IBM’s former executive chairman and CEO, Ginni Rometty — who created a 6000-strong Security Business Unit at IBM to counter cybercrime in 2015 — described data as a game-changing source of competitive advantage for the 21st century. Rometty noted that cybercrime is and should be the biggest threat to every industry and organization.
According to Cybersecurity Ventures, the world will store 200 zettabytes of data by 2025, equivalent to one trillion gigabytes or 1021 bytes (1,000,000,000,000,000,000,000). That data has immense value and will continue to be a target for cybercriminals.
One of the trends driving the growth of cybercrime to such an extent that it can destabilize economies is that cybercriminals no longer need advanced technical knowledge to launch attacks. For example, malware is available for purchase via the dark web, or illegal services selling Ransomware-as-a-Service (RaaS) kits that even come with quality assurance, helpdesk support, and money-back guarantees.
This post examines at the economic impact of cybercrime, the national security risks, and what organizations might do to protect themselves and the wider economy from malicious threat actors.
The Economic Cost of Cybercrime
According to the World Economic Forum, cybercrime has grown to such an extent that it can now be described as the world’s third-largest economy, after the US and China. Cybercrime makes far more money than worldwide illegal drug trafficking, counterfeiting, and human trafficking combined.
It’s estimated that cybercrime will make $8 trillion in 2023 and that it could reach around $10.5 trillion by 2025.
To put those figures into perspective, Microsoft — the world’s largest software company and one of the richest firms in the world — reported annual revenue of around $200 billion in 2022. Today, cybercriminals share a pot of more than 50 times Microsoft’s annual revenue.
A single ransomware attack or series of cyber attacks can cost businesses and the economy dearly. The 2017 WannaCry ransomware attack crippled businesses worldwide, including healthcare institutions and tech firms. It affected more than 200,000 computers across more than 100 countries and cost an estimated $8 billion in just four days.
According to the Centre for Strategic and International Studies (CSIS) and McAfee, the economic impact of cybercrime is most severe in Europe, approaching 0.84% of regional GDP. The economic impact of cybercrime in North America is 0.78% of regional GDP.
The Collateral Cost of Cybercrime
In the words of the FBI, cybercrime is a complex global concern involving criminals and nation-states aiming to compromise networks, disrupt critical infrastructure, and steal money and intellectual property.
The FBI cites economic espionage as a major concern. Sponsored by foreign powers, economic espionage seeks to illegally influence a country’s economic policy or steal critical technologies or sensitive data relating to a country’s finance, trade, or economic policy.
It’s difficult to quantify the true cost of cybercrime because its scope is so large, and the standards and definitions are so varied, as are ways of measuring its economic impact.
Cybercrime costs to consider include:
- Damaged IP and confidential company data
- Stolen personally identifiable information (PII)
- Stolen bank account and financial data
- Financial manipulation and insider trading
- Loss of trust
- Business disruption
- Ransom payments
- Corporate smear campaigns, fake news, and political interference via social media
- Cost of recovery after a cyber attack
Furthermore, reporting requirements vary across sectors and countries. For example, evidence suggests that only about 13% of cybercrimes are reported in the UK. This doesn’t include the organizations that avoid admitting to data breaches, fearing reputational damage and losing the trust of their customers.
Another consideration is that many firms don’t know they have been hacked, so they have not reported being a victim of cybercrime.
To estimate the total economic cost of cybercrime, it’s also vital to factor in lost sales or business as a direct result of cybercrime. Potential consumers may avoid shopping online at a certain site because they fear having their money or sensitive information stolen, so shoppers’ attitudes in response to the current cyber threat landscape also impact a country’s economy.
One area of change in the US economy is evidenced by organizations’ massive increases in cybersecurity spending. UpGuard’s 2022 Cybersecurity Spending Survey shows that over half of organizations plan to increase IT spending in 2023. Around 65% intend to increase cybersecurity spending in particular.
To counter more frequent and sophisticated cyber attacks, strategies that are adaptable and able to deal with emerging threats are necessary. International Data Corporation (IDC) estimates that AI in cybersecurity is growing at nearly 25% per year. It expects this to reach a market value of more than $45 billion in 2027.
By 2025, according to Gartner predictions, AI-powered fraud will drive organizations to focus on cybersecurity training and raising information security awareness.
The future is also likely to see increased spending on threat intelligence, including offensive and defensive strategies. Anticipating, mitigating, and preventing attacks proactively by understanding cybercriminals will be key to maintaining information security as cybercriminals leverage new technologies to achieve data breaches.
As ever, prevention is better than cure when it comes to data breaches. Preventing a data breach is typically the better option compared to remediating a data breach, not only due to the high costs of repairing systems but also business disruption, lawsuits, regulatory fines, and reputational damage.
Economic Risks and Areas of Cybersecurity Vulnerability
Billionaire Warren Buffet described cybercrime as the number one problem with mankind, with cyber attacks posing a more significant economic and existential threat than nuclear weapons. Following are some of the key vulnerabilities to the economy and risks posed by modern cybercrime.
The COVID-19 pandemic pushed many organizations into trying work-from-home models on a large scale for the first time. Many organizations have since adopted this model for the long term.
While this has many economic, financial, and lifestyle benefits, it increases cyber risks throughout the US. The use of unsecured devices and cloud-based apps to transmit data has dramatically increased organizations’ attack surfaces.
IoT (Internet of Things) Devices
IoT devices are set to revolutionize industries around the world. With innovations like smart thermostats to improve energy efficiency, laser-precision surgery in hospitals, automatic inventory systems to optimize order fulfillment, and facial recognition security systems for hospitality, the benefits of widespread adoption of IoT technology could be a significant boon to the economy.
These major industries, however, are not the only ones eagerly anticipating the proliferation of IoT devices. Cybercriminals know that IoT devices have significant vulnerabilities they can exploit to gain unauthorized access to networks.
The World Economic Forum recorded 1.5 billion attacks via IoT devices in the first half of 2021, which was up 15% from the previous year. The manufacturing of IoT devices is also currently unregulated, so rapid adoption is coupled with poor onboard security, common configuration issues, and the frequent use of unsecured wifi to connect these devices to networks.
Used extensively in healthcare, education, and manufacturing, the continued and increasing use of IoT devices poses a major cyber risk to critical infrastructure and the economy.
Terrorism and Politically Motivated Attacks
Whereas cybercriminals are generally motivated by financial gain, nation-states attack critical infrastructure to weaken and disrupt countries and states for political or military advantage. The economy is increasingly at risk from harmful cyber attacks launched in the name of terrorism or other political motivations.
Many critical infrastructure operations require real-time data, such as the power grid or an oil pipeline. Disrupting that data can cause significant harm to the economy, the environment, and public safety.
Russia’s latest cyber espionage involvement provides several examples of how politically motivated cyber attacks can destabilize economies.
Colonial Pipeline Ransomware Attack
Sometimes, nation-states sponsor organized hacking groups to launch attacks on economic targets. In one such example, in May 2021, Colonial Pipeline suffered a ransomware attack at the hands of the hacking group DarkSide.
While DarkSide claims its goal is to make money, not societal disruption, the group has been traced to Russia, which has a reputation for being a safe haven for hackers attacking foreign targets.
The ransomware attack caused the suspension of the entire pipeline for almost a week, brought the US to a state of emergency, caused panic buying, and seriously affected oil prices and supplies. Receiving a ransom worth $4.4 million, it is the largest cyber attack on oil infrastructure.
Solarwinds Cyber Attack
The Colonial Pipeline attack took place not long after the 2020 Solarwinds cyber attack, which was suspected of having been sponsored by Russia and has affected thousands of organizations worldwide. Victims included NATO, the US Treasury, and the US Department of Commerce.
SolarWinds supplied software popular with the government and industry. Both Microsoft and Solarwings suffered supply chain attacks that helped hackers launch one of the most severe cyber espionage incidents in the US, lasting around nine months and damaging at least 200 organizations.
Alleged Russian Cyber Attacks on Ukraine
Russia’s war on Ukraine has increased the number of hacking attempts aligned with politics. At the beginning of the conflict, US satellite provider Viasat was hit by a cyber attack that deleted sensitive files.
More recently, the Sandworm gang, which also has links with Russia, used NikoWiper malware to attack the Ukrainian energy sector, coordinated with a missile strike on Ukrainian energy infrastructure.
The Dragonfly hacking group, yet another group alleged to have links to the Russian government, has attacked water and energy distribution in the US, Switzerland, Germany, Turkey, and Ukraine. It also targeted Ukraine with a major Distributed Denial of Service (DDoS) attack, using botnets to cause a blackout for thousands of people.
Ransomware is the fastest-growing type of cyber attack because it’s easier than ever to perpetrate a ransomware attack with Ransomware-as-a-Service available on the dark web.
Launching a ransomware attack requires little to no technical expertise and can be done at scale. This, combined with more sophisticated malware, the anonymity of criminals receiving payments in cryptocurrency, and the increasing size of ransomware demands, poses a serious risk to global economies.
The FBI is particularly concerned about ransomware’s risk to the healthcare sector and first responders. In September 2020, Germany recorded the first death as a result of a ransomware attack on a hospital in Duesseldorf.
According to Sophos’s The State of Ransomware in Healthcare Report 2022, 66% of healthcare organizations it surveyed had been hit by ransomware in 2021 (about the same as the average across all sectors), which is almost a 100% increase over ransomware attacks in healthcare reported to them in 2020.
Sophos also discovered that the healthcare sector pays the lowest ransoms. Unfortunately, this is not due to leniency on the part of attackers but because many businesses in the healthcare industry don’t have the money to pay larger ransoms.
It’s important to note that while individual ransom payments are less than in other sectors, the overall amount paid by healthcare increased by almost 33% in 2021 compared to 2020.
While more than half of these ransom payments were under $50,000, other sectors have seen a 300% increase in the number of businesses paying $1 million or more, from 4% in 2020 to 11% in 2021.
The average ransomware payment is difficult to estimate, evidenced by the varied reports around the world. However, most sources agree on two things:
- The average ransomware payout is approaching $1 million
- This figure continues to rise rapidly
One of the reasons for the increasing size of ransom demands is that cybercriminals not only perform reconnaissance on the firms they attack but also on the firms’ cyber insurance policies so they can customize their demands to match.
Organized Cybercrime and the Dark Web
Among many cases of large-scale cyber attacks on critical infrastructure, German oil companies were subject to BlackCat ransomware and a demand for around $14 million in early 2022, causing serious disruption to the country. And in April 2022, the Russian hacking group Conti encrypted Costa Rican governmental files before demanding $20 million for their safe return.
Increasingly, large-scale cyber attacks are the work of organized crime gangs, often sponsored by governments and nation-states rather than individual cybercriminals. According to the World Economic Forum’s 2020 Global Risk Report, the chances of catching organized cybercriminal entities could be as little as 0.05%.
The dark web, part of the deep web, which is the vast majority of the web that is unindexed and unsearchable by clear web search engines, is significant in the evolution of cybercrime and its impact on the global economy.
Straddling the line between free expression, privacy, and anonymity on one side and criminal activity on the other, the dark web has its roots in providing anonymity for activists, privacy advocates, whistleblowers, and US spies. Many newspapers maintain a presence on the dark web, and much of the activity there is legal.
However, the combination of nearly untraceable cryptocurrency transfers and layers of encryption attracts criminal activity and a growing trade in drugs, stolen data, and hacking services, among other criminal pursuits.
By gathering in the relative anonymity of the dark web, criminal entities are forming, working together, and sharing technologies, techniques, and intelligence to create increasingly sophisticated and paralyzing cyber attacks.
Intellectual Property (IP) Theft
Intellectual property theft is one of the most costly cybercrimes. These attackers can damage and manipulate economies by stealing classified company and government information. Although rare, the impact of IP theft can be very sensitive and far-reaching.
One case occurred in 2021 when biotech company AbbVie accused a competitor, Alvotech, of attempting to steal trade secrets for a new drug by hiring a current Abbvie employee and exploiting his access to sensitive data. According to documents, the Abbvie employee successfully accessed company files by bypassing email security protocols to send confidential drug manufacturing information to Alvotech.
Countries are interested in intellectual property theft because it can allow them to keep up with or outdo competition from other countries without having to put in the financial investment and time for their own product development.
In a military context, stealing intellectual property can give a nation-state the means to understand the capabilities and technology of a military force so as to counter it more effectively.
In addition to stealing data worth millions of dollars, a nation-state using stolen IP for reconnaissance and the development of its own military poses significant risks to the US economy and national safety.
Protecting the Economy From Cyber Threats
Considering the trends of organized crime, their collaboration with nation-states, and their willingness to leverage new technologies, future threats to the economy are likely to be from a merging of terrorism, political activism, and organized crime.
The increase in well-researched and coordinated threats means that organizations need to up their game with company-wide engagement with cybersecurity best practices and investment in information security personnel, policies, procedures, and systems.
Here are some of the top ways organizations of all sizes can prepare for the current and coming challenges of the cyber threat landscape.
Cybersecurity systems need to work smarter, not just harder. Cybercriminals are using the latest innovations to part companies from their data and earnings, so it’s vital that organizations do all they can to spot those attacks from a distance.
With threat intelligence, chief information security officers (CISOs) and other stakeholders can proactively predict and prevent cyber attacks, which is by far the safest and cheapest way to deal with them.
With offensive cybersecurity, businesses use ethical hacking to identify vulnerabilities before cybercriminals do. They then take steps to mitigate or remediate problems without having to deal with an actual full-scale data breach led by a malicious actor.
Knowledge Sharing and Collaboration
For many, IoT technology has highlighted the fact that connected devices increase cyber risk. Essentially, organizations are connected via the software they use, third parties they rely on, their customers’ devices, and every link in the chain of the product or service lifecycle.
To protect individual businesses and the economy, it’s necessary to share information. This means sharing knowledge about emerging threats and reporting data breaches even when there is no legal requirement to do so. With more information about threats, it’s possible to determine patterns, spot vulnerabilities, and predict how and where the next attack might develop.
Governments worldwide must continue communicating and collaborating to take down illegal enterprises and disrupt illicit businesses growing on the dark web, such as the FBI’s historic takedown of the Silk Road 2.0 website. The site had been used by thousands of drug dealers and sellers globally of other illicit goods for two and a half years since 2014, making around $1.2 billion worth of Bitcoin and laundering hundreds of millions of dollars.
By sharing information, federal agencies inland and overseas can work together to develop initiatives that limit international cyber attack opportunities, actively pursue the criminals, and create consequences to disincentivize their activities. More standardization of cybersecurity requirements and regulations worldwide could help remediate vulnerabilities throughout supply chains, regardless of country.
Artificial Intelligence and Machine Learning
AI and machine learning (ML) can enhance organizations’ cybersecurity defense via:
Cybersecurity systems with AI can provide 24/7/365 monitoring of all information systems. It is also capable of monitoring and dealing with several threats at the same time, which is more likely with the growing capabilities of cybercriminals and off-the-shelf malware services.
Real-Time Threat Response
AI can respond quickly to a potential threat, taking remedial action and alerting network administrators. With cybercriminals using AI to commit their crimes, the ability to reach equally quickly is vital.
Cybersecurity Training and Awareness
Since social engineering, such as phishing, is a prime way that cybercriminals gain access credentials, ignoring the human element when developing a cybersecurity system is fatal.
Organizations, particularly those a part of critical infrastructure, must raise awareness of cybersecurity issues and the importance of information security. It’s critical that every business has documented information security policies and that employees know who to report cybersecurity issues to when they arise.
Cybersecurity best practices that everyone in business should know and implement include:
- Organizational policy regarding social engineering
- Data protection procedures to protect credit card details and prevent identity theft
- Maintaining strong password hygiene
- Mulfi-factor authentication
- Recognizing phishing attacks
- Updating systems and software
- Implementing basic network security
- Creating incident response, disaster recovery, and business continuity plans
Securing Small to Medium-Sized Businesses
When thinking about the global economy, some may think that cybercrime only affects the biggest players. However, businesses of all sizes make up the economy. Small and medium-sized private sector businesses are not beyond the risk or effects of cyber attacks and, in some cases, might be even more at risk.
Smaller firms may have fewer data than enterprise-level operations, but they also have fewer cyber protections and defenses. In addition, smaller businesses tend to work with larger business partners, making the small business a gateway to the entire supply chain.
Incident Response Plans
With cyber attacks becoming more prevalent, it’s increasingly a matter of which cyber incidents will occur and when rather than if they will occur. By preparing for cyber incidents, businesses of all sizes will be able to respond quickly, minimizing business disruption, satisfying regulators where necessary, and protecting the trust they have earned from customers and clients.
After a robust risk assessment, an incident response plan needs to cover every risk, prioritized by likelihood and impact. The documented plan should be easily understandable by anyone in the business and identify who is responsible for leading the incident response (the incident response team), along with their current roles and contact details.
Supply Chain Risk Management
Organizations are more secure when securing their attack surfaces, including those of their third and fourth parties. Supply chain risk management attempts to identify, mitigate, and remediate these supply chain issues.
Some businesses lean heavily on their digital supply chains, such as businesses that use third-party apps, cloud storage, and other cloud-based service providers. Whether the supplies are physical or digital, a firm must look at those risks to protect its infrastructure.
By collaborating with suppliers and vendors, organizations can develop an ecosystem of mutual cybersecurity awareness and ensure that there are no gaps in their security controls and attack surfaces.