Cut the cybercrime FUD

Putting a value on the cost of cybercrime could be dangerous for the industry, argues Webroot's George Anderson

Cybercrime is not a myth; it is a significant abuse that impacts us all, but the reality is that we rarely know how much it truly costs us. For example, do we know exactly how many hundreds of millions banks lose to identity theft each year? The answer is no, we don't know the exact figure. The primary reason for this is that only researched and reported events come to light, while most simply remain unrecorded or, even worse in some cases, undetected.

We should also consider the hidden cost of cybercrime. The IT team protecting you from daily network and system attacks dedicates significant resources to doing so, but those costs go unaccounted for because many would not consider this daily management a ‘security incident’. Yet a significant part of the cost of cybercrime is the amount spent defending against it. This simply means that true ‘cost of cybercrime’ figures can never be entirely accurate, as we saw recently with McAfee's CTO Mike Fey saying he regretted the $1trn cost of cybercrime figure the firm had previously released.

The truth is it is very difficult to get really accurate data about cybercrime in all its varying forms. We know cybercrime exists, we know it has a major, sometimes devastating impact on individuals and organisations, but it is really hard to quantify its overall costs to us all accurately. This brings its own set of problems.

The IT security industry wants to highlight the impact of an attack to businesses to show the tangible consequences. We want to stress to users, businesses and all technology users that cybercrime is a very real threat and they need to act to address it. Certainly with the rise and rise of mobile coupled with the increase in mobile malware, time is of the essence for users to protect their data. Yet there is some apathy among many users. The belief that ‘it'll never happen to me’ is rife amongst consumers and businesses. So much so that some in the IT security sector have resorted to shock tactics to force users into action, but this cannot continue.

The security industry has often been accused of using FUD (Fear, Uncertainty & Doubt) to scaremonger and that has to stop - we need to cut the FUD, the fear and the frenzied reaction it instigates. People look at statistics from a security expert and they believe them. If they are inaccurate, this could have a knock-on effect. In a business scenario, an organisation could very well build its security procedures based on figures being discussed in the IT security world. If such statistics are wrong, then that could undermine that business's approach to security, and break the trust that businesses have in the security sector.

In order to beat cybercrime, we need to clearly understand its inner workings, objectives and impact. And that information must be accurate. The security industry needs to be especially trustworthy - being even remotely dishonest impacts our role in helping users protect themselves against criminals. The information we provide also needs to be transparent, provide context to its use of statistics, and be rigorous in defining the implications of those statistics. Only then will we ensure the security of consumers and businesses alike.

George Anderson is enterprise product marketing manager at Webroot