Cybercrime: still only a tiny percentage of GDP, but it's growing

The annual cost of cybercrime is either staggering, or a mere blip on the world's economic bottom line, depending on how you look at it.

It is notoriously difficult to quantify, since a majority of cybercrime incidents go unreported, some companies don't even realize they have been compromised and many are not able to put a dollar value on intellectual property (IP) that they still have, but is now also in the hands of a competitor, a thief or another nation state.

But most estimates put global losses in the hundreds of billions of dollars. One report released last month, by the Center for Strategic and International Studies (CSIS) and titled "Net Losses: Estimating the Global Cost of Cybercrime," puts it between $375 billion and $575 billion.

That, on the high end, would make it more than the U.S. defense budget. It would be more than the entire economies of many countries. And the report's authors say while it is possible they have overestimated that cost, they believe it is far more likely they have underestimated it.

Even so, the losses for most individual countries, including the U.S., amount to less than 1% of gross domestic product (GDP). For the U.S. it is estimated at 0.64%. The worst of the G20 countries is Germany, at 1.6%. By some reckoning, that could be viewed simply as another minor cost of doing business.

That, in essence, is the view of Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. "When I hear about the massive cybercrime problem, I want to know what specifically do you mean?" he said. "If we are going to take the IP loss as seriously as they want us to take it, we need to know how it was actually used."

Healey said that estimating the real economic cost of cybercrime has been almost impossible for decades. He said it has had a range of two orders of magnitude since 1988. "We really don't have a good answer," he said.

But he does agree with other experts and with reports that say the raw number matters less than the trend, which is that losses from cybercrime are increasing.

TK Keanini, CTO of Lancope, is among them. "The important point here is that it is trending in the wrong direction and the rate is increasing year over year," he said.

He added that some companies were damaged so badly by cybercrime that they are no longer in business. So, for individual companies, "that is a much greater number than 0.64% in my book," he said.

More worrisome is that a majority of companies, while their leaders express heightened concern about cyber attacks, are not taking security measures that have been recommended by experts for years.

A second report by PwC, also released in June, titled, "US Cybercrime: Rising Risks, Reduced Readiness" (CSO is a cosponsor of the report, along with the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the U.S. Secret Service), did not attempt to estimate total global or U.S. losses, but found that, "7% of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, compared with 3% of global organizations; furthermore, 19% of US entities reported financial losses of $50,000 to $1 million, compared with 8% of worldwide respondents."

There are a number of reasons suggested for the growth in cybercrime. One is that defenders are, effectively, outgunned. The PwC report, based on a survey of more than 500 U.S. executives, security experts, and others from the public and private sectors, was blunt: "The cybersecurity programs of U.S. organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries," it said.

According to the CSIS report, the incentives are with the attackers. "Cybercrime produces high returns at low risk and (relatively) low cost for the hackers," it said, while for companies, it is a business decision based on their perception of their risk.

"The problem with this is that if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk," the report said.

Many are indeed unaware of their risk, according to PwC, which reported that, "the FBI last year notified 3,000 US companies ranging from small banks, major defense contractors, and leading retailers that they had been victims of cyber intrusions." In other words, they didn't discover the intrusions on their own.

And that lack of awareness apparently leads to broad failures to implement even fundamental security practices, practices that have been recommended by the U.S. Commerce Department's National Institute of Standards and Technology (NIST). The PwC survey found that 54% of respondents don't provide security training for new hires, and only 20% train on-site first responders to handle potential evidence.

Only half reported having a plan to respond to insider threats, and fewer than 40% reported that they have a mobile security strategy, encrypt devices and have mobile device management.

It found that many organizations, including utilities and operators of other critical infrastructure, are using outdated software like Windows XP, which is no longer supported, even though the warnings about the end of support were issued six years in advance.

And relationships with third parties are lax, and getting worse. The survey found that only 44% of companies have a process for evaluating third parties before they launch business operations with them. That is down from 54% the previous year.

Only 31% reported including security provisions in contracts with external vendors and suppliers, and a mere 27% conduct incident-response planning with supply chain providers.

To counter, or even slow, the growth of cybercrime, experts agree that a much larger percentage of organizations need to implement those basics, what most of them call "security hygiene." Tom Bain, senior director at CounterTack, said it is important to remember that much cybercrime is not all that sophisticated, such as SQL injection and basic malware, "like a Trojan that has been around in millions of variants for years. It doesn't always have to be a sophisticated attack, or executed with precision and stealth," he said.

But beyond that, Bain said companies could actually turn the tables by, "applying stealth methods of monitoring, and doing that at-scale, so that organizations can essentially spy on attackers."

Keanini recommended "treating cybercrime as a business problem, as a competitor or disrupter to one's business continuity, is the first step."

"Attackers are more than anything beating defenders by their innovation and creativity," he said. "It is time that defenders meet them on these terms and outplay them for once."

Healey believes that the market, not government regulation, has the best chance of making companies take cybersecurity seriously, and that the most effective way to achieve it is through shareholder pressure.

In a recent column in U.S. News & World Report, he argued that the road to real reform should start in Omaha, Nebraska, home to the iconic "Oracle of Omaha" Warren Buffett, and then proceed to Sacramento, Calif., home to one of the nation's most activist investor groups, CalPERS (California Public Employees' Retirement System).

If Buffett, famously risk averse, were to reject investments in companies that didn't take cybersecurity seriously, "every other investor, corporate board director and executive would take notice," he wrote. "Perhaps not even President Obama could command such attention on the issue."

CalPERS, he said, even when it is a minority shareholder, has been effective in a grassroots way in pressing companies to change policies or actions that it believes will hurt the long-term value of its shares.

"I think that's a great approach," Healey said. "Convince shareholders that they're at the risk of losing." Companies are much more likely to respond to that kind of pressure than to another round of government regulations, he said.

"I say let's start with market solutions," he said.

Stories by Taylor Armerding