2020 Initiates a Banner Year for Cybercrime
The McAfee report “The Hidden Costs of Cybercrime” states that the annual monetary loss from cybercrime will “reach around $945 billion in 2020.” Compare that figure with the $145 billion estimated to be spent on cybersecurity. It is also more than a 50% increase over the overall cost of $522 billion recorded in 2018. What accounts for this increase? Let’s take a look.
Cybercrime Expands Geographically
COVID-19 forced most organizations to implement work from home (WFH) initiatives. Security techniques, controls, resident software, and systems now have to deal with dispersed users. Those users did not have a common set of hardware and software when working from home, and remote users may have shared their endpoints with others. Security procedures and training were not up to date with the security requirements of the organization.
Enter the Zoom era, in which unified communications and conferencing expanded significantly and became an integral part of business. Not all conferencing systems are equally secure. Listening in on conference sessions can leak valuable information about the organization and its operations. Phishing schemes became more sophisticated and more successful, especially where the user shared the endpoint. It’s a free-for-all.
What Happened; Do We Know More?
Cybercrime financial reporting has improved as more countries and organizations report cybercrimes. The criminals are improving their techniques, adopting more effective methods of circumventing the efforts of organizations. Ransomware and phishing campaigns are exploding. As cybercrime increases, more knowledge about the criminals’ activities becomes visible. At the same time, more cybercrime gets committed. No organization is immune.
The McAfee Report
The report shows a substantial increase in annual cybercrime costs:
- $300 billion in 2013
- $475 billion in 2014
- $522.5 billion in 2018
- $945 billion in 2020
This is a 50% increase in the last two years.
McAfee surveyed 1,500 organizations. Surprisingly, only four percent claimed they did not experience a cybercrime incident in 2019. Malware and spyware produced the highest cost to organizations, followed by data breaches. Most survey respondents (92%) identified damage beyond the financial. The largest non-monetary losses were in productivity and lost work hours. The average service interruption was 18 hours, costing more than half a million dollars.
The survey reported that most organizations do not have plans in place to reduce the effect of security incidents. Some IT executives believe that some departments are not notified of IT security incidents at all. Of the 951 organizations that had a response plan, only 32% reported that it was effective.
The effort spent creating and deploying a cybercrime incident plan should be proportional to the expected cost if an incident is successful. There is a long list of direct out-of-pocket costs: reduced productivity, system downtime, incident response labor and software, consultants, legal advice, fines and penalties, and cyber insurance. There are also costs that are harder to determine but should still be calculated, including brand and reputation damage, intellectual property loss, and reduced employee morale.
It’s hard to calculate how much should be budgeted to deal with cybercrime. I suggest you add up all the costs that a single incident may produce and compare it to your security investments.
Looking at the report, organizations spent $145 billion on cybersecurity, but the losses from cybercrime were $945 billion. Interpret this as a 15% investment to prevent a cybercrime incident. Are you spending 15% of your potential loss on your cybercrime budget? Spending any less invites potential losses.
The User Problem
Various reports and surveys estimate that about 50% of security problems trace back to user negligence, mistakes, malicious behavior, or inadequate training. Never assume that training has been fully absorbed. It should occur more than once a year, and all new users should complete training before being allowed to access systems and data.
But user training isn’t enough if it is not adequately tested. Each user should be tested on a pass/fail basis, where one mistake equals failure, because a single mistake can lead to a security breach. The question for your organization is, “what happens to a user who causes a security breach?” I don’t think a reprimand is enough. Invest heavily in your users, as it may be one of the most effective and least expensive solutions.