How cybercrime will cost the world $1 trillion this year

Including both financial losses and cybersecurity spending, the $1 trillion in costs will represent a 50% increase over 2018, says McAfee.


As individuals and organizations alike face cyberattacks on a regular basis, cybercrime exacts a huge financial toll around the world. Security firm McAfee estimates the annual cost for 2020 at $1 trillion, a figure that includes both the losses themselves and the amount of money spent on cybersecurity. In a new report released Monday, McAfee reveals the costs of cybercrime and offers advice on how to better protect your organization.


In its report entitled "The Hidden Costs of Cybercrime," McAfee says that the annual monetary loss from cybercrime will reach around $945 billion for 2020. Add in the $145 billion expected to be spent on cybersecurity, and this type of crime will cost the world economy $1 trillion this year. This figure will be more than 50% higher than the total cost of $600 billion seen in 2018.

Why such a surge? McAfee offers several reasons. First, the actual reporting of the financial effects of cybercrime has improved as more countries and organizations are reporting such crimes. Second, criminals are adopting more effective techniques to pull off their illegal activities. Third, ransomware and phishing campaigns are skyrocketing, with attackers targeting healthcare organizations, pharmaceutical companies, schools, medical research facilities, and local governments.

To compile its data, McAfee analyzed publicly available information on cybercrime losses as well as interviews from cybersecurity officials. But the company also relied on a survey of 1,500 companies.

Among the respondents, only 4% said that they hadn't experienced any kind of cyber incident in 2019. The damage resulting from malware and spyware accounted for the largest expense of those that were hit. But there are other costs beyond financial ones. Those surveyed said their biggest non-financial losses were in low productivity and work hours. The longest average interruption to business was 18 hours, wasting more than half a million dollars.

Looking at the specific types of losses, system downtime affected around two-thirds of the respondents. The average cost of downtime in 2019 was $762,231. A third of those surveyed said that downtime cost them between $100,000 and $500,000.

Reduced efficiency was a key side effect of system downtime. On average, organizations lost around nine working hours a week as a result, while the average interruption to operations lasted 18 hours.

Incident response costs also took a toll, as organizations spent an average of 19 hours, from the time it took to uncover a cyber incident to the time it took to actually remediate it. Some are able to manage cyberattacks in-house, but others must turn to high-priced security consultants for help, which adds to the overall cost.

A successful cyberattack can also inflict damage on an organization's brand or reputation. In such cases, the victim has to spend time and money restoring their image, calling on outside consultants to fix the damage, and even hiring more employees to help prevent future attacks. A quarter of the respondents said their brand was damaged as a result of downtime due to a cyberattack.

Despite the rise in cyberattacks, many organizations still aren't prepared or equipped to fend off such attacks. In some cases, there may not be a full understanding of cyber risk throughout the company, leaving it vulnerable to social engineering tricks and other common tactics. More than half of the people polled said their organization does not have a plan to prevent and respond to a cyber incident. Among the rest, only 32% said that their plan was effective.

"The severity and frequency of cyberattacks on businesses continues to rise as techniques evolve, new technologies broaden the threat surface, and the nature of work expands into home and remote environments," McAfee's senior VP and chief technology officer, Steve Grobman, said in a press release. "While industry and government are aware of the financial and national security implications of cyberattacks, unplanned downtime, the cost of investigating breaches, and disruption to productivity represent less appreciated high impact costs."

To help organizations better stave off cyberattacks, McAfee offers several recommendations.

  • Start with best practices. Organizations need to start with the following measures: 1) Uniform implementation of basic security measures; 2) Increased transparency; 3) Standardization and coordination of cybersecurity requirements; 4) Cybersecurity awareness training for employees; 5) Prevention and response plans.
  • Implement basic security measures. Another place to start is with basic measures. Multifactor authentication and backups are essential and go a long way toward reducing many of the losses from cybercrime.
  • Communicate properly within the organization. Communication of a cyber incident across an organization and the different relevant stakeholders is necessary if all the affected parties are to know what to expect and how to respond.
  • Cybersecurity training for employees. One of the biggest challenges is a lack of organization-wide understanding of cyber risk. Around 500 of the respondents said that a lack of user knowledge contributed to the success of cyberattacks. This has become more of an issue as employees increasingly use personal devices that expand the attack surface and vulnerable endpoints.
  • Streamline security tools. Large organizations use an average of 47 different cybersecurity tools, sourced from around 10 different vendors. That can create interoperability issues and impact the effectiveness of the products.
  • Elaborate prevention and response plans. With many respondents admitting that they have no plan or no effective plan in place to prevent and respond to cyberattacks, this is an area for improvement. Without a proper plan, an organization hit by an attack is left floundering as it tries to decide how to react to and mitigate the problem.
