12 Oct Cybercrime To Cost The World $9.5 trillion USD annually in 2024
Cybersecurity Facts, Figures, Predictions and Statistics Sponsored by eSentire
– Steve Morgan, Editor-in-Chief
Sausalito, Calif. – Oct. 25, 2023 / Press Release
Cybercrime is predicted to cost the world $9.5 trillion USD in 2024, according to Cybersecurity Ventures. If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China. Download the Report
We expect global cybercrime damage costs to grow by 15 percent per year over the next two years, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015.
The damage cost estimation is based on historical cybercrime figures including recent year-over-year growth, a dramatic increase in hostile nation-state sponsored and organized crime gang hacking activities, and a cyberattack surface which will be an order of magnitude greater in 2025 than it is today.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, legal costs, and potentially, regulatory fines.
An explosion in mobile, cloud, Internet of Things (IoT), and remote tools has permanently transformed how consumers and businesses utilize technology. While this has paved the way for innovation, new businesses, and closer bonds between business partners around the globe, it has also, unfortunately, dramatically increased the digital attack surface.
The insight of over 2,700 risk management professionals from 94 countries and territories, analyzed and published in the 2023 version of the Allianz Risk Barometer, indicates that close to half — 45 percent — of experts say cyber incidents are the most feared cause of business interruption, even more so than natural disasters or energy concerns.
A breakdown of global cybercrime damage costs predicted by Cybersecurity Ventures in 2024:
- $9.5 trillion USD a year
- $793 billion USD a month
- $182.5 billion USD a week
- $26 billion USD a day
- $1 billion USD an hour
- $18 million USD a minute
- $302,000 USD a second
How much is cybercrime costing your organization annually?
RANSOMWARE
Ransomware is a particularly destructive form of malware that has, in recent years, become the weapon of choice for cybercriminals.
In the latest White House National Cybersecurity Strategy, the government reclassified ransomware as a top security threat and one that requires “a comprehensive Federal approach and in lockstep with our international partners” to combat.
“Ransomware is continually evolving and it’s really hard to keep track of all the different strains,” says John Moretti, CISSP, CCSK & CEH, principal solutions architect at eSentire. “While each ransomware variant has different ways of spreading, all ransomware variants rely on similar social engineering tactics to deceive users and hold their data hostage.”
Hacking groups including Alphv, Hive, Conti, and LockBit all utilize ransomware, and some even provide Ransomware-as-a-Service (RaaS) to other gangs, granting them access to sophisticated ransomware suites.
Consumers may be targeted through phishing campaigns, malicious email attachments, or drive-by downloads, whereas organizations have more potentially damaging attack routes to consider.
Cybercrime Radio: Thought leadership on cybercrime
Trends in 2023, looking to 2024
Cybercriminals will attempt to infiltrate corporate networks and encrypt them, demanding substantial ransom payments in return for a decryption key. Rather than grind operations to a halt for long periods, some businesses pay up. Others may be subject to double-extortion tactics, in which data is stolen prior to encryption, set to be released publicly unless the victim capitulates to blackmail.
They may also lure insiders to “accidentally” execute ransomware on their company devices.
Indeed, some ransomware operators pay other criminals for points of initial access to streamline and speed up the attack process.
Ransomware will cost its victims around $265 billion USD annually by 2031, up from $42 billion in 2024, and $20 billion in 2021, Cybersecurity Ventures predicts, with a new attack (on consumers and organizations) occurring every two seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities.
The dollar figure is based on a 30 percent year-over-year growth in damage costs over the next 10 years.
Recent, high-impact ransomware attacks include:
- MGM Resorts: MGM Resorts suffered a shutdown of computer systems following a cyberattack in September. The ransomware attack caused enough disruption to impact hotel reservations, digital room keys, credit card processing, and casino slot machines. Some hotel amenities became cash-only. Two cybercriminal organizations known as Alphv and Scattered Spider claimed responsibility, and some researchers suspect the groups are business associates.
- Caesar’s Entertainment: Prior to the MGM Resorts cyberattack, Caesar’s Entertainment reportedly paid Scattered Spider $15 million USD to prevent the disclosure of stolen information following a ransomware attack.
- MOVEit: MOVEit experienced one of the largest hacks of 2023. A zero-day vulnerability in the popular secure file transfer service, used by thousands of organizations, gave cybercriminals an enormous attack surface to exploit. Costing billions of dollars worldwide, the security flaw was exploited by the CL0P ransomware gang and others to steal data, wipe systems, deploy ransomware, and extort victims on the pain of the leak of confidential data.
- Royal Mail: The UK’s national mail service, Royal Mail, was subject to a ransomware attack in January. Evidence points toward the LockBit ransomware, and the cyberattack impacted domestic deliveries and overseas operations. Royal Mail rejected an $80 million USD ransom demand.
- Capita: British outsourcing company Capita experienced a ransomware attack in March, leading to the potential theft of customer, supplier, and employee data. The costs of remediation are estimated at up to $25 million USD.
- City of Dallas: In May, hackers targeted systems belonging to the City of Dallas. The Royal ransomware group claimed responsibility for the intrusion and alleged it was able to encrypt critical data and steal information belonging to approximately 26,000 residents stored on government servers: including names, addresses, and medical information, and data associated with minors.
Ransomware has not gone unnoticed in the boardroom given its destructive power and the potential impact an infection can have on a company’s operations.
According to the World Economic Forum’s annual report, The Global Cybersecurity Outlook 2023, cyber leaders and business leaders said identity theft, followed by cyber extortion — including ransomware — concerned them the most in regard to their personal cybersecurity.
Whether or not to pay is a question organizations will face under extreme pressure, generated when a ransomware attack is underway. These scenarios are exacerbated when threat actors have stolen sensitive information prior to making their presence known.
However, there is no guarantee that stolen information will be returned, or that the cybercriminals behind a ransomware attack will not leak victim data. The lure of a decryption key may also be nothing more than a smokescreen, and systems may have to revert to backups whether or not a payment is made.
Furthermore, just because one ransomware group is satisfied with a payout does not mean that a victim organization will not be targeted a second time, resulting in repeat attacks and payments.
CRYPTOCRIME
Cryptocurrencies have been a game-changer for some, a get-rich-quick scheme for others, a way to lose life savings for an unfortunate few — and a means to conduct financial crime with less traceability for threat actors.
Decentralized finance (DeFI) services and the ease with which cryptocurrencies can be bought, sold, exchanged, and moved between wallets are all creating avenues for exploitation.
Cybercriminals seeking to cash in on cryptocurrency can perform various scams, including rug pulls — the abandonment of a crypto project without warning, taking investor proceeds with them — associated exit scams and pump-and-dump schemes. Consumers may also be approached with investment scams in which they are urged to invest their proceeds into malicious trading apps.
Cybercriminals may attack cryptocurrency exchanges directly, taking advantage of security weaknesses to drain a project, or its users, of funds.
Cybersecurity Ventures predicts cryptocurrency crime will cost the world $30 billion USD in 2025 alone. That’s nearly twice the $17.5 billion USD lost in 2021 — and these figures are expected to grow by 15 percent annually.
Some of the biggest cryptocurrency-related hacks taking place so far in 2023 are:
- Atomic Wallet: In June, the non-custodial cryptocurrency wallet developer suffered an attack on its technology. The abuse of an exploit led to 5,500 cryptocurrency accounts being impacted, with overall losses totaling over $100 million USD. The heist was originally linked to the North Korean hacking group Lazarus, although some researchers suspect involvement by Ukrainian cybercriminals.
- Euler Finance: A March cyber incident suffered by Euler Finance was the sole responsibility of an individual who drained roughly $200 million USD in virtual assets including Dai (DAI), wrapped Bitcoin (wBT), and USD Coin (USDC). However, the hacker did return roughly $19 million USD.
- Bitrue: In April, Bitrue revealed a hot wallet exploit abused to steal roughly $23 million USD including Ethereum (ETH), equating to roughly five percent of the company’s assets. Withdrawals were temporarily suspended to “conduct additional security checks.” Bitrue said that no other wallets were compromised.
- Deus Finance: A security breach impacting decentralized finance protocol Deus Finance left a $6 million USD hole in the organization’s balance sheet, caused by a BNB Smart Chain (BSC) implementation error. In May, a bot was launched to hack BSC. The attack was the second in as many months, with Deus Finance losing over $13 million USD in a flash loan on the Fantom network.
- Multichain: Multichain, a cross-chain router protocol, closed down and ceased operations in July following a loss of $125 million USD, transferred through unauthorized withdrawals. The company’s CEO, Zhaojun, has been arrested by Chinese police.
- Stake: Stake, an online cryptocurrency casino and betting platform, was hacked in September. Attackers were able to make unauthorized withdrawals from Stake’s hot wallets, leading to losses of $41 million USD.
There is also a rising number of cryptocriminals who have been arrested, prosecuted, and sentenced.
“I think there is still a shrinking but existent group of people who think they’re staying a step ahead of law enforcement and surveillance,” says Andy Greenberg, senior writer at WIRED. “But it’s very easy to think you’re doing enough to evade this tracing when you’re not. And there’s a whole industry of very clever and well-funded people whose job it is to find ways to surprise you and trace what seems untraceable,” adds Greenberg, also the award-winning author of “Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency.”
Last year, the U.S. Department of Justice appointed the first-ever director of the National Cryptocurrency Enforcement Team (NCET), a unit dedicated to investigating and prosecuting those responsible for cryptocrimes. In Jul. 2023, NCET was formally merged with the Computer Crime and Intellectual Property Section (CCIPS) department, ensuring its future as a permanent fixture in the U.S. government.
CYBER ATTACK SURFACE
The modern definition of the word “hack” was coined at MIT in April 1955. The first known mention of computer (phone) hacking occurred in a 1963 issue of The Tech.
Over the past fifty-plus years, the world’s attack surface has evolved from phone systems to a vast datasphere outpacing humanity’s ability to secure it.
A decade ago, IBM proclaimed that data promises to be for the 21st century what steam power was for the 18th, electricity for the 19th, and hydrocarbons for the 20th.
The world will store 200 zettabytes of data by 2025, according to Cybersecurity Ventures. This includes data stored on private and public IT infrastructures, on utility infrastructures, on private and public cloud data centers, on personal computing devices — PCs, laptops, tablets, and smartphones — and on IoT (Internet-of-Things) devices.
It is predicted that the total amount of data stored in the cloud — including public clouds operated by vendors and social media companies (think Apple, Facebook, Google, Microsoft, and X, to name a few), government-owned clouds that are accessible to citizens and businesses, private clouds owned by mid-to-large-sized corporations, and cloud storage providers — will reach 100 zettabytes by 2025, or 50 percent of the world’s data at that time, up from approximately 25 percent stored in the cloud in 2015.
The internet, now viewed by some societies as necessary as access to water and electricity, continues to connect the globe.
Cybersecurity Ventures estimates that six billion people were connected to the Internet in 2022. With roughly one million people joining the online world each day, we predict that there will be over 7.5 billion Internet users by 2030, or 90 percent of the human population aged six years and older.
Anything with an Internet connection and an electronic pulse is at risk of cyberattack. Our personal computers, smartphones, tablets, and networks are assaulted every day, but in recent years — and due to the explosion in IoT — now everything from our planes, healthcare services, energy grids, wearables, and personal vehicles have to be protected.
The issue is complicated further as so many small, limited devices are connected to corporate networks in some fashion. With analysts expecting 16.7 billion connected IoT endpoints to be active in 2023, rising to over 29 billion by 2027, threat actors worldwide will have an almost unlimited attack surface to exploit for purposes including data exfiltration, ransomware deployment, identity theft, and more.
GEOPOLITICAL, INDUSTRIAL RISK FACTORS
Cybercrime exists in a profound way on a global scale, with almost every service we rely upon — government services, utilities, consumer goods, and private enterprises — connected to the Internet and, therefore, at risk of disruption due to cyberattacks.
The 2023 Allianz Risk Barometer found that cyber incidents rank among the top perils facing 19 countries, including the UK, France, Austria, Spain, India, and Japan. Small companies in these countries fear business interruption the most due to cyberattacks.
As noted by the Google Threat Analysis Group (TAG), geopolitical shifts and warfare can also change cyberattack risk levels on the country level. Since Russia’s invasion of Ukraine in 2022, researchers say Ukraine has been under “near-constant digital attack.”
“For many companies, the threat in cyberspace is still higher than ever,” says Scott Sayce, global head of cyber at AGCS and group head of the Cyber Center of Competence, as cited in Allianz’s research. “The conflict in Ukraine and wider geopolitical tensions are reshaping the cyber risk landscape, heightening the risk of a large-scale cyberattack.”
According to the World Economic Forum’s 2023 Global Security Outlook report, “global geopolitical instability has helped to close the perception gap between business and cyber leaders’ views on the importance of cyber-risk management.”
It isn’t just country-level grids, utilities, resources, and services we need to consider, however. The private sector, too, is constantly under assault by cybercriminals with no moral compass or consideration.
In WEF’s survey, business and cyber leaders said that global geopolitical instability is “moderately” or “very likely” to lead to a catastrophic cyber event in the next two years (93 percent and 86 percent, respectively).
In total, 74 percent of organizations revealed that global geopolitical instability has influenced their cyber strategy, in an attempt to avoid impacting business continuity or their reputations. In total, 43 percent of organizational leaders also said they think it is likely a cyberattack will “materially” affect their organization within the next two years.
According to Verizon’s 2023 Data Breach Report, which examined over 16,000 reported data breach incidents, the majority of attacks centered on public administrators, the IT sector, finance, manufacturing, and professional services.
While these figures are influenced by differing data breach reporting mandates and regulatory requirements, it is still notable that there are patterns in incident data: with denial of service, lost and stolen assets, web application attacks, and social engineering campaigns taking center stage.
SMALL BUSINESS
“There are 30 million small businesses in the U.S. that need to stay safe from phishing attacks, malware spying, ransomware, identity theft, major breaches and hackers who would compromise their security,” says Scott Schober, author of the popular books “Hacked Again” and “Cybersecurity Is Everybody’s Business.”
More than half of all cyberattacks are committed against small-to-mid-sized businesses (SMBs), and 60 percent of them go out of business within six months of falling victim to a data breach or hack.
To put this into perspective, the U.S. Small Business Administration Office of Advocacy says that 99.9 percent of all American businesses are small (with fewer than 500 employees), and have hired 46.4 percent of all private sector employees.
In other words, the vast majority of businesses underpinning the U.S. economy are at serious risk of cyberattacks, and any material disruption could lead to countless employees losing their jobs — thereby having a serious detriment to the economy at large.
In total, 66 percent of small businesses are concerned or extremely concerned about cybersecurity risk.
The U.S. Federal Communications Commission (FCC) recommends that small business owners consider cybersecurity training for their employees, regular patch cycles, firewall security, and frequent backups to be better prepared for modern threats.
CNBC reports that the FBI is worried about a wave of cybercrime against America’s small businesses.
“The large businesses continue to invest in their cybersecurity and enhance their cybersecurity posture,” says Michael Sohn, FBI supervisory special agent. “So what the cybercriminals are doing is they’re pivoting, they’re evolving and targeting the soft targets, which are the small and medium businesses. A lot of the cyberattacks that we have witnessed from our investigations, almost all of them could have been prevented by doing very basic cyber hygiene.”
TALENT CRUNCH
The number of unfilled cybersecurity jobs worldwide grew 350 percent between 2013 and 2021, from one million to 3.5 million, according to Cybersecurity Ventures.
The number of open roles has remained constant, with 3.5 million jobs still available in 2023. Around 750,000 of these positions are available in the U.S., according to Cyberseek US. We expect that the disparity between the supply and demand of cybersecurity talent will persist through 2025.
Despite industry-wide efforts to reduce the skills gap, the number of open jobs in our field is enough to fill 50 NFL stadiums.
The unemployment rate for cybersecurity professionals, in other words, is effectively at zero percent, and many companies are now launching in-house training, upskilling, and apprenticeship programs to plug the cybersecurity skills gap.
Microsoft launched a national campaign in 2021, in partnership with U.S. community colleges, to train up and place 250,000 people in cybersecurity. Citing Cybersecurity Ventures data, the Redmond giant also recently announced a new partnership under its Ready4Cybersecurity program in Asia to improve access to cybersecurity skills and careers for women and underrepresented youth groups, with the intention being to certify at least 100,000 individuals by 2025.
In the same year, Google pledged to invest over $10 billion USD through 2025 in cybersecurity, including initiatives to promote open source security and the recruitment and training of 100,000 U.S. citizens for cybersecurity roles. This year, Google is pouring a further $20 million USD into hands-on training initiatives for students, in collaboration with the Consortium of Cybersecurity Clinics.
IBM, too, is willing to invest in the next generation of cybersecurity leaders and has committed to partnerships expanding technology and cybersecurity learning opportunities to 30 million people by 2030.
However, there is still a supply problem regarding recruiting candidates with experience or qualifications in the U.S. and beyond. According to Cyberseek US, nationwide, there are close to 92,000 CISSPs (Certified Information Systems Security Professionals), the gold standard qualification, with just under 98,000 open positions requiring the certificate.
CyberSeek US analysis also shows that online job listings for cybersecurity-related positions have increased by 77 percent since 2010, and the national average of the supply-demand ratio of available cybersecurity workers to employer demand is 69 percent.
On average, cybersecurity positions take 21 percent longer to fill than other IT roles.
We need more talented professionals to shoulder the tasks of protecting data, assets, and networks belonging to our businesses. However, it is not just the private sector that is feeling the sting caused by a lack of available talent — governments and federal fighters, too, are struggling to handle modern cybercrime.
This persistent issue was summed up by FBI Director Christopher Wray, who remarked in Sep. 2023: “China already has a bigger hacking program than every other major nation combined. If each one of the FBI’s cyber agents and intelligence analysts focused on China exclusively, Chinese hackers would still outnumber our cyber personnel by at least 50 to 1.”
It is also important to note that we are not utilizing the full potential of many would-be cyber fighters.
Cybersecurity Ventures predicts that women will represent 30 percent of the global cybersecurity workforce by 2025, and that will reach 35 percent by 2031.
Underrepresented groups, including women, should be encouraged from an early age to enter the STEM field. In total, 49.7 percent of the global population is female and if organizations overlook such a large percentage of the workforce, potential talent pools are being left untapped.
Businesses are missing out on a wealth of experience and perspectives that can only be assets to defense. When threats are as diverse as the criminals behind them, we must combine the gifts and talents offered by people of all ages, backgrounds, genders, and creeds.
The gender gap becomes a chasm when we consider the top roles in cybersecurity. For example, our research found that women held only 17 percent of Chief Information Security Officer (CISO) roles at Fortune 500 companies. Said otherwise, women held only 85 of 500 available CISO positions.
Women understand cyber. They understand technology. They are no less capable than men, but discrimination, a lack of awareness, and a failure to encourage the next generation to promote cybersecurity as an attractive career path all contribute to fewer women entering the field.
Underrepresentation is not the only issue impacting today’s top cybersecurity leadership roles — and recruitment for them.
CISOs, overall, are responsible for an organization’s security posture and policies. These lead cyber fighters, unfortunately, typically have a short tenure.
According to Heidrick & Struggles’ 2023 Global Chief Information Officer survey, the most significant risks cited in the role were stress, burnout, and job loss due to a breach at 71 percent, 54 percent, and 29 percent, respectively.
Cybersecurity Ventures found that 24 percent of Fortune 500 CISOs have been working in their roles for just one year on average. Even though it is well-known that CISOs often serve a short tenure, 40 percent of CISOs responding to the Heidrick & Struggles research revealed their organizations have no succession plan in place.
Furthermore, 13 percent of security leaders said their company was not in the process of developing one.
With 76 percent of CISOs admitting they were “very” or “entirely open” to changing companies in the next three years, the organizational risk of not supporting existing CISOs or planning for their successors is a risk that could result in increased breach exposure and heightening the risk of cyberattacks being successful.
“The CISO is there to raise the risk, to shine light on it, to offer solutions, to differentiate and prioritize what needs to be fixed,” says Greg Crowley, CISO at eSentire. “You can’t ask the CISO to do everything and everything; you need to give them the support — and give them a team that can really make sure the cybersecurity and risk management program is well-functioning.”
The statistics presented in the 2023 Cybercrime Report demonstrate that there is no end to cyber risk so our executive board-level conversations must shift to how we are actively improving cyber resilience, and putting our organizations ahead of disruption. Cyber-savvy boards are discussing topics like cyber risk appetite, cyber risk tolerance, cyber risk quantification and the risk-based approach to cybersecurity with increasing frequency.
– Steve Morgan is founder and Editor-in-Chief at Cybersecurity Ventures.
Go here to read all of my blogs and articles covering cybersecurity. Go here to send me story tips, feedback, and suggestions.
Charlie Osborne, Editor-at-Large at Cybercrime Magazine, contributed to this report.
CYBERSECURITY INSIGHTS
As the Authority in Managed Detection and Response, eSentire recommends proactively building a cyber resilient cybersecurity program, allowing security leaders to anticipate, withstand, and recover from even the most sophisticated cyberattacks. Security leaders should also take a risk-based approach to prioritize building the appropriate controls for the worst vulnerabilities, to defeat the most significant threats. Risk-based approaches tend to be significantly more cost-effective than traditional maturity models since business leaders have the option to invest heavily in defenses for the vulnerabilities that affect the business’s most critical areas.
Defending your organization against modern ransomware, social engineering, cryptocrime and the level of state-sponsored attacks, outlined here, requires a multi-layered defense strategy that includes 24/7 security monitoring, visibility and coverage over the complete attack surface, and an incident response plan in the event of a successful attack.
eSentire’s Threat Response Unit recommends the following foundational security program elements:
- Adopting a comprehensive vulnerability management program that provides your team with continuous awareness of the threat landscape enables a disciplined, risk-based patch management approach, and conducts vulnerability scanning to understand which systems are inadvertently exposed.
- Educating your employees to recognize the signs of phishing and social engineering tactics that state-sponsored adversaries may leverage to gain access into your environment through ongoing Phishing and Security Awareness Training (PSAT).
- Engaging a 24/7 multi-signal Managed Detection and Response (MDR) provider to ensure you have visibility across all your signal sources — endpoints, network, log, cloud, and identity — help your team perform rapid threat investigation, containment, and remediation when an incident occurs.
- Leveraging a global threat hunting program that includes detection engineering driven by highly-skilled threat hunters who can build proprietary detection content and runbooks mapped to the MITRE ATT&CK framework. The threat hunting program your team engages should have demonstrated expertise in investigating the latest threat actor Tactics, Techniques & Procedures (TTPs) through original research, leverage enriched threat intelligence, proactively identify threats, and streamline investigations using the best-of-breed platforms.
- Having an Incident Response retainer for post-incident support and emergency preparedness so your team can determine the precise extent of an attack and to investigate the threat with speed and efficacy.
Security leaders who can demonstrate the financial consequences of a cyberattack and business downtime to their executive teams are more than likely going to get the budget required to prevent business disruption and protect their customers’ sensitive data.
When comparing the average daily cost of revenue disruption to the cost of building out and maintaining a DIY security operation, or investing in an outsourced 24/7 extension of your security team, the choice to partner with trusted experts in cybersecurity is clear.
Cybercrime has evolved with threat actors modeling their strategies after enterprise organizations (for example: through role differentiation, using as-a-service business models, and sophisticated malware distribution). The best way to combat the dynamic threat landscape and continue to scale your business operations securely, is to partner with an organization who is as focused on preventing threat disruption to help you reclaim the advantage and improve your overall cyber resilience.
Sponsored by eSentire
The 2023 Annual Cybercrime Report is sponsored by eSentire, the authority in managed detection and response services, protecting the critical data and applications of 2000+ organizations in 80+ countries, across 35 industries from known and unknown cyber threats. Founded in 2001, eSentire protects the world’s most targeted organizations with 65% of its global base recognized as critical infrastructure, vital to economic health and stability. By combining open XDR platform technology, 24/7 threat hunting, and proven security operations leadership, eSentire’s award-winning MDR services and team of experts help organizations anticipate, withstand, and recover from cyberattacks.