Estimates of just how much cybercrime costs the global economy each year are notoriously unreliable. Depending on who’s doing the counting and what they’re factoring in, figures ranging from $250 billion to as high as $358 billion and even $1 trillion have been published by companies such as Symantec, McAfee and others.
But from the point of view of the average company doing business in Ireland, are figures such as these meaningful? Just exactly how big a problem is cybercrime, and how much damage in monetary terms does it cause?
Answering this question is notoriously difficult. The only way to gather information on an issue like this is by inviting companies to take part in surveys, but what company is going to volunteer its experiences as the victim of a cybercrime if it can avoid it?
Despite this, several security companies have ploughed on, setting up surveys and collating results. Because of the arbitrary nature of survey response, there has been much criticism of this form of information gathering when it comes to IT security.
Faithless
Microsoft researchers Dinei Florencio and Cormac Herley were recently quoted as saying that "our assessment of the quality of cybercrime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."
The pair wrote this in a paper they titled ‘Sex, Lies and Cyber-crime Surveys’, named for the problem facing researchers trying to accurately document both cybercrime and human sexuality: people tend to lie in surveys when they’re embarrassed by the questions asked.
The most recent survey to look at the scale of the problem in Ireland, Deloitte and EMC’s Irish Information Security and Cybercrime Survey, was published in July 2012 and actually came up with the figure of €41,875 as the average cost per organisation of a security incident in the past year. Is that a reliable figure? According to Deloitte, not really; it’s more of a starting point.
"We intend to run this survey annually. We consider it a starting point to build from, and we intend to make the survey and its findings more statistically and scientifically valid as we go forward," said Colm McDonnell, partner and head of enterprise risk services for Deloitte.
"We asked people what was the cost of their individual incident and then we averaged those out. It was useful to do but like any survey, it’s not terribly scientific. For a start, what do you include in that cost? Some people include legal costs resulting from cybercrime incidents and others don’t because they’re big enough to have in-house lawyers.
"There is the cost of sanctions or fines payable for having lax security, there’s the cost of communications with customers. Do you count all that? People find it useful to put a figure on it, to establish a point from which to benchmark, but when we look at individual answers within the survey there is significant variation. Some of the answers were ten or twentyfold that figure," he said.
Year on year
According to McDonnell, when the next Deloitte EMC survey is published, one major change will be how they arrive at that figure. Instead of using a monetary amount to represent the average cost of a security issue, they intend to use a percentage of company profits.
"We think the figure of €42,000 per incident undervalues the actual cost, so we’re going to look at costs as a percentage of profit. If you’re a big company or a small company, knowing that cybercrime could cost you 10 or 20 per cent of your profit is a much more meaningful figure than saying it costs 40 something thousand per incident."
This will also reflect the fact that costs and consequences for suffering a cybercrime incident change according to industry.
"If you’re an IT-centric organisation seeking to grow through technology channels, and you’re publicly embarrassed through a cybercrime incident, then you’re left in a very awkward place. But if you’re not an IT-centric business, if you’re just a normal business that uses IT to assist with management and maybe communications, then it’s a different thing."
"There is no average cybercrime incident; they’re all individual and affect the victim company differently. One might be a small loss of inconsequential data and another could be a business-closing data outage lasting three or four weeks."
Nine digit number
According to Dermot Williams, managing director of Threatscape, part of the problem with cybercrime surveys is the blurred line that exists between general IT security and cybercrime prevention.
"If a company gets hit by a virus that rattles its way around its computers, shuts down operations for a few days and creates a business loss, is that cybercrime or are we only talking about incidents where someone hacks in, accesses financial information or intellectual property or makes off with cash from the company’s bank accounts?" he said.
"It’s sometimes very hard to say where one starts and the other ends, although occasionally it’s totally unequivocal. If you look at Sony, it actually disclosed last year in one of its quarterly filings the cost of its security breach: $171 million. That’s a nine-digit number on its balance sheet, so it’s a concrete number that wouldn’t have been incurred if the incident hadn’t happened."
Williams says that he has to be able to put concrete facts and figures regarding IT security and cybercrime risk on the table when dealing with customers.
"We help people prevent this kind of thing from happening and part of that is quantifying what the cost would be of not being prepared. Our ability to do that has to be based on concrete examples, otherwise it comes off as hot air. I hate the game playing that goes on where some company comes out with a survey and an estimate that becomes the headline for twenty stories on the web. Suddenly, people start throwing around figures and averages which are used to push marketing," he said.
"These statistics can’t be authoritative because sensible companies that suffer these problems don’t want to talk about them. So those surveys can’t be representative; they’ve just pulled figures out of the air and tied a neat bow around them. I don’t want to talk down the problem, because it is a real problem, but a lot of this is scaremongering. There are real costs there and real risk without needing to exaggerate them."
Data protection
For Irish companies, one of the easiest costs to predict as a result of suffering a major data loss is that associated with meeting the legal obligations imposed by the Data Protection Commissioner.
"If you lose what’s described as Personally Identifiable Information (PII), over a threshold of a certain amount of information, you must notify the Data Protection Commissioner and you must notify the people who were directly affected. That’s an actual cost because if you don’t do it, you can be fined. We saw that happen recently with eircom for the loss of a laptop," said Williams.
"On top of that, there’s the reputational issue. You have to write a letter to your customers, to the people you rely on for your very existence, saying that you lost something that is potentially very valuable to them. In an increasingly information-centric world, it’s very easy for customers to move their business and they will if they feel they need to. That’s a real risk and a real cost."
According to Williams, the Sony incident in 2011 created some interesting ripples in the corporate world, above and beyond shock that such a big global name could fall so hard. He says there was a subtle change in the kind of enquiries Threatscape received.
"There was a change in the type of people asking us about IT specific security. Instead of such queries coming from the IT department, we started to get them from marketing people and from the board. People who previously didn’t think or care too much about the IT department suddenly realised that if attention wasn’t given to this it could sink the company."
"That’s a fascinating development and it reflects the increasing role IT plays in the world we live in."
Narrow focus
A further development to have taken place in the area of cybercrime is that the profile of company that’s being targeted has started to change. According to Orla Cox, senior manager with Symantec Security Response, where before smaller companies were rarely specifically targeted by cybercriminals, that’s no longer necessarily the case.
"We’ve seen the incidents of this double in the last six months. Smaller contractors and businesses which are suppliers to larger organisations are being targeted because they’re seen as stepping stones to those larger organisations," she said.
"Employees from those small businesses have access to the larger organisations they work with and from a security point of view, they’re actually extensions of the larger organisation’s network. But while their security measures may be fine for a small company, they’re usually not proportionate at all to the risk they pose to the larger companies they work with. It can be a wake-up call, that this is now how the world works," she said.
Cox points out that it is in smaller companies that you typically find the laxest approach to security, and cyber criminals seeking to specifically target large companies know this.
Looking up
"We have seen sophisticated attacks where the attackers do their homework and single out specific companies for attack because they perceive them to be the soft underbelly of the larger companies they work with and they know it’s unlikely they’ll meet much resistance. Once they have accessed that smaller company’s systems, they can send legitimate-looking emails and that can be enough to get them in the door of the larger company."
All this sounds quite dramatic but Cox says that Symantec sees between 100 and 120 incidents of this happening around the world each month. The payload delivered through the smaller company is usually an email with an attachment that wouldn’t otherwise be opened. But because it’s seen as coming from a trusted source, the recipient is likely to override security and open the attachment.
Meanwhile, Williams of Threatscape points out that where there is a means to make money, cyber criminals have an almost endless capacity for ingenuity.
"Often people don’t realise the value of the digital assets they have. Take the unlikely case of carbon credits trading," he said.
Under environmental legislation, there is a limit to how much greenhouse gas companies can emit. If they exceed this limit, they can purchase carbon credits from other companies that produce fewer greenhouse emissions than they do. This market is worth billions of dollars each year internationally and carbon credits are widely traded.
Emissions trading
"This obviously isn’t a core part of how these companies do business. But then someone managed to use a spoof email purporting to be from the German Emissions Trading Authority to get these companies to re-register their account details at a phoney website. They got their login details and then fraudulently bought and sold credits in their name. At least seven companies fell for it and the people behind the scam managed to get away with several million dollars," said Williams.
"So far this sounds like a normal phishing attack, but if you asked the CEO of the companies that got ripped off about their carbon credits trading activities, they probably wouldn’t have known much about it. But some junior executive clicked on the wrong link and lost an enormous amount of money. This is the level of ingenuity that cyber criminals routinely display."