A means of calculating the economic impact of cyber crime, at both organisational and GNP level, has gained in importance as business leaders learn more about how digital adversaries sap their capacity to operate profitably. Cyber crime’s damaging effect on national finances is also raising alarm in governmental circles.
Analysts have approached the issue using impact models that are, by their own acknowledgement, somewhat speculative in their assumptions and conclusions. For instance, there is the question of whether investment in defensive cyber security products and services represents a ‘cost of cyber crime’, or whether cost impact models should be confined to quantifiable subtractive losses identified after a cyber attack incident. And if products and services that were supposed to prevent an attack fail to do so, does that render them a valueless IT asset?
For all executives seeking a comprehensive understanding of potential cyber crime cost impacts, it’s essential to recognise that those costs come in several forms; it’s not just stolen money. Cyber criminals are out to steal any asset, and inflict any disruption, that they think they can profit from.
They are encouraged by the fact that their targets seem increasingly co-operative. Ransomware attacks have proved lucrative in a surprising number of cases around the world. The Telstra Security Report 2018, for instance, reports that malware victims see paying for ransomware extortion almost as a more expedient form of recovery, an ‘acceptable business expense’, even. And a survey conducted by McAfee for its How Misaligned Incentives Work Against Cyber Security report found that some executives viewed the financial costs of cyber crime as tantamount to ‘the cost of doing business’, and were ‘more concerned with reputational damage than the actual losses’.
DATA FEEDS IMPACT CALCULATIONS
As McAfee points out, cyber crime cost estimates face several problems, such as under-reporting by victims and the low level of data collection by governments. For example, the Office for National Statistics has estimated that only around 14% of UK cyber fraud is reported. Understanding the economic impacts of cyber crime is a relatively new exercise, and there is a limited amount it can learn from how the financial costs of traditional criminal activity have been assessed.
‘Governments can tell you the number of postage stamp thefts, but not online crime,’ McAfee adds. ‘A failure to collect data is compounded by reluctance on the part of companies to report when they have been victims. Data collection remains problematic; national estimates are still imprecise. The most significant limitation in developing an estimate of the cost of cyber crime is under-reporting. Only a fraction of losses is reported, as companies seek to avoid liability risks and reputational damage.’
Therefore, the raw data needed to feed properly informed calculations is usually not available to third-party agencies, often because the targets of cyber crime are themselves unable to audit its effect on their finances. And because the cyber threat landscape changes constantly, cost impact models have to be built on variables that are both hard to pin down and hard to apply consistently across disparate incidents.
Nevertheless, it is important that boards and C-suites gain some grasp of the parameters, because cyber crime cost is becoming an increasingly high-profile aspect of governance in organisations in the private, public and third sectors.
It has also gained importance because decision-making around digital security expenditure is likely to be conditioned by the perceived financial value of the assets cyber criminals want to steal, or by the financial impact of the disruption their actions cause. There’s not much point in spending more on the protection of assets than they are actually worth (bearing in mind that the loss from a compromised asset, once regulatory penalties and customer harm are counted, can exceed the asset’s own book value), especially if your IT resources are already stretched just to provide basic security for digital systems during business expansion.
A third consideration is that actual and projected cyber crime cost estimates will likely become a staple of required financial reporting. For publicly-listed companies, declaring a reasonably reliable estimate of financial liabilities due to cyber crime provides a basic metric by which funding of defensive cyber security proposals can be assessed, and justified to regulators, partners, investors and others who challenge decisions that have or have not been taken. Some proprietary models can be found via a Web search and can provide useful starting points; shared metrics help establish a ‘common language’ when boards and C-suites need to talk to technical staff.
Until recently, many senior executives have restricted their knowledge of cyber crime costs to reported news of losses that have reached the media, from global totals (‘Cyber crime may have cost $600bn last year’) to losses sustained by specific sectors or professions (‘Law firms lost more than £11m of client money to cyber criminals between 2016 and 2017, the National Cyber Security Centre revealed’). But headline figures explain relatively little; and if large numbers of cyber crime incidents go unreported, it is impossible to determine the damage victims have actually sustained, or to estimate likely future impacts.
VALUE OF DIGITAL ASSETS
The need to agree a value for digital assets for cyber insurance purposes is an additional requirement executive leaders must be aware of. More organisations are investigating and acquiring cyber insurance cover, which sounds like a step in the right direction; but a Lloyd’s/Cyence report highlights the fact that a holistic approach to cost impacts remains something of a best-guess risk estimation.
Lloyd’s/Cyence also suggested that, as more organisations see value in cyber insurance, the expanding scale of cyber attacks has the potential to trigger billions of dollars of insured losses in the event of a major incident. Clearly, for insurers to develop this lucrative business without exposing themselves to high-value pay-outs when cyber crime strikes, they need some common, reliable risk model on which to calculate premiums.
For boards and C-suites, meanwhile, the starting point is to identify and agree the assets that are at risk before attaching a loss value to each of them. Even a simple list, such as the one below, shows the range of digital assets that organisations of all sizes now rely on, and the forms that loss can take.
A GENERIC SHORTLIST OF TARGETED ASSETS AND LOSS CATEGORIES COULD INCLUDE:
• Loss of monetary funds: cash currency or cryptocurrencies removed from unlawfully accessed depositories (accounts).
• Service usage points: fraudulent addition of credits to service accounts (e.g., mobile phone credits or frequent flyer points).
• Loss of resalable data assets (e.g., customer records).
• Loss of intellectual property (e.g., software code and product designs).
• Loss of internal planning information (e.g., sales forecasts).
• Interruption to standard business operations due to a denial-of-service attack or a post-breach investigation.
• Reputational damage: adverse publicity that leads partners to cancel business relationships.
• Recovery costs: clean-up of malware-infected systems.
As senior executives are drawn more closely into cyber security decision-making, they will have to bring a different perspective to how this challenge is understood and responded to. It is to be hoped that viewing the issue through business minds will bring forth insightful responses that differ markedly from the technology-driven strategies that have characterised the last 20 years.
Moreover, the challenge that cyber crime poses to business efficiency and organisational ‘health’ must be re-thought, re-evaluated and appraised through the business ‘lens’.
Once figures such as these are projected across individual organisations, and then aggregated across vertical sectors, the potential costs start to look daunting. The question of cyber crime’s influence on the post-2008 economic downturn must surely warrant more serious consideration by financial analysts and historians.
Words: James Hayes. Image: Shutterstock.