Cost of cybercrime to double to $6trn by 2021

October 23, 2018

JEDDAH — Connected devices (IoT and non-IoT) are set to grow from c18bn in 2018 to c34bn by 2025 (source: IoT Analytics 2018). Computers are no longer simply devices in which we process data; they are used to store food (smart fridge), operate factories (smart warehouses), drive us around (smart cars), and even play with our children (smart toys). By 2025, we will interact with a connected device every 18 seconds vs. every 6.5 minutes in 2015 (source: IDC 2017) ...but it comes with serious threats, BofAML reported.

Privacy is a growing source of conflict as the vulnerabilities of consumers are increasingly being exposed in today’s technology-driven world. Scandals, from political manipulation with Cambridge Analytica to Google storing location data despite ‘location history’ being turned off, mean 57% of US adults surveyed were more concerned about data privacy following the Facebook, Cambridge Analytica scandal (source: Janrain 2018). Privacy concerns have a big impact - leading to 73% of under 35s uninstalling or failing to download an app (source: WEF 2017). As the connected world continues to intrude on previous private settings and personal interactions, privacy pressures will keep driving change.

Cybercrime is a key threat to the transition. 16.6bn records have been breached or potentially scraped by malicious actors since 2013 with nearly 5,000 records stolen every minute (source: Breach Level Index 2018, Yahoo). The financial impact is substantial - cybercrime cost the global economy $3tn in 2015. This is set to rise to $6tn+ by 2021E as potential gains from cybercriminal activity grow from trends, including 1.8bn additional people connecting to the internet by 2025E, the rise of the IoT, increasing sophistication of attack threats, and cybercrime-as-a-service (source: GSMA, McAfee 2018, Cybersecurity Venture 2017).

The connected world and 5G will be key enablers of megatrends, including Big Data & AI, Future Mobility, Virtual and Augmented Reality, the Sharing Economy, and Smart Cities. The connected world will collect 163ZB (1ZB = 1 trillion GB) to feed the big data needed to develop AI, enable autonomous vehicles to collaborate, and personalize healthcare. Real-time data is set to grow at 1.5x the rate of total data creation growing from under 5% of the global datasphere to over 25% with IoT devices accounting for 95%+ of generation. Living in the modern world without data will become a near impossible task, with nearly 20% of the 163ZB of data generated critical to daily lives by 2025, driving demand for deployment of 5G (source: IDC 2017).

The Internet of (Insecure) Things keeps growing. There will be 34.2bn connected devices by 2025, with IoT posting a 17.4% CAGR vs 2.3% for non-IoT. This growing penetration is attracting cybercriminals. In 2017, attacks on IoT devices jumped 600% (source: IoT Analytics 2018, Symantec 2018). The effect of these attacks will be compounded by IoT’s major vulnerabilities, long lifecycles of devices, and connectedness producing both physical threats and greater access to steal data from other devices. This has a material impact - in 2017, cardiac devices could be hacked to deplete their batteries, while a casino’s high-roller database was hacked through its smart fish tank’s thermostat. The recent acquisition of specialist automotive cyber security firms such as Towersec and Redbend (Harman, $75mn and $200mn) and Argus (Continental, $430mn, 2017) shows the rising importance of such services to auto suppliers.

Surveillance enters the home through voice. Already 20% of households in the US own at least one smart speaker, up from just 12% in November 2017, and a further 10% expect to buy one in 2018 (source: comScore 2018, 03/2018). This highlights the transition to an always-monitored society, providing tech companies with growing volumes of data (4,800 interactions/capita/day by 2025E from 218 in 2025).

Privacy awareness is growing. Recent data breaches eg, Equifax, Facebook, Google) and exposés on the ways companies use data (eg, Cambridge Analytica) have meant that privacy awareness and questions about how companies use data are now at highly elevated levels (75% of consumers are more worried about cybersecurity than they were five years ago) (source: Harris Insights & Analytics, IBM 2018). This could lead to meaningful consequences for companies failing to address privacy risks. As of June 2018, 74% of US adult Facebook users claimed to have changed their behaviour in relation to Facebook in the past 12 months (source: Pew Research 2018).

Rising volume and sophistication of attacks through automation. As more people come online (61% globally by 2025E vs 43% in 2017) and the internet is integrated further into people’s lives, the attraction of attacking online services will grow (source: GSMA 2018). Further, cyber criminals are using automation, machine learning, and AI to increase the number and sophistication of attacks. Ransomware, for instance, one of the fastest-growing cyberattack sectors, saw a 45% increase in variant strains in 2017, resulting in US$5bn costs up 15x from US$325mn in 2015 and set to grow to US$11.5bn by 2019E (source: Symantec 2018, Cybersecurity Ventures 2017).

The cyber skills shortage has grown. By the end of 2018, there will be 1-2mn unfilled jobs in cybersecurity, which needs 6mn analysts. This skills gap could rise to 3.5 million by 2021E (source: WEF 2018, Cybersecurity Ventures 2017).

Cybersecurity demands will increase. Growing volumes of IoT with major vulnerabilities will require fast development of cyber infrastructure (companies saw a rise in cost of breaches of US$5.4/record where extensive use of IoT devices occurred relative to an average cost of US$148/record) and to maintain confidence of consumers and reputation given the heightened risks of collecting data from inside homes. The cybersecurity market is set to grow at a 10.2% CAGR to US$248bn by 2023E from US$154bn in 2018 (source: Ponemon Institute, Markets & Markets 2018).

External cybersecurity companies will experience heightened demand as cyber risk becomes more widespread. Small companies will continue to experience a larger share of company attacks as criminals realise their vulnerabilities and they are unlikely to be able to pay for development of in-house cyber defences. Small businesses make up 58% of victims and accounted for 43% of spear phishing attacks in 2015 vs only 18% in 2011. Sixty-five per cent of small businesses would be incapable of staying profitable two months after permanent loss of essential data. This is a concern given that 61% of small and medium-sized business experienced a cyberattack in 2017 (vs 55% in 2016).

Cyber criminals, one step ahead of the defenders, are increasingly using automation and machine learning, bringing about the rise of cybercrime-as-a-service. Companies will need to develop their own machine learning and automated systems to deal with this sophistication and increasing volume of attacks. The Ponemon Institute estimated that companies with security automation experienced average costs of US2.88mn/breach compared with $4.43/breach for those without (source: Ponemon Institute 2018).

The privacy debate will be driven by legislation. Although consumers are concerned about what is being done with their data, they are still embracing the drive towards an integrated society (9.8% in the US want to buy a smart speaker this year) (source: 2018). Instead, legislation is likely to take centre stage. GDPR was implemented earlier in 2018, but the full impact is not likely to be understood for several months as business conduct is challenged and fines start to be handed out. US states are taking action - California has implemented a consumer privacy law and Vermont passed a law on data security for data brokers. However, the potential may be limited if light touch federal legislation that overrules state law is enacted. In 2017, Trump repealed an Obama era law on Internet providers’ use of data.

Growing number of start-ups with in-built privacy. There are at least 126 data privacy start-ups looking to respond to privacy concern). These include DataGrail, improving the visibility of data used by companies; Prifender, an automated data privacy platform;, allowing people to choose the adverts to which they are exposed; and privacy-by-design smart speakers, Snips Air and open source, Mycroft Mark II. If consumer backing of privacy rights translates into action, these start-ups could be long-term disrupters to the entrenched data usage models in play today.

Healthcare, financial, and services industries experience the highest per capita costs of data breaches at $408, $206 and $181, respectively. In comparison, financial services, utilities and energy, and aerospace and defenssece experienced the highest cost on an annualized basis. Privacy concerns will increase the risk profiles of tech and data based companies (Facebook’s share price fell 17.8% in 11 days after the Cambridge Analytica data misuse revelation taking just under two months to recover). In our view, compliance costs will also rise as government laws both defend consumer rights and aim to increase monitoring of their population through access to their online information. — SG

October 23, 2018
16 hours ago

SPARK gives energy investors access to global markets with Hutchison Ports alliance

19 hours ago

MIT Enterprise Forum launches Startup competition in Saudi Arabia and Arab world

19 hours ago

SAMA Governor inaugurates Standard Chartered first branch in Saudi Arabia