The fine art of calculating cybercrime costs

How much does cybercrime cost? What are the average costs associated with a single attack? And what is the cumulative annual cost of cybercrime?

You don’t have to do much reading up on cybercrime statistics to get a pretty wide range of answers to those questions. So, it’s natural to wonder how those numbers get calculated. And I’m sure it won’t surprise you to know that there really is not a standardised way of doing that.

What counts as cybercrime cost?

Clearly, it’s important to cast a wide net when estimating the costs of cybercrime. As reported in Cybercrime Magazine: “Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, legal costs, and potentially, regulatory fines, plus other factors,” said Steve Morgan, founder of Cybersecurity Ventures.

Direct vs. indirect costs

ITPro reported in on a study that found cybercrime costs in the UK amounted to “£64 billion a year in ransom payments, staff overtime, lost business, and other associated costs.”

The study distinguished between direct and indirect costs. Direct costs were identified as extra staff time spent dealing with attacks, along with “ransom payments, stolen or lost funds, legal and regulatory costs, disruption to operations, and the cost of bringing in third-party expertise along with higher cyber insurance premiums.” This amounted, in the study’s reckoning, to £37.3 billion.

Indirect costs, however, were found to be very significant as well, reaching £26.7 billion. And the largest category of indirect cost was reported to be increased cybersecurity budgets following attacks. “Other indirect costs included loss of clients, the cost of redirecting resources to incident response, and a loss of competitive advantage due to the theft of corporate intellectual property.”

What to make of it all

So, what’s the bottom line? First, regardless of the actual numbers, there is no doubt that cybercrime imposes massive costs on the world’s economy, and that those costs are rising.

For governments and intergovernmental organisations, that alone is not very helpful in developing polices and measuring their effectiveness. But for individual businesses, the conclusion is pretty simple: Making smart, targeted investments in cybersecurity and cyber insurance is critical.

Do you need accurate numbers, whether for average individual costs or global costs, to make those investments properly? I don’t think you do. What you do need is an accurate assessment of your own vulnerabilities, based on trending attacks and expanding attack surfaces. And you need a cybersecurity partner that can help you make that assessment and deliver solutions and strategies that target your specific areas of greatest risk.

And that’s exactly what DynamicITC does, every day, with organisations of all sizes.