Ride the Lightning

Cybersecurity and Future of Law Practice Blog
by Sharon D. Nelson Esq., President of Sensei Enterprises, Inc.

Global Losses from Cybercrime Rocket to Almost $1 Trillion in 2020

December 10, 2020

The Washington Post (sub. req.) reported on December 7 that global losses from cybercrime are projected to hit a record of just under $1 trillion for 2020 as the pandemic offered new opportunities for hackers to target consumers and businesses.

The projection of $945 billion in losses comes from a report published on December 7 by the Center for Strategic and International Studies and computer security company McAfee. The projected loss is almost double the monetary loss from cybercrime of $500 billion in 2018.

It is unsurprising that COVID spawned any number of scams, but the migration of employees to a work-from-home environment created a disaster.

"When workers move to home environments, they are essentially becoming their own I.T. support," said Steve Grobman, senior vice president and chief technology officer at McAfee. "It's really about understanding that this is a different environment and building a security strategy to effectively defend it."

This is the fourth such report on global cybercrime. It "surveyed publicly available information on national losses, and, in a few cases, we used data from not-for-attribution interviews with cybersecurity.

"The reason that is so costly to organizations is it's much more difficult to investigate and recover when an organization doesn't necessarily know the full scope of a cyberattack and therefore has to do a much more in-depth investigation," he says. Global spending on cybersecurity is expected to exceed $145 billion in 2020, researchers note.

The average ransomware attack knocks a company's systems offline for 18 hours — more than enough time to have serious consequences for productivity.

"Most of the incidents are not always successful in the sense of getting money out, but they're successful in the sense of disrupting operations, disrupting networks," says the CSIS's James Lewis, who directed the report. "It's not just your monetary losses in the sense of, you know, 'they took this cash from me.' It's also the opportunity cost."

Companies tend to underestimate those costs, Lewis says. The average cost to organizations of the longest period their systems were disrupted in 2019 was $762,231, CSIS researchers found. In ransomware attacks, where hackers demand a payment in return for unlocking a company's systems, the disruption can often cost more than the ransom, which motivates companies to pay up.

Business interruption costs can be anywhere from five to 100 times larger than the cost of a ransom itself, Bill Siegel, chief executive of ransomware recovery firm Coveware, testified to the Senate Homeland Security and Governmental Affairs Committee in a recent hearing on ransomware.

There can also be a residual impact when a company is part of a supply chain, Grobman notes. A 2017 attack on Danish shipping company Maersk disrupted operations for two weeks and cost the company $300 million. More recently, hackers targeted companies involved in the supply chain to distribute coronavirus vaccines, IBM's Security X-Force reported.

Other costs can include the loss of intellectual property. Cybersecurity officials have warned of an increase in efforts by Chinese hackers to steal U.S. business secrets and research. Putting a price tag on that kind of loss is difficult for companies, Lewis says.

Despite the gloomy stats, more than half of the 1,500 organizations surveyed for the report said they lack plans to both prevent and respond to an incident. Only a third of the organizations that had plans said their plans were effective.

The uneven approach stems in large part from different regulatory standards for different industries. The financial and health-care sectors — two leading targets for cybercriminals — are more heavily regulated than other sectors.

"Ransomware is the new way for criminals to monetize hacking. And so that is going to be one of the big stories of the covid episode," Lewis says. "And so that leads to the question of do we need more regulation because the regulated sectors tend to be better prepared than the unregulated sector."

The incoming administration could play a role in deterrence. President-elect Joe Biden could also issue stronger warnings to foreign governments who enable hackers.

"How we establish trade and other economic agreements with countries should absolutely comprehend the level of focus and cooperation that they put on enforcing laws against cybercriminal actors within their borders," Grobman said.

In large part, it seems to me, we have not played hardball in negotiating with countries who either encourage or turn a blind eye to cybercrime. That needs to change.

Sharon D. Nelson, Esq., President, Sensei Enterprises, Inc.
3975 University Drive, Suite 225|Fairfax, VA 22030
Phone: 703-359-0700
Digital Forensics/Cybersecurity/Information Technology
https://senseient.com
https://twitter.com/sharonnelsonesq
https://www.linkedin.com/in/sharondnelson
https://amazon.com/author/sharonnelson