Cyber crime may now cost the world almost US$600 billion a year, up from US$445 billion three years ago.
And, despite regular headlines announcing a new data breach, the report says cyber crime isn’t the most lucrative illegal activity. Beating it are government corruption and narcotics, the report says, citing numbers from the International Monetary Fund.
“Where cybercrime is the undisputed leader,” adds the report, “is in its ability to make hundreds of millions of people victims. A good estimate is that two-thirds of the people online—more than two billion individuals—have had their personal information stolen or compromised. One survey found that 64 per cent of Americans had been victims of fraudulent charges or loss of personal information.
“Cybercrime also leads in the risk-to-payoff ratio. It is a low-risk crime that provides high payoffs. A smart cybercriminal can make hundreds of thousands, even millions of dollars with almost no chance of arrest or jail.”
Why? Because, the report says, “Cybercrime remains far too easy, since many technology users fail to take the most basic protective measures, and many technology products lack adequate defences, while cybercriminals use both simple and advanced technology to identify targets, automate software creation and delivery, and monetization of what they steal.”
Use of digital currencies is helping criminals launder stolen money and data, the report adds.
As for what organizations and individuals can do, the report says:
■ Uniform implementation of basic security measures (like regular updating and patching and open security architectures) and investment in defensive technologies—from device to cloud—remain crucial. “Protection against most cybercrimes does not require the most sophisticated defences;”
■ Increased international law enforcement co-operation with the private sector and other nations is needed, as well as improved collection of aggregate data by national authorities. There is the Budapest Convention on Cybercrime, but the report notes Russia, China, Brazil and India haven’t signed;
■ Greater standardization (threat data) and coordination of cybersecurity requirements would improve security, particularly in key sectors like finance;
■ State sanctuaries for cybercrime must come under pressure from the international community to change their behavior and co-operate with other nations’ law enforcement agencies. This means imposing some kind of penalty or consequence on governments that fail to take action against cybercrime. “In the case of Russia and North Korea, we have exhausted the portfolio of sanctions, and new penalties must be devised.”
“Without these kinds of action,” warns the report, “cybercrime will continue to grow as the number of connected devices grows and as the value of online activities increases.”
The report says cyber crime continues to expand because attackers have quickly adopted new technologies, such as cloud computing (leading to crimeware-as-a-service), artificial intelligence and encryption. There is a growing number of cybercrime “centres,” which now include Brazil, India, North Korea, and Vietnam.
The conclusion that cyber crime amounts to almost US$600 billion is based on models that include estimates of the loss of intellectual property and business confidential information, of online fraud and financial crime including from stolen personal data, financial manipulation using stolen corporate data, the cost of disruption from attacks, the cost of securing networks and paying for recovery from cyber attacks, and reputational and stock damage to organizations.
However, it admits the estimates could be off because countries under-report cyber crime.
Many infosec experts are leery of attributing specific cyber attacks to nation states. Not the author of this report, who says the Center for Strategic and International Studies believes Russia, North Korea, and Iran are the most active in hacking financial institutions. “Hackers in these countries, whether affiliated with the state or not, account for much of the cybercrime that occurs in the world. Until these nation-states change their behavior, either by stopping state support for hacking or by enforcing laws against criminal hackers, cybercrime will remain a major international problem.”
The exact level of cyber crime in Canada isn’t known because organizations don’t have to report data breaches. That is expected to change sometime this year when the federal government finally proclaims regulations on the new mandatory data breach reporting law. It will be another year before the federal privacy commissioner, who gets a copy of each report, issues an annual report. But the McAfee report notes that Australia, which has a data breach reporting law, said it received 24,000 reports of cyber crime in the first half of 2017 alone.
Accenture surveyed Canadians last year and reported that more than one-third (36 per cent) of respondents said they had been a victim of cybercrime in the last three years.