What’s the real cost of cybercrime?
Being hacked is about much more than just financial losses – and yet it’s about that, too. This is what it’s really like for individuals and businesses who fall prey to cybercrime.
Former FBI director Robert Mueller once said there are only two types of businesses – those that have been hacked, and those that will be. As our world gets smaller, and our systems for sharing information become increasingly interconnected, being hacked is becoming an inevitability.
Dr Cassandra Cross is an Associate Professor in the School of Justice at the Queensland University of Technology who specialises in researching cyber scams and their victims. She says that despite the rising prevalence of cybercrime, most people still don’t understand what’s really at stake.
“The problem is that people don’t perceive the threat of cybercrime to them accurately,” she says. “People think it won’t happen to them; that it’s something that only happens to other people. There’s a definite discrepancy between the actual threat of cybercrime, and how at-risk people think they are.”
The emotional impact of cybercrime
Before we even begin to count the dollars-and-cents impact of cybercrime, it’s important to consider the psychological impact, which is too often ignored. Victims of a cyber attack can be left with feelings of anger, anxiety, fear, isolation and embarrassment, which can lead to anything from sleeplessness to self-harm.
“People should know that cybercrime can have a number of non-financial impacts,” Dr Cross says. “It can impact their emotional and psychological wellbeing. Victims can experience depression. It can impact on relationships, on employment, and it can even lead to homelessness. At the serious end, it can have a severe impact on someone’s physical health, and in the worst case scenario, there have been victims who have committed suicide as a response to cybercrime.
“I think we have to acknowledge, to a much greater degree, the range of impacts that different types of cybercrime can have, and acknowledge that the way one person experiences an incident can be quite different to somebody else in the same situation. That will depend partly on their ability to disclose what’s happened to family and friends, and to gain support from both formal and informal networks.”
Dr Cross says many victims of cybercrime are left feeling that they’ve been violated, in much the same way that you might expect after a physical attack.
“That feeling of violation and vulnerability is something I’ve come across a lot in my research on cyber fraud,” she says. “Fraud is all about deception. It’s about deceiving somebody for financial gain. And once a person realises that they’ve been deceived, it comes with an immense sense of violation, betrayal, and loss of trust. Many victims talk about the fact that they find it difficult to trust people in their day-to-day lives moving forward, and they find it hard to start new relationships.”
One of the most damaging aspects of a hack can be the response from other people.
“There is a lot of victim-blaming that comes with cybercrime,” Dr Cross says. “Victims feel so ashamed and embarrassed about what’s happened, and there’s such a stigma associated with it, that they often don’t tell anybody about it. And that exacerbates it, because they suffer in silence. They’re not able to gain any support in the aftermath of what’s occurred, and it sends them spiralling downwards.”
For many victims of cybercrime, dealing with the system in the aftermath of the crime can be as traumatic as the crime itself.
“Our systems are not very well designed, and they certainly aren’t victim-centred,” Dr Cross says. “If my wallet gets stolen or my house gets broken into, I will generally go to the police to file a report in the first instance. But for the various types of cybercrime, there are a multitude of agencies that might be relevant to a victim’s circumstances.
“They might need to talk to the police, but they might also need to talk to banks, consumer protection agencies, government agencies, perhaps even a private organisation. It can leave them feeling like they’re not being heard, and it creates a merry-go-round effect as victims are passed around from one organisation to the next. They sustain additional trauma, and frustration, and a huge sense of anger at not being acknowledged, not being listened to, and not being able to find anyone who can assist them with their personal circumstances.”
In Australia, there is a central reporting mechanism for victims of cybercrime, but Dr Cross says that comes with its own challenges.
“ReportCyber is the online reporting mechanism for cybercrime in Australia, but from a victim perspective, you can see how that might not be ideal,” she says. “Victims who have been deceived or defrauded and lost money or data online are then directed to go online and provide all of their personal details and the details of what happened, and send that information into a black hole that doesn’t give them a personalised response and might not lead to any further interaction or communication.”
In a recent study on the police response to cybercrime for the Australian Institute of Criminology, Dr Cross and co-authors Dr Thomas Holt, Dr Anastasia Powell and Dr Michael Wilson found that community members are more likely to express confidence in the police response to cybercrime than the police themselves.
They surveyed hundreds of officers in Queensland and New South Wales, as well as thousands of community participants, and found that police consistently reported lower confidence in their capabilities to investigate cybercrime – most likely because they are more aware of the difficulties cybercrime presents for law enforcement in practice, namely its technical complexity and cross-jurisdictional nature.
Adding to the frustration and stigmatisation that those who have fallen prey to cybercriminals can feel, police tend to prioritise their work according to a sense of ‘ideal victimisation’. Observations of police control rooms in the UK, for instance, have found that the perceived ‘blamelessness’ of cyber-harassment victims will influence whether or not police decide further investigation is warranted.
All told, it can add up to a deeply unpleasant experience for victims of cybercrime who might be expecting their complaint to be taken more seriously than it is.
“It’s frustrating for victims to go to the police, be told the police can’t take the complaint, and then be referred online to ReportCyber, when they’re expecting a different outcome,” Dr Cross says.
The business impact of cybercrime
The impact of cybercrime on businesses might be better understood than the psychological impact of cybercrime on individuals, but there’s still a lack of awareness about the reality of the situation.
For one thing, it’s naive to think that the business impact of a hack is limited to money. This year in Australia alone, Victorian health operator Eastern Health was forced to postpone elective surgeries at four hospitals in Melbourne’s east because of a cyber attack. Meanwhile, Queensland health and community care provider UnitingCare Queensland, which runs numerous hospitals and aged care and disability services throughout the state, was suspended from the national My Health Record system after falling victim to a cyber attack, leaving patient records unable to be accessed online.
Most jurisdictions require data breaches to be disclosed. In Australia, when a business covered by the Privacy Act 1988 has reason to believe a data breach has occurred, it has to notify the Office of the Australian Information Commissioner. It also has to notify any individual at risk of being affected, and let them know what the company is doing to mitigate that risk.
It can take time for the true impacts of such a breach to reveal themselves. It was only this year, for instance, that National Australia Bank revealed it had paid $686,878 in compensation to customers exposed in a 2019 data breach, when personal account details of about 13,000 customers were uploaded online.
The costs included the reissuance of government identification documents, as well as subscriptions to independent, enhanced fraud detection services for the affected customers. But that’s unlikely to be the full price of the breach for NAB – the bank also hired three cyber-intelligence experts to investigate the breach at the time, the names and cost of which remain unknown.
The average cost of a cyber attack on a business is a matter of some debate. The Hiscox Cyber Readiness Report of 2021, which surveyed 1,709 firms around the world that tracked the cost of cyber attacks, noted a wide range of outcomes “that should send a chill down any CEO’s spine”. One in six of all firms that were attacked over the past year said the impact was serious enough to ‘materially threaten the solvency or viability of the company’.
According to the Hiscox report, the median cost for all attacks on firms with under 10 employees over the last year was just over US$8,000. At the 95th percentile, however, there were firms suffering losses of US$308,000, with one German firm having to pay the equivalent of US$474,000 per employee.
For enterprise-scale firms, the median cost was US$24,000, but at the 95th percentile, firms were suffering losses of US$462,000.
But those numbers pale by comparison with the Cost of a Data Breach Report 2021 from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions. Their report found the average cost of a breach currently sits at a staggering US$4.24 million, a 10 per cent increase from last year. Ransomware breaches were particularly costly, at an average of US$4.62 million.
The IBM and Ponemon report took into account hundreds of cost factors, from legal implications and regulatory requirements to loss of brand equity, customer turnover, and the drain that managing a breach has on employee productivity.
Breaches were costliest in the heavily regulated healthcare industry (US$9.23 million), a logical result given the additional sensitivity of medical records, with less regulated industries such as hospitality (US$3.03 million) sitting at the opposite end of the spectrum.
Lost business represented the largest share (38 per cent) of breach costs. Lost business costs include business disruption and revenue losses from system downtime, customer turnover, reputation losses and diminished goodwill.
The average cost per record of personally identifiable information was US$180. Mega breaches involving at least 50 million records were excluded from the average, with a separate section of the report noting that they cost 100 times more than the average breach.
The report found the average breach takes 287 days to identify and contain, with the cost increasing the longer it remains unidentified. When it comes to cybercrime, at least, time really is money.
The report confirmed that costs accrue over several years. While the bulk of a data breach cost (53 per cent) is incurred in the first year, another 31 per cent is incurred in the second year, and the final 16 per cent is incurred more than two years after the event.
In 2019, a Deloitte report determined that up to 90 per cent of the total costs of a cyber attack occur beneath the surface.
Traditional approaches to calculating the cost of cybercrime have focused on the theft of personal information, because the data is readily available and the costs are relatively quantifiable.
But the Deloitte report argued that ‘hidden costs’ – including the theft of intellectual property, the disruption of core operations and the destruction of critical infrastructure, as well as insurance premium increases, credit rating impact, the loss of customer relationships and brand devaluation – are the real killers when a cyber attack occurs.
Dr Cross says communication in the aftermath of a breach is crucial for mitigating an attack’s impact.
“The tone of communications is so important, in terms of how the attack impacts their reputation and how they can move forward from it,” she says.
“Data breaches are not new. Sadly, they’re very common at this point, and we see them quite often in the media now. But there are companies who deal with them better than others, in terms of the way they communicate with victims and the way they communicate publicly about what’s happened.
“I think it’s something that every company should anticipate and have a strategy for dealing with. Not if this happens, but when this happens, this is what we’re going to do. There have been some great examples of this – there was some very positive commentary around the Red Cross’ response to their breach, in terms of the way they immediately notified the affected individuals, took responsibility for it, and put forward their plan for what they were going to do in the future.
“On the other hand, we’ve seen companies suffer data breaches and put out comms saying, ‘There’s nothing to see here, there’s no risk, nothing happened’. That’s not very helpful for the individuals who might have been affected, and it’s probably not true, either.”
The IBM and Ponemon report found that organisations that had formed incident response teams and tested their incident response plans had an average breach cost that was US$2.46 million lower than organisations with no incident response team or plan in place.
Dr Cross also recommends backing up data regularly, “so if you’re subject to a ransomware attack and your files are encrypted by an attacker, you don’t lose everything”.
The use of strong encryption has also been found to be a top mitigating cost factor. By encrypting files, businesses can ensure that if and when they suffer a breach, any files an attacker gains access to will be worthless to them without the corresponding key.
The IBM and Ponemon report found that organisations using high standard encryption – at least AES-256, at rest and in transit – had an average total breach cost of US$3.62 million, compared to US$4.87 million for organisations using low standard or no encryption. That’s a difference of 29.4 per cent.
When you consider the real costs of cybercrime, it’s clear that every organisation has a strong imperative to protect its data – not just financially, but morally and ethically, knowing that every breached record has the potential to have a devastating impact on the individual who’s at risk of being affected.
Ultimately, Dr Cross says victims of cybercrime are part of a hidden, but growing, epidemic.
“I think there needs to be greater acknowledgement of victimisation,” she says. “I spoke to a victim recently who lost a lot of money. She spoke to a staff member at the bank, and that staff member actually just took the few extra minutes to explain to her what had happened, how she’d been defrauded, and how she could protect herself in the future.
“He didn’t make promises about how she could get her money back, he didn’t resolve the situation for her, but she felt a lot better having had that phone call with him. She felt like she had a better understanding of the situation, as opposed to many other victims who are explicitly blamed for what’s happened, told it’s their fault and told there’s nothing that can be done.
“I think organisations can do a lot for victims of cybercrime just by listening to them, acknowledging what’s happened, and being truthful and upfront with them – not leading them on about the potential for some sort of international sting to take down the offender networks that might have been involved.
“That’s what happens on television, but unfortunately, we know that’s not what happens in reality.”