Cybercrime Costs. PHOTO: Cybercrime Magazine.

The Cost Of Cybercrime Is Always Rising And The Economics Favor The Attackers

Global cybersecurity spending is expected to reach $1 trillion cumulatively from 2017 to 2021

Ann Johnson

Seattle, Wash. – Nov. 15, 2019

Cybersecurity numbers are getting so large that they might cease to have much impact. Businesses globally spent $37 billion on cybersecurity last year, which Canalys says will rise to $42 billion a year by 2020. Gartner says worldwide information security spending generally will exceed $124 billion this year and reach $248 billion by 2023. Add it up over five years, say from 2017 to 2021, and Cybersecurity Ventures predicts global spending on cybersecurity will be more than a trillion dollars.

A 2017 report from Cybersecurity Ventures predicted ransomware damages would cost the world $5 billion in 2017, up from $325 million in 2015 — a 15X increase in just two years. The damages for 2018 were predicted to reach $8 billion, and for 2019 the figure is $11.5 billion. The latest prediction is that global ransomware damage costs will reach $20 billion by 2021 – which is 57X more than it was in 2015. This makes ransomware the fastest growing type of cybercrime. Cybersecurity Ventures estimates that there will be a ransomware attack on businesses every 14 seconds by the end of 2019, and every 11 seconds by 2021.

If attackers could take down a cloud provider, that could cause anything from $50 billion to $120 billion of economic damage; that’s on the scale of the economic impact of Hurricane Sandy or Katrina.

Cybercrime is more expensive for some industries than others, but Accenture says the cost of an attack to an individual organization averages $13 million. Insurance carrier Hiscox found the average cost of a cyberattack for all businesses jumped from $34,000 in 2018 to a fraction under $200,000 in 2019. If you look at individuals, 6 percent of all internet users in Ireland say they’ve lost money because of phishing, falling for fake websites or from online identity theft.

The sooner you detect an attack the better; cleaning up an attack you find immediately costs about a third of what it will take to clean up after an attack you don’t detect for a week or more. But you still need to budget for damage to and destruction of data, lost productivity, theft of intellectual property, theft of personal and financial data, actual theft of money, embezzlement, fraud, post-attack disruption to your business, forensic investigation, security training, emergency improvements to your infrastructure and business software, restoration of hacked data and deleting files that might have malware hidden in them. It’s a list that goes on and on.

The direct financial impact isn’t the only figure to think about: the resulting damaged reputations, lost trust and missed opportunities also affect the bottom line.

Reputational damage reduces sales, hurts your credit ratings and puts up the cost of your insurance premiums. If you look at the impact on stock prices of organizations that have suffered significant attacks, malicious cyber activity costs the US economy between $57 and $109 billion a year — or between 0.3 and 0.6 percent of the value of all goods and services in the US market. Cybersecurity Ventures predicts that cybercrime damages are expected to cost the world $6 trillion annually by 2021.



Not only are the numbers getting too big to think about helpfully, they’re also somewhat nebulous; many of them are averages, estimates and predictions because accurate figures are hard to come by, and depend very much on the specific details of the attack, and the defenses that were already in place. Organizations are often reluctant to divulge attacks unless required to by law (assuming they are even aware of all attacks) and they’re equally reluctant to disclose specific costs and losses, which can be difficult to tease out from on-going cybersecurity spending.

The lack of accurate data could also be holding back effective cyberinsurance; without enough actuarial information, the cost and coverage of policies and the standards policyholders are required to meet may not be aligning well with the actual threats organizations face.

But practically speaking, one much smaller number matters far more to organizations than all those big numbers — $500. That’s how much it costs an attacker to buy a toolkit online that they can use to hack into your environment. These toolkits aren’t just a set of scripts you can block once. For $500 they get a software license agreement that includes several months of patches and updates, plus 24-7 technical support if they get stuck.

That small initial investment gives a casual hacker without a great deal of expertise access to the latest techniques to attack you. Even sophisticated fileless attacks quickly become commoditized and show up in these toolkits.

For defenders, it means a higher volume of attackers, because the cost of attacking you is so low. Broad-based attacks like NotPetya and WannaCry, broad-based vulnerabilities like Specter and Meltdown allow bad actors to develop tools to deploy attacks at scale. Phishing attacks increased 250 percent between January and December 2019 and ransomware attacks are also on the rise, because phishing and ransomware are low-investment, high return attacks.

The economics of hacking mean that the best way to fight back is to raise the cost to the attacker of getting into your environment and reduce their ROI — because they’re in it to earn money. You need your security systems and operations to make it so hard to get in that the mass of casual attackers can’t reach you — and you also need the sophisticated tools that help you deal with the much smaller number of sophisticated attackers you will then be facing.

Treating cybercrime as an economic issue makes a lot of sense, and the answer isn’t to outspend the attacker. After all, they only need to get into your systems once, but you have to stop them every time. What’s needed is a way of making that attack too expensive, and that’s not something you can do on your own. The best modern cybersecurity systems receive signals from many hundreds of millions of endpoints, building an anonymized model that can be used to quickly pinpoint abnormal behaviors, in email, in network traffic, and in files.

Sharing that information helps you have a rapid response, but it can also be used to benchmark your security posture. Using Microsoft 365’s Secure Score you can compare aspects of your approach to security with everyone in your cohort, or across all businesses, with tips to guide you to a quick win. Similarly, Azure Sentinel monitors your network, and using signals from the Microsoft Security Graph helps pinpoint intrusions and other attacks.

Of course, nothing matters without a good resilience strategy. If a cyberattack does affect your business, you need to be back online and working as quickly as possible. That requires thinking about operational resilience first and foremost, with a well-tested and repeatable data recovery strategy. If you can be back and trading within hours of a major cyberattack, you’ll have saved your business and kept your costs down.

Microsoft Archives

Ann Johnson is Corporate Vice President, Cybersecurity Solutions Group for Microsoft. She is a member of the board of advisors for FS-ISAC (The Financial Services Information Sharing and Analysis Center), an advisory board member for EWF (Executive Women’s Forum on Information Security, Risk Management & Privacy), and an advisory board member for HYPR Corp. Ann recently joined the board of advisors for Cybersecurity Ventures.


Sponsored by Microsoft 

Microsoft provides enterprise-class security for emerging cyberthreats. Be prepared to defend your organization from new cyberthreats with help from Microsoft. Start by learning ten tips to enable Zero Trust security.

To find out more about Microsoft’s Cybersecurity Solutions, visit the Microsoft Security Site, or follow Microsoft Security on Twitter at Msft Security Twitter or Msft WDSecurity Twitter.