Putting a Cost to Cybercrime

When it comes to cybercrime, telcos find themselves not just being fired upon, but also carrying the crossfire. That leaves telcos with double the stakes in this particular fight. Telcos need to defend themselves from criminals, but we can anticipate that governments will also put an increasing burden on telcos to defend the users of their networks. How big is the problem? Figures have been quoted that put the cost to the US and UK economies at USD1 trillion and GBP27 billion respectively. Wow. But step back for a moment; the Israeli security consultant Danny Lieberman has poured scorn on these numbers in his eminently readable blog. In particular, he finds fault with how Detica, the security firm, comes up with its numbers of UK cybercrime. Although Detica’s report for the UK government received widespread coverage (see here for the BBC’s story), Danny took a closer look at the report than the average reporter (see Detica’s summary here and download the full report from here). Danny’s conclusion on Detica’s report is that they

put together a fancy model, put [their] fingers in the air and picked a number.

Danny argues that the real costs are suffered by consumers, and that the way to help them is to focus efforts on educating them about the dangers and how to avoid them. He is right, but that does not make for comfortable business decisions. To use Danny’s words, Detica are “hyping the numbers of the damage of cyber crime to big business and government”. There is sound business logic for behaving like that. Hyping threats to big business and government is a way to make money, so long as you sell solutions those same big businesses and governments. Hyping threats to consumers, however, is far less attractive a proposition. They might react by buying less, not buying more. This is the major mental block that prevents telcos from being more proactive in guiding their customers about how to be safe online.

Whatever the total cost of cybercrime, telcos need to play their part in fighting it. If consumers lose confidence in using networks, the inevitable result is a depressed market for communications services. In contrast, good information, without hype, means consumers can be recruited to the battle against cybercrime, instead of being its victims. The challenge for telcos is to find the sweet spot between the positive and negative effects of education. Education may raise consumer anxiety. However, if education leads people to be safer and more confident, it will reduce anxiety, not least because there will be fewer bad headlines in the press. That sweet spot is correlated to the real cost of cybercrime, and it will sit somewhere between fear-inducing hype and the more reassuring messages given by businesses to their consumers. In the final reckoning, valuations are balanced if they consider not just what you spent in the past to get something, but also what you are prepared to spend in future in order to safeguard that something. What we spend on preventing crime – and ‘spending’ may include using our credibility and reputation, as well as our money – is also a measure of the value we put on crime’s consequences.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.