The Numbers Are In: $45 Billion Was Lost Due to Cyber Criminal Activity in 2018
The online world is so vast and complex that trying to detail even a small portion of it with any sort of accuracy is going to be next to impossible. That won't stop people from trying, though, and this is a good thing.
Security companies throw plenty of resources into studying and researching the online threat landscape and the prevailing trends. This information, as inconclusive as it is, helps them fine-tune their products and services and offer better protection for their customers. The thing is, the figures in the different research papers vary so wildly, that the pictures they draw tend to be rather chaotic. Experts from Internet Society's Online Trust Alliance (OTA) have gone through quite a few of these reports and have tried to make some sense out of the information. Last week, they published their work in their 2018 Cyber Incident & Breach Trends Report. Here's what they think.
Fewer ransomware infections, data breaches, and DDoS attacks
The figures in research papers tend to be so far apart because different security companies offer different services aimed at different sets of users. Nevertheless, after closely analyzing all the information, OTA's experts did manage to identify a few trends that are definitely worth pointing out.
The first, and perhaps most important one, is the decline in ransomware infections. After seeing it dominate cybersecurity news for quite a few years, many people thought that ransomware will continue to be the threat to watch out for in 2018. Instead, some of the notable names in the ransomware business seemingly dropped off, and the number of infections declined. Of course, people shouldn't get too excited and start predicting the demise of ransomware as we know it. In fact, OTA's experts reckon that cybercriminals have realized that the potential profits of attacks on local and state government organizations could be bigger. The unfortunate side effect of this is that more people are affected, which is why despite the overall decline in infections, some ransomware attacks on such organizations managed to grab a few front pages in 2018 and early 2019.
Surprisingly or not, OTA's researchers also think that 2018 saw fewer data breaches as well as an overall decline in the number of compromised records. Once again, given how varied the numbers in different sources tend to be, it's difficult to set out a particular trend, but apparently, the Alliance's experts think that there is enough reason to do so. They noted that although there were a few incidents that resulted in major data leaks, the overall number of breaches was smaller. This may very well be the case, but once again, we mustn't get ahead of ourselves. As you can probably guess, if it's big enough, a single data breach can reverse this particular trend.
Distributed Denial of Service (DDoS) attacks have also seen a decline apparently. Some of you may remember how the emergence of the Mirai botnet in the second half of 2016 made DDoS a prominent part of the threat model of people and organizations around the world. Mirai was once again used in 2017 when criminals tried to bring down the WannaCry kill switch and cause millions of ransomware infections, but in 2018, the IoT botnet didn't really cause any major disruption. Overall, DDoS didn't disappear completely as a threat, but the attacks were neither as numerous nor as high-profile as the ones from previous years.
More cryptojacking, credential stuffing, BEC scams, and supply chain attacks
While the prominence of some threats diminished, others emerged and became quite fashionable with the crooks. Cryptojacking is the cybercriminal activity that saw the biggest surge in popularity. There was a very good reason for this, too.
In late-2017, Bitcoin experienced an inexplicable price jump, and although there was no immediately obvious reason for the outburst, the hype around lesser-known cryptocurrencies was just as big. Overnight, the digital coins became a rather valuable commodity, and many people wanted to obtain as much crypto money as possible. Cybercriminals quickly figured out that if they harness innocent users' computer resources, they can amass serious amounts of cryptocurrency without making an initial investment. They started embedding scripts in websites, and they later developed standalone cryptocurrency mining programs that were distributed via emails and other infection vectors. In 2018, these attacks were three times as numerous as they were in 2017, and cryptojacking quickly overtook ransomware as the most prominent threat in the information security landscape.
Another type of attack that took center stage last year was credential stuffing. There are billions of compromised username and password pairs floating around the internet at the moment, and getting your hands on a large number of them is not exactly rocket science. Couple this with the fact that many people reuse the same login credentials on multiple websites, and you'll see how a single username-and-password combination can open quite a few accounts. As OTA pointed out, users of major services like Reddit, Spotify, and Dailymotion were targeted by credential stuffing actors, and we even saw customers of HSBC getting the same treatment.
While predicting the future in such a dynamic environment is hardly advisable, when it comes to credential stuffing, we can safely say that it's here to stay. The number of compromised login credentials won't go down, and unfortunately, we're unlikely to see a reduction in the password reuse rates as well, which means that the rise in credential stuffing is a trend that is likely to continue for the foreseeable future.
The experts have also seen a surge in the number of Business Email Compromise (BEC) scams as well as supply chain attacks. These two threats are mostly aimed at companies and bigger organizations, and if they succeed, they could end up rather costly for the victims. Speaking of costs, is there an accurate way of telling how much was lost last year thanks to cybercrime?
How much financial damage did the crooks make?
Accurately estimating the cost of all the cybercriminal activity we saw last year is simply not possible. Calculating the cost of a single breach is extremely difficult at the best of times, and even if the attacked organization manages to do it, nothing can force it to publicly disclose its findings. In fact, although there is a push for regulating the public disclosure of hacking incidents, it's often difficult to say how much information an attacked company must divulge after it finds out that it has been hacked.
After looking at some numbers and doing some calculations, OTA's researchers said that in total, organizations lost about $45 billion thanks to cybercrime in 2018. It's a formidable sum indeed, but even OTA admits that it's not accurate. They say that the actual number is much higher because, among other things, a number of hacking-related incidents and data breaches remain undisclosed.
Unfortunately, this is unlikely to change any time soon which means that if someone asks you how much financial damage cybercrime causes, you can do little more than say "more than you can imagine".