Cantillon: Who benefits from cybercrime?

Does cybercrime pay? Some well-known security software firms would have you believe it does. Norton, for example, has reported that cybercrime is costing the global economy hundreds of billions of dollars each year, overtaking the lucrative trade in the underground drugs market. In fact, last month Intel subsidiary McAfee, which is a provider of virus protection and internet security, said cybercrime and cyber espionage could leach between $100 billion and $500 billion from the global economy annually.

Does this mean there are millionaire or even billionaire spam and malware kings at large? Considering online crooks, like their real-world counterparts, don’t file accounts, it’s hard to know. Thus, we must look to surveys of victims, often compiled by firms that sell security software. How convenient.

The latest survey by Deloitte (which provides computer forensics, technology assurance and risk management) in association with EMC (which provides security solutions to protect against malware, data breaches, phishing and trojan attacks) found the average cost of a cybercrime incident for Irish organisations over the past year was €135,000. The survey, published this week, also shows that cybercrime costs Irish organisations, on average, 2.7 per cent of annual turnover. What's more, some 7 per cent of respondents stated that their organisation had experienced more than 20 breaches, while 21 per cent had between one and five breaches.

“The survey results show that Irish IT organisations are in a constant state of compromise from cybercriminals, which is having a severe effect on their bottom line,” said Jason Ward, EMC director for Ireland, Scotland and UK North.

“A proactive approach that is both planned and sustained is of critical importance for Irish organisations in protecting themselves against this omnipresent threat,” said Deloitte Enterprise Risk Services partner Colm McDonnell.

It would seem the lesson to be learned from this survey is that attacks are very common if you don’t have sufficient security controls in place, and that they can be very costly. That said, it would be preferable if the companies publishing such research didn’t have a connection with the theme, and were unable to gain financially from businesses’ reactions to the results.