Cybercrime Reaches $1.5 Trillion – Security Must Change
Matthew Rosenquist
CISO at Mercury Risk. - Formerly Intel Corp, Cybersecurity Strategist, Board Advisor, Keynote Speaker, 190k followers
Although not a complete picture, as data can be hard to come by and validate, researchers at Bromium have estimated the cost of cybercrime at an unbelievable $1.5 trillion or so. Take the numbers with a grain of salt, but the breakdown does give some understanding of the growing problem we face. Even if it were a tenth of this amount, it is enough to bring in flocks of burgeoning criminals to explore how they can get a piece of this pie. For organized criminals, it is worth doubling their efforts to push this number further, making other illicit avenues of revenue pale in comparison.
For cybersecurity professionals: realize the sheer weight and momentum we must undermine. Attackers are not going away, not sitting idly by, and not giving up regardless of the controls you institute. We must be smarter and act in coordination against the tidal wave that will continue to roll in. This is a long-game scenario. Dig in.
Tactics are fine for daily activities, but they don't win such wars. Strategic thinking is necessary.
A good article can be found here: https://venturebeat.com/2018/04/21/the-web-of-profit-a-look-at-the-cybercrime-economy/ and more data with references to the original blog here: https://globenewswire.com/news-release/2018/04/20/1482411/0/en/Hyper-Connected-Web-of-Profit-Emerges-As-Global-Cybercriminal-Revenues-Hit-1-5-Trillion-Annually.html
Changes Ahead
The immense financial reward that motivates cybercriminals is just another piece of the bigger picture that requires bigger thinking. As for me, I am contemplating writing up a series of blogs or potentially even a longer periodical to discuss the strategic challenges and avenues which hold the best promise. A few colleagues have asked for a book on the subject. Over my career, spanning the better part of three decades, I have spent an inordinate amount of time thinking in these terms and have witnessed how almost every business, organization, sector, and government still needs real help to organize so that their cybersecurity program is structured to be 'sustainable'. That is, to be effective over the long term, while not overly costly or burdensome for customers. It is a fine balance that must be flexible to align with ever-changing attacks and growing threats.
Creating fixed fortifications is, as General Patton once said, a monument to man's stupidity. Adaptability, with insight into how adversaries will maneuver in the future, is key. "Know your enemy and know yourself" (Sun Tzu) is the mantra for the next decade and beyond for securing our digital world.
Interested in more? Follow me on your favorite social sites for insights and what is going on in cybersecurity: LinkedIn, Twitter (@Matt_Rosenquist), YouTube, Information Security Strategy blog, Medium, and Steemit
Marketing Professional-Helping Partners Build Their Brand
(6 years ago) Strategically thinking is definitely key here, but more so strategically thinking like a cyber criminal will be most effective.
Professional Father | Risk Management | Governance | Privacy
(6 years ago) Those numbers are mind-boggling...
All views are mine. GS15 at GSA
(6 years ago) Thanks for the share. Here is the original paper for the Pros who are really interested in this work (174 pages): https://learn.bromium.com/rs/497-ITQ-712/images/Into%20the%20Web%20of%20Profit_Bromium.pdf. Behind the numbers, it is important to read the methodology section carefully. Since this is not a scientific research paper (but rather a sponsored research/marketing paper), I do not have any problem with Dr. McGuire putting the important "Methodology" section in the Appendix beginning with page 128. The first method involves interviewing 25 convicted criminals, 25 currently active criminals, and 50 logs/conversations data from dark web forums, all in a very short amount of time (3 to 5 months). The second method was to interview 50 "expert respondents" from various industries. I have a lot of questions such as "Who are these convicts and how big of a role did they play in their crime organizations?", "How do we define 'expert'?", ... For example, only when a convict was the leader or at least the accountant of a crime organization can the reported numbers be close to the real numbers. I also feel there are some issues with referencing peer-reviewed papers, intelligence reports, etc. (but I will have to read the paper again to make sure I am not missing anything). It is good that the author acknowledged potential data gaps and inaccuracies. It is also good that the author provided basic formulas on how he constructed the final number for each section. Please check them out, since you may or may not agree with the formulas.
Writer, Artist, Educator, Technologist
(6 years ago) Sonnet Boom!