The UK government has today published a report into the cost of cybercrime, concluding that the overall cost to the UK economy from cybercrime is £27bn per year.
Wow. £27 billion a year is a huge amount of money. It’s even more staggering when you compare it to other problems that Britain faces. For instance, drug-related crime is estimated to cost the UK £13.9 billion a year.
Unfortunately the report, which was compiled for the Office of Cyber Security & Information Assurance by security consultancy Detica, doesn’t give any real detail of how it came by the number.
It does break the £27 billion cybercrime total down into different categories – for instance, £9.2 billion comes from theft of intellectual property (IP), and £7.6 billion is calculated for industrial espionage – but the report acknowledges that calculating such figures is “complex” because such incidents are typically not reported.
Well, hate to ask an obvious question but… if they’re not being reported, how have they been counted?
Yes, IP theft and industrial espionage are real concerns for businesses, and cybercriminals are perfectly capable of engaging in them, but there needs to be a proper mechanism for reporting cybercrime (both for home users and businesses) before we can begin to whisk up grand totals like this.
Maybe I’m being a bit cheeky comparing the cost of cybercrime to the cost of fighting drugs, especially as the report itself doesn’t make the comparison.
However, there has been an ongoing myth, repeated time and time again, that the money made by cybercriminals exceeds that of the global drugs trade, so it seems fun to compare the cost of cybercrime with the cost of the war against drugs. 🙂
The UK government report into the cost of cybercrime is right that businesses need to take the threat seriously. It’s not just the spam and malware attacks that trouble home users, which can cause problems in the office environment too. It’s also about hackers gaining remote access to your company systems, spying on your activities and stealing information. These are serious concerns.
And although I cast a querulous eyebrow at the statistics being given in the report (at least, I’m fascinated as to how they were calculated), where I strongly agree with the report is in its conclusion that a proper picture of cybercrime in the UK needs to be built up.
Businesses often don’t report cybercrime because they are worried about the damage to their reputation. Home users don’t report phishing attacks and virus infections because they think no-one gives a damn, or don’t know to whom they should turn.
An accurate measure of cybercrime is required in order to provide the proper support that computer users – in business and at home – need to defend against the threats. Once we know the true scale of the problem, and can produce reports that aren’t dealt with skepticism, we can fund the computer crime authorities appropriately, and we can begin to measure if the UK’s attempts to fight the problem are really working or not.
You can download the “Cost of Cyber Crime” report for yourself from the Cabinet Office’s website.
Whilst this figure may seem vast, the fact remains that organisations need to protect against cyber attacks, to protect the company information rather than sourcing the attack point. With attacks being encountered by the UK government, NASDAQ and London Stock Exchange, APTs such as Night Dragon are on the increase, so protection policies should be introduced as such; 2011 should certainly be the year for organisations to invest in cyber security.
I couldn’t agree more with you Graham, especially on the point of getting more accurate measurements of cybercrime. I feel that there are far too many actions that are based on rumors and unscientific measures. After all, how can we battle something when the input we get is based on potentially inaccurate data?
The lack of accurate data may also cause organizations to focus on the “wrong” risks. As an example, a perceived increased risk of Chinese hacking and cyber espionage may drift the focus away from the real “down-to-earth” issues, say like wide privileges, lackluster change management or the accountant with a gambling problem. After all, most businesses are far more prone to the latter threat than the former.
My personal experience is that businesses are far too worried about their reputation to share data about breaches. They need to overcome that fear and open up; in order to beat the bad guys they must share intelligence on what’s really happening. It may seem counterintuitive, but it’s the only way to gain an accurate threat picture and start addressing the real issues.