Recently, two Microsoft researchers published a white paper that called into question cybercrime statistics.
In particular, the white paper suggested that the amount of money stolen each year is wildly overinflated by security companies and security consultants who rely on small sample sizes. The researchers stated that security companies do this to exaggerate the problem and drum up business.
In response, security advisor Roger Grimes published an article on InfoWorld in which he states that the money lost to cybercriminals is probably understated, if anything. Grimes has spent his entire career as a security expert fighting hackers and currently works for Microsoft as a Principal Security Architect.
The Real Costs of Cybercrime
Grimes admits that the research techniques used by security companies to come up with cybercrime statistics are probably flawed, but says that flawed models should not lead us to assume that cybercrime is not a huge (and very costly) problem.
For example, most large companies spend millions — or tens of millions — of dollars each year on network security, security consultants, and updates to their infrastructure. Stolen intellectual property can lead to entire departments being laid off. Pirated movies, computer games, and books result in hundreds of millions of dollars in lost revenue each year.
In addition, banks may lose anywhere from 2%-6% a year to cybercriminals. When you consider that big banks earn hundreds of billions of dollars a year, this is a gigantic amount of money lost to online theft.
In 2011, more than 300,000 people lost $1.1 billion to cybercriminals, according to the FBI. And these are just the crimes that were reported.
Likewise, 12%-25% of people have their identities stolen each year, and it can take 90 hours on average to clear one’s name. These figures should be included in cybercrime statistics.
Grimes argues that we also need to include all the software we use to keep out cybercriminals, including firewalls, VPNs, and antivirus and antiphishing software. The revenue of all the companies making these products runs into the billions each year.
It’s possible that estimates of the amount of money stolen by cybercriminals each year are based on flawed research. But when we truly look at the cost of cybercrime, we need to include the amount of money spent on trying to protect ourselves and our businesses from cybercrime, as well as the lost revenue from stolen property, and the amount of money and time we spend to restore our identities after they are stolen.
Taken all together, can anyone really argue that cybercrime is not a big deal? As Grimes notes, everyone in the world is directly affected by cybercriminals and must bear part of the cost.