Executive Summary
Since 2018, we estimated that the cost of global cybercrime reached over $1 trillion.
We estimated the monetary loss from cybercrime at approximately $945 billion. Added to this was global spending on cybersecurity, which was expected to exceed $145 billion in 2020. Today, this is a $1 trillion drag on the global economy.
This is our fourth report on the cost of cybercrime. Our reports surveyed publicly available information on national losses, and, in a few cases, we used data from not-for-attribution interviews with cybersecurity officials. Our 2018 report found that cybercrime cost the global economy more than $600 billion. Our new estimate suggests a more than 50% increase in two years.
But what accounts for this increase? It can be explained by better reporting and, unfortunately, by cybercriminals using more effective techniques. More countries and organizations are reporting cybercrimes. In addition, ransomware and phishing-related schemes have increased dramatically, with cybercriminals “actively target[ing] organizations that include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.”
It is no secret that cybercrime can harm public safety, undermine national security, and damage economies. What is less well known are the hidden costs that organizations may not be aware of, such as lost opportunities, wasted resources, and damaged staff morale. This report provides insights on the hidden costs of cybercrime. It aims to help decision makers in companies and governments improve their understanding of the hidden costs of cybercrime.
In researching this report, we surveyed 1,500 companies. Only 4% claimed that they did not experience any sort of cyber incident in 2019. The damage from malware and spyware represented the highest cost to organizations, closely followed by data breaches. However, 92% of respondents identified other damage besides financial costs. Affected companies said the biggest non-monetary loss was in productivity and lost work hours. The longest average interruption to operations was 18 hours, at an average cost of more than half a million dollars.
Despite this, we found that most organizations do not have plans in place to reduce the effect of security incidents on their operations. In fact, IT decision makers think some departments are not made aware of IT security incidents. Amazingly, slightly more than half of the surveyed organizations said they do not have plans to both prevent and respond to a cyber incident. Out of the 951 organizations that had a response plan, only 32% said the plan was actually effective. Usually, the board or the C-suite was not involved in developing the plans.
One of the biggest challenges is the lack of an organization-wide understanding of cyber risk. This makes companies and agencies vulnerable to sophisticated social engineering tactics, and, once a hack has succeeded, they fail to recognize the problem in time to stop the spread of malware. The increased (and unavoidable) use of personal devices, such as smartphones or tablets, expands the attack surface and complicates the management of cybersecurity. The time and cost of recovery can be considerable and can often involve outside organizations specializing in cybersecurity, public relations, and legal teams. More improvement is needed to prevent incidents from occurring, in addition to helping restore service, operations, and morale, and repair any damage to the brand.
The reality of cybersecurity is that we cannot eliminate risk. At best, we can manage it. Publicly available information suggests that a few firms have lost hundreds of millions of dollars and many more firms have lost tens of millions of dollars, but these losses have so far proven to be manageable. Relatively basic measures could improve performance—better cyber hygiene and, as our survey found, better planning and greater awareness among employees of the cost of cybercrime.