In our second piece of the ‘Cyber Serious’ series, we look at the economic impact of cybercrime. Be sure to follow the next two pieces of the ‘Cyber Serious’ series over the coming weeks.

In May 2018 a study undertaken by global research giants, Frost & Sullivan, and commissioned by Microsoft, revealed that the potential economic loss across Asia Pacific in 2017 due to cybersecurity incidents could have hit a whopping US$1.745 trillion. This is more than seven percent of the region’s total GDP (US$24.3 trillion) and a figure so big it’s difficult to comprehend.

Economic loss from cybercrime comes in various ways, but generally there are three types of loses that happen during a cybercrime incident. Direct losses; these are financial losses associated with the cybercrime incident including the loss of productivity, fines, the cost of fixing the problem, etc. Then there are indirect losses; these include the opportunity cost to the organisation for not performing, the loss of a customer as a result of the breach, or reputational damage which could last for many years. Lastly there are the induced losses which are the impact of the cyber breach on the broader ecosystem and economy, such as the decrease in consumer and enterprise spending in a specific sector.

Talking about the differences, Edison Yu, Vice President and Asia Pacific Head of Enterprise for Frost & Sullivan, said in the report: “Although the direct losses from cybersecurity breaches are most visible, they are just the tip of the iceberg. There are many other hidden losses that we have to consider from both the indirect and induced perspectives. The overall economic loss for organisations suffering from a cyberattack can often be underestimated.”

Closer to home, the same report said that the economic loss as a result of cybercrime to Australia could be as much as $29 billion per year, the equivalent of 1.9% of the country’s entire GDP. For an Australian organisation that has more than 500 people working in it, a direct loss from a cyberattack could cost the company over $30 million.

On the other end of the scale, according to a report by cybersecurity software, Norton, over half a million small businesses fall victim to cybercrime every year with the average cost to a small business being at a staggering $1.9 million.

Of the Australian respondents to Norton’s research, over half of them said they had experienced a cybercrime incident in the past five months, however many victims of cybercrime never report it in an attempt to mitigate indirect losses such as reputational damage, so the figure could be much higher.

A New Hope

Sounds gloomy and expensive, doesn’t it? Well it kind of is, however there is hope out there.

Recent developments in AI have led to much better security systems than we previously had, that now have the ability to learn autonomously and adapt to new threats. Improved software in the AI space now has the capacity to keep pace with the big data that a cybersecurity system produces.

Instead of looking for matches with specific signatures, something that modern cyberattacks have already got past, AI works on cyber protection by first assessing what ‘normal’ looks like and then searching for abnormal events and detecting attacks by using unsupervised learning algorithms.

A second approach in AI is to use supervised algorithms (algorithms that it has been trained on) to detect threats. Thousands of examples of malware code is provided and even if the malware mutates, part of the code will remain and will be picked up by the AI program.

In addition to detecting complex attacks, AI allows security teams to scale their operations for monitoring cyber systems and detecting cyber breaches. The level of data in systems today means that humans can only play a limited role in detecting attacks themselves. Having a computer search the data is much more effective and also provides insights on what is found.

Of course humans are still required to decide which action to take and how best to protect the business through integrated decision making.  Humans still do a better job of prioritising actions, using common sense and seeing the bigger picture that decisions are made in.

Meanwhile, advances in deep learning – a step beyond machine learning – allows AI to mimic the working of the human brain to assist AI to reason better. Tech giants such as Facebook are pumping money into deep learning frameworks such as TensorFlow and PyTorch that have far wider applications than just cybersecurity, however the quantum leap that deep learning is expected to bring to cybersecurity is bound to have an effect on the economic impact of cybercrime.

Cybersecurity deep learning will soon detect and prevent any threat, then it’s increased prediction capabilities will become instinctive for further similar threats without any human intervention at all. Deep learning AI will offer a more sophisticated approach to security dealing with larger datasets such as hundreds of millions of malicious and legitimate files. Deep learning AI has the capacity to analyse and clarify the exact type of malware in real time – a job that usually requires a group of experts.

So is AI going to take over like in The Terminator movies? Well, artificial intelligence and human intelligence must work together for the best possible results, and without turning into an army of robots.

James Cameron’s Skynet and Arnie in sunglasses are not on their way. At least not any time soon.

Interested in knowing more? Next up in our ‘Cyber Serious’ series we discuss complex threat landscapes. Follow KJR on LinkedIn to see it first.

As we continue our focus on optimal cybersecurity within organisations, it’s important to remain robustly aware of all the elements in the digital ecosystem and their significance for our digital future – artificial intelligence, robots, data, ethics… KJR is a proud sponsor of a unique event series happening in Brisbane in March, Night Nomads – rising above the darker side of digital, where conversations topics include: The ethics of robot servants, Exploring the tech behind intimacy, and The simplicity of data weaponisation.