Recently security vendor McAfee released a piece of research which revealed that cybercrime costs the global economy £266 billion each year. While this is a very big number for the annual economic impact of cybercrime, is there a possibility we will look back two years from now and realise that this was just the tip of the cybercrime iceberg?
The Centre for Strategic and International Studies (CSIS), commissioned by McAfee, analysed the known breaches discovered through 2013 and used assumptions, clearly outlined in the report, to estimate the total cost to the global economy. Many security commentators have questioned the assumptions CSIS made and pointed to the range of estimations (£266bn to £324bn) as a sign that its report did not say anything definitive. However I applaud McAfee for trying to quantify the known breaches and extrapolate the unreported and the unknown.
In some ways, arguing about the methodology for calculating cybercrime’s value is like the debate on global warming; the science does not need to be exact because everyone is already feeling the heat and seeing the affects around them. To get more data points that would make future reports more statistically robust, the research industry should become more reliant upon companies reporting all known breaches and investing in new security solutions to minimise breaches. Strangely the EU may provide help on both accounts.
EU Mandatory Data Breach Disclosure Will Encourage Full Visibility
It is widely accepted that many companies are choosing not to report known data breaches to their regulators or customers. I have experienced this first hand. Over the last three years, Proofpoint has seen a dramatic increase in the volume of advanced cyber attacks, most of which start with targeted spear-phishing and long-lining emails that are so sophisticated that they fool security software and humans alike into thinking the emails are genuine and that the malicious websites they link to are harmless. As such our team in Europe is increasingly called into meetings with companies that ask direct questions about how we block spear-phishing and long-lining and detect polymorphic malware. Some exchange looks and hastily move on to another topic when we ask, “Have these attacks affected you already?”
Under current EU law, any organisation that does not disclose a breach will be penalized with a fine of £500,000 in the UK and similar fines elsewhere in Europe. As a result, many organisations that have been breached are covering up and taking their chances. Looking ahead to 2017/2018 when the EU data protection reforms are in full effect, the fines will be much heftier – €100m or 5% of global turnover, whichever is greater. Suddenly taking a chance on a cover-up is no longer worth the risk of a fine, for it could very well mean the end for that company.
Increased EU Fines For Breaches Will Incentivise Companies To Add New Layers Of Defence
The EU’s objective with the increased maximum fines is to focus business leaders’ minds on improving security and privacy. In Proofpoint’s experience, it is working towards the imminent changes ahead. More and more of our teams are being asked to present the findings of our targeted attack audits directly to a customer’s board of directors as they take a proactive interest in cyber-risk, the likes of which we have not seen before. So with increased board awareness comes increased security budgets and the opportunity to investigate new technologies that provide predictive defence and retrospective detection using big data analysis, as tied into automated response and remediation capabilities.
Close your ears, members of UKIP, as I have to say that the EU has done a great job in this area.
By Mark Sparshott, EMEA Director, Proofpoint
Bio: During his 17 year career in information security, Mark has worked for a number of leading companies including IBM, NetIQ, Imperva, Postini, Google and Proofpoint. Mark continues to work directly with companies, security service providers, industry bodies and the press to help organisations understand targeted attack techniques and how to mitigate their risk.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.