Cybercrime – UNICRI study analyzed risks for the economy and enterprises

UNICRI published a study on the impact of the cybercrime on the economy in the Europen region with a specific focus on the effect suffered by enterprises.

The UNICRI has recently published a study titled “Cybercrime and the risks for the economy and enterprises at the European Union and Italian level” that analyzed the impact of the cybercrime on the economy in the Europen region with a specific focus on the effect suffered by enterprises.

The cybercrime is one of the most serious threats to the global economy, it has been estimated that overall costs for the society has reached €750 billion annually, but what is most frightening is that these losses correspond to a significant share of GDP on a global scale.

Below a few statistics on the cybercrime:

• Total cost of cyber crime between 375 and 575 billion per year (data McAfee)
• Data theft accounts for 43% of total costs
• 36% of total costs for damage to the business and loss of competitiveness (Ponemon Institute)
• In 2013, 550 million identities violated (+ 493% compared to 2012) (Symantec)
• Up to 3000 billion in estimated losses over the next six years (World Economic Forum)
• + 130% increase in the time required for the solving a problem.
• The average time to resolve a cyberattack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day. (Ponemon)
• Nearly 80% of cybercrime acts are estimated to originate in some form of organized activity.

The action of the cybercrime is across countries and targets private companies of any dimension and operating in different industries, as confirmed by data published by principal security firms.

SMEs represent the fundamental of the European economic and social structure, as well as 99.9% of Italian enterprises.

“Cybercrime a multidimensional and complex phenomenon” reports the study “In addition to large companies, small and medium sized enterprises (SMEs) are increasingly affected by cybercrime attacks.”

The principal problem approaching the cybercrime is the evaluation of its effects by considering the following factors:

• The loss of intellectual property and sensitive data.
• Opportunity costs, including service and employment disruptions.
• Damage to the brand image and company reputation.
• Penalties and compensatory payments to customers (for inconvenience or consequential loss), or contractual compensation (for delays, etc.)
• Cost of countermeasures and insurance.
• Cost of mitigation strategies and recovery from cyber attacks.
• The loss of trade and competitiveness.
• Distortion of trade.
• Job loss.

The research conducted by the Dr. Flavia Zappa Leccisotti for the UNICRI aims to provide a framework to assess the impact of cybercrime on the economy, and to evaluate the exposure of the SMEs to the risks of cyber-attacks. The research was conducted through targeted interviews and case study analysis to provide an overview of the Tactics, Techniques, and Procedures (TTPs) related to the criminal ecosystem.

The first part of the document analyzes the various cyber threats and the threat actors behind them, meanwhile the second part details the impact of the cybercrime on the International and European perspective with a special focus on the Italy.

The main research findings are as follows: 

• All interviewees highlighted the need to invest in building capabilities through training programs as well as the need to remove cultural barriers that hamper awareness of the risks of cybercrime. The lack of awarenes on the main cyber threats is one of the key factor for the success of the cybercrime.
• Significan increase of targeted attacks (i.e. Spear phishing).
• In order to implement countermeasures and concerted policies every employee in the companies must be informed of the cyber threat and related risks.
• The study revealed the lack of information sharing and cooperation among companies. The experts ay UNICRI urges companies and governments to create networks for the sharing of data and best practices.
• Countering cybercrime is very difficult due to its transnational character, the fight against cybercrime requires appropriate tools and cooperation, as well as a shared law framework for the persecution of threat actors on a global scale.

Unfortunately cyber security is still perceived as a cost to reduce, especially for SMEs. It is necessary a change of mindset, it is important to spread that the concept that cyber security is an added value, an indicator of the reliability of SMEs that must be carefully evaluated by customers and investors.

The information sharing is a key element for security posture of private companies and government entities, both in prevention and in response to cyber Attacks, the sharing of data related to threat actors and their TTPs is essential to increase the resilience to the incidents.

“The cross-border nature of cybercrime requires action at both the international and national level. In this regard, the European Union, in 2013, adopted its cyber strategy and invited Member States to do likewise. In 2014, Italy also published its National Strategic Framework for Cyberspace Security (Quadro strategico nazionale per la sicurezza dello spazio cibernetico). To counter cybercrime, training and information sharing are crucial.” states the research.

The data collected in the research allowed the UNICRI to design and create a strategy based on the development of two complementary projects:

• A first project aims to increase awareness of cyber threats and improve the information exchange among various actors.
• A second project to improve information sharing and to facilitate the creation of a leading cross-sectoral community in the fight against cybercrime.

I have contacted the Dr. Flavia Zappa Leccisotti for a couple of Q&A that are reported below:

PP: What are the main issues raised in the research?

Dr. Flavia Zappa Leccisotti: All interviewees highlighted the need to invest in building capabilities through training programs as well as the need to remove cultural barriers that hamper awareness of the risks of cybercrime. One important concern which emerged is that vulnerabilities associated with people’s lack of capabilities and knowledge are considered more dangerous than those related to technical issues. The human factor is, in fact, crucial in this type of crime, as cyber criminals often exploit human weaknesses for their own purposes. Organizational culture is also an issue that needs to be addressed, and many preventative mechanisms can be implemented with limited costs. In order to implement countermeasures and concerted policies, it has been underlined that not only should IT managers be informed of the risks of cybercrime, but also administrators, business owners, and boards of directors. The  research  highlights  a  lack  of  information  sharing  and  cooperation  among companies  and stresses the need to create networks between companies of the same sector or size in order to increase dialogue and the sharing  of best practices.

PP: Do you have planned a phase 2 for the research?

Dr. Flavia Zappa Leccisotti: To  counter  cybercrime,  training  and information  sharing  are crucial.  The  information  collected  in  the research  study  allowed UNICRI  to  design  and  create  a  strategy  based  on  the  development  of  two complementary projects on which we are working. Moreover, given the need for a coordinated response at the national level we are working on the possibility to expand the research to the national territory.

The measures mentioned in the report urge a rapid application, cyber attacks are attacks are becoming even more frequent and sophisticated, despite it is quite easy for cyber criminals to run malicious campaign, also thanks to model of sale like cybercrime-as-a-service.

Enjoy the “Cybercrime and the risks to the economy and enterprises in the European Union and Italian level” report!

Dr. Flavia Zappa Leccisotti: Researcher in the field of cybercrime and cyberwarfare. Graduated in Political Science at the University of Macerata with a master’s thesis on policies for combating terrorism in Italy from the years of lead to the post-September 11. In her studies she worked mainly in sociology of deviance, political security, counter-terrorism and public policy analysis. During her studies she developed different experience and she participated in the creation of numerous research projects, coordination of training courses, organization of seminars, and she worked as researcher. She obtained her master’s degree at the University Campus Bio-Medico of Rome in Homeland Security and Critical Infrastructure Protection with a thesis on the evolutionary analysis of the doctrines and strategies in Cyberwarfare, Cyberdefense and Cyberattack in reference to the national States.

Pierluigi Paganini

(Security Affairs – UNICRI, cybercrime)