09 October 2021 | Scott Nursten
The FBI’s Internet Crime Complaint Center (IC3) reported 791,790 cybercrime cases in 2020 with direct losses of almost $4.2 billion. Many more cases are unreported or unknown - the SolarWinds breach compromised the entire supply chain and went undetected for months.
The IC3 report aims to use data to catch cyber criminals and recover stolen funds. To some degree, it is working. But cybercrime is slippery; criminals hide behind foreign IP addresses and cloaking technologies.
It’s also incredibly lucrative. With 69 percent growth, cybercrime is the fastest growing industry on the planet. Is your business prepared for the war that is coming?
Cyber defence spend vs cybercrime profits
Global cybersecurity spend was $153 billion in 2020 (Juniper Research). Sound impressive? Cyber criminals took $2 trillion from their victims during the same period.
IBM puts the average cost of a corporate breach at $3.86 million, yet businesses are not even investing 10 percent of this amount in cyber defences on average.
The biggest single reported payout in the year was a wire fraud business email compromise (BEC) costing $60 million. Another case cost $2 million and yet another cost $977,000. These three cases, each costing around a million dollars or more, show that the scale of loss is growing dramatically.
The $4.2 billion losses do not include consequential costs such as lost time, lost earnings etc. This is the amount paid directly to criminals from American companies and individuals desperate to fix a problem they could have prevented for far less.
The IC3 report is the only one of its kind to categorise cybercrimes, attack methods, direct losses and criminal patterns. It shows how crimes are escalating across the world, many with international links.
Excluding the US, the UK leads the top 20 international victim countries by a wide margin, with 216,633 known UK-based attacks. In second place, Canada, with around 5,000 cases, is 40 times less likely to fall victim to an attack.
How 5 percent of victims paid 50 percent of the losses
Of all reported cases, 95 percent (33 types of crime) mainly affect consumers and account for just over half of the losses. The remaining 5 percent (4 types of crime), those reported mainly by businesses, account for the other half. This means the average business paid more than $100,000, compared with the average consumer paying $5,000.
Top 4 losses to businesses
The IC3 states that adjusted losses do not include lost business, time, wages, equipment, or remediation services. Cases or losses are often unreported, or are reported directly to the FBI rather than to IC3, creating an artificially low loss rate here.
We work with a business that lost millions of pounds following a ransomware attack earlier this year. In my opinion, these losses are definitely under-accounted.
What does future cyber resilience look like?
The IC3 report is incredibly useful, but it only looks backwards. Training your staff in cyber awareness is a great start but we have to prepare for advanced, layered and persistent attacks.
Criminals access your network first and find out everything they can about you, stealing valuable data and perhaps trying email scams along the way. Once they’ve exhausted every avenue, they’ll encrypt everything and ransom you. After you think “phew, it’s over”, they may still sell your exfiltrated data as well.
Layered attacks are already happening. Only the criminals know what they have planned for tomorrow, which is why strategy is so important.
Because BEC is at the top of the danger list, it may be tempting to race out and buy email security software. But that alone is not enough, because once email security is fixed, attackers will move on to something else. Then what?