Cybercrime continues to be an increasingly lucrative business for criminals and nation-states, according to a survey by McAfee.
Using publicly available reports on losses and not-for-attribution interviews with cybersecurity officials, the company says it estimates the monetary loss to organizations and countries from cybercrime last year was approximately $945 billion (all figures in U.S. dollars), a 50 per cent hike in two years.
The total represents not only losses from monetary assets (including cash theft and ransomware payments) and intellectual property but also system downtime, incident response costs, reduced efficiency and hits to brand reputation. Despite global spending on cybersecurity that is expected to exceed $145 billion in 2020, the longest average interruption to operations was 18 hours, averaging more than half a million dollars per victim organization.
In the report, called The Hidden Cost of Cybercrime, the authors admit part of the increase can be accounted for by better reporting, as well as by better tactics by attackers, including the successful use of phishing schemes and ransomware.
Despite knowing that cybercrime is a fact of doing business, researchers found that most organizations don’t have plans in place to mitigate the impact of security incidents on their operations.
“In fact, IT decision-makers think some departments are not made aware of IT security incidents,” the report reads. “Amazingly, slightly more than half of the surveyed organizations said they do not have plans to both prevent and respond to a cyber incident.”
Some 1,500 organizations were surveyed for the report. Out of the 951 that had a response plan, only 32 per cent said the plan was actually effective. Usually, the report adds, the board or the C-suite was not involved in developing the plans.
“One of the biggest challenges is the lack of an organization-wide understanding of cyber risk,” says the report. “This makes companies and agencies vulnerable to sophisticated social engineering tactics, and, once a hack has succeeded, they fail to recognize the problem in time to stop the spread of malware. The increased (and unavoidable) use of personal devices, such as smartphones or tablets, expands the attack surface and complicates the management of cybersecurity. The time and cost of recovery can be considerable and can often involve outside organizations specializing in cybersecurity, public relations, and legal teams.”
Only 44 per cent of the survey respondents said that they have plans in place to both prevent and respond to IT security incidents. Although 32 per cent of decision-makers said the organization has a plan to prevent IT security incidents, the report argues they do not seem to be as prepared to respond, because only 19 per cent said a response plan exists. And these plans were not regarded as useful or successful: only 32 per cent of the respondents found their organization’s plans to be completely successful in responding to IT security incidents. And, although most (62 per cent) consider them “somewhat successful,” this speaks to room for improvement, say the report’s authors.
“The reality of cybersecurity is that we cannot eliminate risk. At best, we can manage it. Publicly available information suggests that a few firms have lost hundreds of millions of dollars and many more firms have lost tens of millions of dollars, but these losses have so far proven to be manageable,” the authors wrote. “Relatively basic measures could improve performance—better cyber hygiene and, as our survey found, better planning and greater awareness among employees of the cost of cybercrime.”