using International Monetary Fund (IMF) income data to determine the cost of cybercrime.