There was a revealing exchange about cybercrime earlier this month in Dáil Éireann, the Irish Government’s lower house. Revealing because there is no official record of the cost of cybercrime in Ireland.
This is because the Central Statistics Office doesn’t publish cybercrime costs separately from overall crime figures.
Following an opposition question, the then Justice Minister Frances Fitzgerald (prior to a Cabinet reshuffle) responded:
Calculating the cost of a security incident can be difficult. In the case of CEO fraud or ransomware, the victim takes a direct financial hit which can be significant. In other cases, the costs are indirect: from business disruption or lost sales opportunities, to staff time spent on the clean-up operation.
Let’s suppose the latest crime stats had shown an increase in the number of break-ins at business premises. An organisation that stores valuable goods overnight in a warehouse might take that as a cue to employ an extra night watchman, or install a more sophisticated alarm system. In the light of a clearly identified risk, extra security spending becomes a sensible investment.
This is why the absence of accurate cybercrime data is unfortunate. ‘What gets measured gets managed,’ as the saying goes. Without official figures on the cost of computer-enabled crime in Ireland, how can we gauge the extent of the problem? How can we be sure there are sufficient resources to combat cybercrime?
There’s also the related question of whether those resources are focusing on the right things. Many businesses struggle with this problem. The 2017 Thales Data Threat Report found that organisations continue to spend on certain security technologies, despite doubts over their effectiveness in addressing the risks those organisations face.
The situation made me remember security conferences that featured a jarring contrast in perspectives on cybercrime between law enforcement agencies and security vendors.
In the blue corner, the police forces would refer to PBX fraud as a prominent high-tech crime, based on reports from victims. In the red corner, technology companies would talk up the risks of zero-days or advanced persistent threats.
Good luck to any IT professional or security staffer who’s supposed to figure out what lessons apply to their own organisation or industry. In the meantime, let’s hope Ireland follows the lead of the UK Office for National Statistics, which has begun breaking out cybercrime as a standalone category.