Last week, security vendor McAfee released a piece of research that revealed that cybercrime costs the global economy £266bn each year. While this is a very big number to pin on the annual economic impact of cybercrime, is there a possibility we will look back two years from now and realise that it was just the tip of the cybercrime iceberg?
The Centre for Strategic and International Studies (CSIS), commissioned by McAfee, analysed the known breaches discovered through 2013 and used assumptions, clearly outlined in the report, to estimate the total cost to the global economy. Many security commentators have questioned the assumptions CSIS made and pointed to the range of estimations (£266bn to £324bn) as a sign that it may have been as much finger in the wind as it was science. However, I applaud McAfee for trying to quantify the known breaches and extrapolate the unreported and the unknown.
In some ways arguing about the methodology for calculating cybercrime's value is like the debate on global warming, the science does not need to be exact because everyone is already feeling the heat and seeing the affects around them. To get more data points to make future reports more statistically robust the research industry will be reliant upon more companies reporting all known breaches and investing in new security solutions to minimise unknown breaches. Strangely the EU may provide help on both counts.
EU mandatory data breach disclosure will encourage full visibility
It is widely accepted that many companies are choosing not to report known data breaches to their regulator or customers. I have experienced this first hand. Over the past three years Proofpoint has seen a dramatic increase in the volume of advanced cyber attacks, most of which start with targeted spear-phishing and long-lining emails that are so sophisticated that they fool security software and humans alike into thinking the emails are genuine and that the malicious websites they link to are harmless. As such our team in Europe is increasingly called into meetings with companies that ask direct questions about how we block spear-phishing and longlining and detect polymorphic malware... but some exchange looks and move on hastily when we ask, "Have these attacks impacted you already?".
Under current EU law any organisation not disclosing a breach and getting found out is likely to lead to the maximum possible fine for the company, however today this is just £500,000 in the UK and similar fines elsewhere in Europe. As such many organisations who know they have been breached are covering up and taking their chances. Fast forward to 2017/2018 when the EU data protection reform should be fully in place, the fines will be game changing. The new fines coming into force will be much heftier – €100m or five per cent of global turnover – whichever is the greater. Suddenly taking a chance on a cover-up is no longer worth the risk of a harsh and probable maximum fine as it could be a business-ending event.
Increased EU fines for breaches will incentivise companies to add new layers of defence
The EU's objective with the increased maximum fines is to focus business leaders' minds on improving security and privacy and in Proofpoint's experience it is working already as businesses shape up for the imminent change. More and more of our teams are being asked to present the findings of our targeted attack audits directly to a customer's board of directors as they take a proactive interest in cyber-risk, the likes of which we have not seen before. So with increased board awareness comes increased security budgets and the opportunity to investigate new technologies that provide predictive defence and retrospective detection using big data analysis, as tied into automated response and remediation capabilities.
Close your ears members of UKIP as I have to say that the EU has done a great job in this area.
Mark Sparshott is EMEA director at Proofpoint