{"id":874,"date":"2021-10-01T10:58:00","date_gmt":"2021-10-01T10:58:00","guid":{"rendered":"https:\/\/dev.cryptoloc.au\/?p=874"},"modified":"2023-10-03T06:18:19","modified_gmt":"2023-10-03T06:18:19","slug":"the-real-cost-of-cybercrime","status":"publish","type":"post","link":"https:\/\/127.0.0.1\/the-real-cost-of-cybercrime\/","title":{"rendered":"The real cost of cybercrime"},"content":{"rendered":"\n

Being hacked is about much more than just financial losses \u2013 and yet it\u2019s about that, too. This is what it\u2019s really like for individuals and businesses who fall prey to cybercrime.<\/strong><\/p>\n\n\n\n

Former FBI director Robert Mueller once said there are only two types of businesses \u2013 those that have been hacked, and those that will be. As our world gets smaller, and our systems for sharing information become increasingly interconnected, being hacked is becoming an inevitability. <\/p>\n\n\n\n

Dr Cassandra Cross is an Associate Professor in the School of Justice at the Queensland University of Technology who specialises in researching cyber scams and their victims. She says that despite the rising prevalence of cybercrime, most people still don\u2019t understand what\u2019s really at stake. <\/p>\n\n\n\n

\u201cThe problem is that people don\u2019t perceive the threat of cybercrime to them accurately,\u201d she says. \u201cPeople think it won\u2019t happen to them; that it\u2019s something that only happens to other people. There\u2019s a definite discrepancy between the actual threat of cybercrime, and how at-risk people think they are.\u201d <\/p>\n\n\n\n

The emotional impact <\/h3>\n\n\n\n

Before we even begin to count the dollars-and-cents impact of cybercrime, it\u2019s important to consider the psychological impact, which is too often ignored. Victims of a cyber attack can be left with feelings of anger, anxiety, fear, isolation and embarrassment, which can lead to anything from sleeplessness to self-harm. <\/p>\n\n\n\n

\u201cPeople should know that cybercrime can have a number of non-financial impacts,\u201d Dr Cross says. \u201cIt can impact their emotional and psychological wellbeing. Victims can experience depression. It can impact on relationships, on employment, and it can even lead to homelessness. At the serious end, it can have a severe impact on someone\u2019s physical health, and in the worst case scenario, there have been victims who have committed suicide as a response to cybercrime. <\/p>\n\n\n\n

\u201cI think we have to acknowledge, to a much greater degree, the range of impacts that different types of cybercrime can have, and acknowledge that the way one person experiences an incident can be quite different to somebody else in the same situation. That will depend partly on their ability to disclose what\u2019s happened to family and friends, and to gain support from both formal and informal networks.\u201d<\/p>\n\n\n\n

Dr Cross says many victims of cybercrime are left feeling that they\u2019ve been violated, in much the same way that you might expect after a physical attack. <\/p>\n\n\n\n

\u201cThat feeling of violation and vulnerability is something I\u2019ve come across a lot in my research on cyber fraud,\u201d she says. \u201cFraud is all about deception. It\u2019s about deceiving somebody for financial gain. And once a person realises that they\u2019ve been deceived, it comes with an immense sense of violation, betrayal, and loss of trust. Many victims talk about the fact that they find it difficult to trust people in their day-to-day lives moving forward, and they find it hard to start new relationships.\u201d <\/p>\n\n\n\n

One of the most damaging aspects of a hack can be the response from other people. <\/p>\n\n\n\n

\u201cThere is a lot of victim-blaming that comes with cybercrime,\u201d Dr Cross says. \u201cVictims feel so ashamed and embarrassed about what\u2019s happened, and there\u2019s such a stigma associated with it, that they often don\u2019t tell anybody about it. And that exacerbates it, because they suffer in silence. They\u2019re not able to gain any support in the aftermath of what\u2019s occurred, and it sends them spiralling downwards.\u201d <\/p>\n\n\n\n

For many victims of cybercrime, dealing with the system in the aftermath of the crime can be as traumatic as the crime itself. <\/p>\n\n\n\n

\u201cOur systems are not very well designed, and they certainly aren\u2019t victim-centred,\u201d Dr Cross says. \u201cIf my wallet gets stolen or my house gets broken into, I will generally go to the police to file a report in the first instance. But for the various types of cybercrime, there are a multitude of agencies that might be relevant to a victim\u2019s circumstances. <\/p>\n\n\n\n

\u201cThey might need to talk to the police, but they might also need to talk to banks, consumer protection agencies, government agencies, perhaps even a private organisation. It can leave them feeling like they\u2019re not being heard, and it creates a merry-go-round effect as victims are passed around from one organisation to the next. They sustain additional trauma, and frustration, and a huge sense of anger at not being acknowledged, not being listened to, and not being able to find anyone who can assist them with their personal circumstances.\u201d <\/p>\n\n\n\n

In Australia, there is a central reporting mechanism for victims of cybercrime, but Dr Cross says that comes with its own challenges. <\/p>\n\n\n\n

\u201cReportCyber<\/a> is the online reporting mechanism for cybercrime in Australia, but from a victim perspective, you can see how that might not be ideal,\u201d she says. \u201cVictims who have been deceived or defrauded and lost money or data online are then directed to go online and provide all of their personal details and the details of what happened, and send that information into a black hole that doesn\u2019t give them a personalised response and might not lead to any further interaction or communication.\u201d<\/p>\n\n\n\n

In a recent study on the police response to cybercrime for the Australian Institute of Criminology<\/a>, Dr Cross and co-authors Dr Thomas Holt, Dr Anastasia Powell and Dr Michael Wilson found that community members are more likely than the police themselves to express confidence in the police response to cybercrime. <\/p>\n\n\n\n

They surveyed hundreds of officers in Queensland and New South Wales, as well as thousands of community participants, and found that police consistently reported lower confidence in their capabilities to investigate cybercrime \u2013 most likely because they\u2019re more aware of the difficulties cybercrime presents for law enforcement in reality, with its technical complexity and cross-jurisdictional nature.<\/p>\n\n\n\n

Adding to the frustration and stigmatisation that those who have fallen prey to cybercriminals can feel, police tend to prioritise their work according to a sense of \u2018ideal victimisation\u2019. Observations of police control rooms in the UK, for instance, have found that the perceived \u2018blamelessness\u2019 of cyber-harassment victims will influence whether or not police decide further investigation is warranted<\/a>. <\/p>\n\n\n\n

All told, it can add up to a deeply unpleasant experience for victims of cybercrime who might be expecting their complaint to be taken more seriously than it is. <\/p>\n\n\n\n

\u201cIt\u2019s frustrating for victims to go to the police, be told the police can\u2019t take the complaint, and then be referred online to ReportCyber, when they\u2019re expecting a different outcome,\u201d Dr Cross says.   <\/p>\n\n\n\n

The business impact <\/h3>\n\n\n\n

The impact of cybercrime on businesses might be better understood than the psychological impact of cybercrime on individuals, but there\u2019s still a lack of awareness about the reality of the situation. <\/p>\n\n\n\n

For one thing, it\u2019s naive to think that the business impact of a hack is limited to money. This year in Australia alone, Victorian health operator Eastern Health was forced to postpone elective surgeries at four hospitals in Melbourne\u2019s east<\/a> because of a cyber attack, while Queensland health and community care provider UnitingCare Queensland, which runs numerous hospitals and aged care and disability services throughout the state, was suspended from the national My Health Record system<\/a> after falling victim to a cyber hack, leaving patient records unable to be accessed online. <\/p>\n\n\n\n

Most jurisdictions require data breaches to be disclosed. In Australia, when a business covered by the Privacy Act 1988 has reason to believe a data breach has occurred, it has to notify the Office of the Australian Information Commissioner<\/a>. It also has to notify any individual at risk of being affected, and let them know what the company is doing to mitigate that risk. <\/p>\n\n\n\n

It can take time for the true impacts of such a breach to reveal themselves. It was only this year, for instance, that National Australia Bank revealed it had paid $686,878 in compensation<\/a> to customers exposed in a 2019 data breach, when personal account details of about 13,000 customers were uploaded online. <\/p>\n\n\n\n

The costs included the reissuance of government identification documents, as well as subscriptions to independent, enhanced fraud detection services for the affected customers. But that\u2019s unlikely to be the full price of the breach for NAB \u2013 the bank also hired three cyber-intelligence experts to investigate the breach at the time, whose names and cost remain unknown. <\/p>\n\n\n\n

The average cost of a cyber attack on a business is a matter of some debate. The Hiscox Cyber Readiness Report of 2021<\/em><\/a>, which surveyed 1,709 firms around the world that tracked the cost of cyber attacks, noted a wide range of outcomes \u201cthat should send a chill down any CEO\u2019s spine\u201d. One in six of all firms that were attacked over the past year said the impact was serious enough to \u2018materially threaten the solvency or viability of the company\u2019. <\/p>\n\n\n\n

According to the Hiscox report, the median cost for all attacks on firms with under 10 employees over the last year was just over US$8,000. At the 95th percentile, however, there were firms suffering losses of US$308,000, with one German firm having to pay the equivalent of US$474,000 per employee.<\/p>\n\n\n\n

For enterprise-scale firms, the median cost was US$24,000, but at the 95th percentile, firms were suffering losses of US$462,000. <\/p>\n\n\n\n

But those numbers pale by comparison with the Cost of a Data Breach Report 2021<\/em><\/a> from IBM and Ponemon, which studied the impacts of 537 real breaches across 17 countries and regions. Their report found the average cost of a breach currently sits at a staggering US$4.24 million, a 10 per cent increase from last year. Ransomware breaches were particularly costly, at an average of US$4.62 million. <\/p>\n\n\n\n

The IBM and Ponemon report took into account hundreds of cost factors, from legal implications and regulatory requirements to loss of brand equity, customer turnover, and the drain that managing a breach has on employee productivity.<\/p>\n\n\n\n

Breaches were costliest in the heavily regulated healthcare industry (US$9.23 million), a logical result given the additional sensitivity of medical records, with less regulated industries such as hospitality (US$3.03 million) sitting at the opposite end of the spectrum.<\/p>\n\n\n\n

Lost business represented the largest share (38 per cent) of breach costs. Lost business costs include business disruption and revenue losses from system downtime, customer turnover, reputation losses and diminished goodwill. <\/p>\n\n\n\n

The average cost per record of personally identifiable information was US$180. Mega breaches involving at least 50 million records were excluded from the average, with a separate section of the report noting that they cost 100 times more than the average breach. <\/p>\n\n\n\n

The report found the average breach takes 287 days to identify and contain, with the cost increasing the longer it remains unidentified. When it comes to cybercrime, at least, time really is money.  <\/p>\n\n\n\n

The report confirmed that costs accrue over several years. While the bulk of a data breach cost (53 per cent) is incurred in the first year, another 31 per cent is incurred in the second year, and the final 16 per cent is incurred more than two years after the event.<\/p>\n\n\n\n

In 2019, a Deloitte report<\/a> determined that up to 90 per cent of the total costs in a cyberattack occur beneath the surface. <\/p>\n\n\n\n

Traditional approaches to calculating the cost of cybercrime have focused on the theft of personal information, because the data is readily available and the costs are relatively quantifiable.<\/p>\n\n\n\n

But the Deloitte report argued that \u2018hidden costs\u2019 \u2013 including the theft of intellectual property, the disruption of core operations and the destruction of critical infrastructure, as well as insurance premium increases, credit rating impact, the loss of customer relationships and brand devaluation \u2013 are the real killers when a cyber attack occurs. <\/p>\n\n\n\n

Dr Cross says communication in the aftermath of a breach is crucial for mitigating an attack\u2019s impact. <\/p>\n\n\n\n

\u201cThe tone of communications is so important, in terms of how the attack impacts their reputation and how they can move forward from it,\u201d she says. <\/p>\n\n\n\n

\u201cData breaches are not new. Sadly, they\u2019re very common at this point, and we see them quite often in the media now. But there are companies who deal with them better than others, in terms of the way they communicate with victims and the way they communicate publicly about what\u2019s happened. <\/p>\n\n\n\n

\u201cI think it\u2019s something that every company should anticipate and have a strategy for dealing with. Not if<\/em> this happens, but when<\/em> this happens, this is what we\u2019re going to do. There have been some great examples of this \u2013 there was some very positive commentary around the Red Cross\u2019 response to their breach<\/a>, in terms of the way they immediately notified the affected individuals, took responsibility for it, and put forward their plan for what they were going to do in the future. <\/p>\n\n\n\n

\u201cOn the other hand, we\u2019ve seen companies suffer data breaches and put out comms saying, \u2018There\u2019s nothing to see here, there\u2019s no risk, nothing happened\u2019. That\u2019s not very helpful for the individuals who might have been affected, and it\u2019s probably not true, either.\u201d <\/p>\n\n\n\n

The IBM and Ponemon report found that organisations that had formed incident response teams and tested their incident response plans had an average breach cost that was US$2.46 million lower than organisations with no incident response team or plan in place. <\/p>\n\n\n\n

Dr Cross also recommends backing up data regularly, \u201cso if you\u2019re subject to a ransomware attack and your files are encrypted by an attacker, you don\u2019t lose everything\u201d. <\/p>\n\n\n\n

The use of strong encryption has also been found to be a top mitigating cost factor. By encrypting files, businesses can ensure that if and when they suffer a breach, any files an attacker gains access to will be worthless to the attacker without the corresponding decryption key. <\/p>\n\n\n\n

The IBM and Ponemon report found that organisations using high-standard encryption \u2013 at least 256-bit AES, at rest and in transit \u2013 had an average total breach cost of US$3.62 million, compared to US$4.87 million for organisations using low-standard or no encryption. That\u2019s a difference of 29.4 per cent. <\/p>\n\n\n\n

When you consider the real costs of cybercrime, it\u2019s clear that every organisation has a strong imperative to protect their data \u2013 not just financially, but morally and ethically, knowing that every breached record has the potential to have a devastating impact on the individual who\u2019s at risk of being affected. <\/p>\n\n\n\n

Ultimately, Dr Cross says victims of cybercrime are part of a hidden, but growing, epidemic.<\/p>\n\n\n\n

\u201cI think there needs to be greater acknowledgement of victimisation,\u201d she says. \u201cI spoke to a victim recently who lost a lot of money. She spoke to a staff member at the bank, and that staff member actually just took the few extra minutes to explain to her what had happened, how she\u2019d been defrauded, and how she could protect herself in the future. <\/p>\n\n\n\n

\u201cHe didn\u2019t make promises about how she could get her money back, he didn\u2019t resolve the situation for her, but she felt a lot better having had that phone call with him. She felt like she had a better understanding of the situation, as opposed to many other victims who are explicitly blamed for what\u2019s happened, told it\u2019s their fault and told there\u2019s nothing that can be done. <\/p>\n\n\n\n

\u201cI think organisations can do a lot for victims of cybercrime just by listening to them, acknowledging what\u2019s happened, and being truthful and upfront with them \u2013 not leading them on about the potential for some sort of international sting to take down the offender networks that might have been involved. <\/p>\n\n\n\n

\u201cThat\u2019s what happens on television, but unfortunately, we know that\u2019s not what happens in reality.\u201d <\/p>\n","protected":false},"excerpt":{"rendered":"

","protected":false},"author":3,"featured_media":1127,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"_links":{"self":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/874"}],"collection":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/comments?post=874"}],"version-history":[{"count":1,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/874\/revisions"}],"predecessor-version":[{"id":875,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/posts\/874\/revisions\/875"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/media\/1127"}],"wp:attachment":[{"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/media?parent=874"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/categories?post=874"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/127.0.0.1\/wp-json\/wp\/v2\/tags?post=874"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}