Cybercrime is predicted to cost the world $9.5 trillion USD in 2024, according to Cybersecurity Ventures. If it were measured as a country, then cybercrime would be the world’s third largest economy after the U.S. and China.
We expect global cybercrime damage costs to grow by 15 percent over the next year, reaching $10.5 trillion USD annually by 2025, up from $3 trillion USD in 2015. This represents the greatest transfer of economic wealth in history, undermines the incentives for innovation and investment, dwarfs the damage inflicted by natural disasters in a year, and will be more profitable than the global trade of all major illegal drugs combined.
Cybercrime costs include damage and destruction of data, stolen money, lost productivity, theft of intellectual property, theft of personal and financial data, embezzlement, fraud, post-attack disruption to the normal course of business, forensic investigation, restoration and deletion of hacked data and systems, reputational harm, legal costs, and potentially, regulatory fines.
Wendy Thomas, CEO at Secureworks, told Fortune Magazine that cybercrime continues because hackers are opportunistic and their organizations are financially motivated; they need just one unlocked door to steal money from a company. “To break the hacker profit model, companies have to make themselves a hard target,” said Thomas. “Failure to do so is to await the inevitable day the adversary finds their way into your unlocked door.”
IN THE BOARDROOM
Knowledge is power in the war against cybercriminals. The 25 facts, figures, predictions and statistics below, each with supporting context, arm boardroom executives globally with material for meetings, presentations and training programs on protecting their organizations from cybercrime and cyberwarfare.
- RANSOMWARE. For a Board, the stakes of a ransomware attack could not be any higher. Ransomware, the fastest growing type of cybercrime, is predicted to cost its victims $265 billion USD annually by 2031, with a new attack taking place on consumers and organizations every two seconds. This is up from $20 billion USD in damages and an attack every 11 seconds in 2021. The dollar figure is based on 30 percent year-over-year growth in damage costs over a decade. Ransomware gangs now routinely demand millions of dollars and will go so far as to search for revenue and insurance documents once they infiltrate a network to ascertain how much their victim is able to pay. In the U.S., it is legal, yet controversial, to make a ransomware payment. The White House previously considered banning the practice, and paying ransoms is generally frowned upon by cybersecurity experts and law enforcement, yet there have been understandable exceptions.
- THREATS. This year’s PwC Global Digital Trust Insights survey finds that the top four most concerning cyber threats — cloud-related threats (42 percent), hack-and-leak operations (38 percent), third-party breaches (35 percent) and attacks on connected products (33 percent) — are the same ones security executives feel least prepared to address. The survey respondents consist of more than 4,000 business and technology executives based in 77 countries and territories, operating in a range of industries, including industrials and services, tech, media, telecom, financial services, retail and consumer markets, energy, utilities and resources, healthcare, government, and public services.
- SUPPLIERS. Cybersecurity Ventures predicts that the global annual cost of software supply chain attacks to businesses will reach $60 billion in 2025. Gartner predicts that by 2025, 45 percent of organizations worldwide will have experienced attacks on their software supply chains. “Unfortunately, most organizations are more vulnerable than they realize,” said Secureworks’ Thomas, on the Bloomberg Businessweek Podcast. “It may be that they’ve done a great job of protecting their own assets but they are inextricably linked with other vendors, other suppliers. Thinking about your security as having to secure those who are interoperating with your organization and your systems as much as you secure your own castle is probably the most important.”
- CRYPTOCRIME. Loose regulations, a lack of governance, and rapid growth in decentralized finance (DeFi) services are creating weak spots in global financial systems and fostering new methods of cryptocurrency-related crime. Cryptocurrency crime, long associated with rug-pulls, exit scams and investment fraud schemes, will, Cybersecurity Ventures predicts, cost the world an estimated $30 billion USD annually by 2025. In 2022, the U.S. government established the National Cryptocurrency Enforcement Team (NCET). The new unit has proven successful, with a number of cryptocurrency crime-related prosecutions under its belt. In 2023, NCET merged with the Computer Crime and Intellectual Property Section (CCIPS), making it a permanent federal investigative unit.
- AI. A 2024 survey of annual reports finds that the biggest U.S. corporations are increasingly highlighting artificial intelligence as a possible risk factor. Fortune Magazine reports that the number of Fortune 500 companies citing AI as a risk hit 281. That is 56 percent of the companies and a 473 percent increase from the prior year, when just 49 companies flagged AI risks. Certain sectors are more worried than others. Leading the way was the media and entertainment industry, with 92 percent of Fortune 500 companies in that sector citing AI risks, according to research firm Arize AI. 86 percent of software and tech companies, 70 percent of telecoms, 65 percent of healthcare companies, 62 percent of financials, and 60 percent of retailers also warned. Just 19 percent of automotive companies flagged AI risks, along with 37 percent of energy firms and 40 percent of manufacturers. On the flip side of the coin, a Google survey indicates that 63 percent of IT and security professionals believe AI will improve corporate cybersecurity.
- HACKERS. It is no surprise that the average age of a Fortune 500 chief information security officer (CISO) is 52, according to Hunt Scanlon, or that, based on data from career platform Zippia, 60 percent of cybersecurity specialists are 40 or older while only 11 percent are between 20 and 30. But boardroom and C-suite executives need to understand the very different (black hat) hacker demographic in order to direct their support and budget against it knowledgeably. The FBI Cyber Division reports that the average age of a person arrested for a crime in the U.S. is 37, while the average age of someone arrested for cybercrime is 19. It is widely assumed that most cybercriminals are male, but a widely cited Trend Micro report indicates that as many as 30 percent of cybercriminals are women once underground forum participants are counted.
- LABOR. The number of unfilled cybersecurity jobs worldwide more than tripled between 2013 and 2021, from 1 million to 3.5 million, according to Cybersecurity Ventures, and we predict that the same 3.5 million will remain open in 2025. Despite industry efforts to close the skills gap, the number of open jobs in our field is still enough to fill 50 NFL stadiums. Gartner projects that by 2028, the adoption of GenAI will collapse the skills gap, removing the need for specialized education from 50 percent of entry-level cybersecurity positions. Women now make up more than 25 percent of the cybersecurity workforce, although they hold just 17 percent of Fortune 500 CISO positions.
- REGULATION. For several years, the Federal Trade Commission (FTC) has urged the enterprise, and its boards, to take a stronger stance on cybersecurity. The SEC adopted new rules in 2023 that require U.S. public companies to disclose "material" cybersecurity incidents and to report annually on their approach to cybersecurity risk management, strategy, and governance. As of Dec. 18, 2023, public companies must disclose cyberattacks and data breaches on Form 8-K within four business days of determining that the incident is material. In its amended Safeguards Rule, the FTC required that a company's board be directly involved: a qualified individual must report to the board regularly, including an overall assessment of the company's compliance with its information security program. Many new regulations are emerging globally this year. For instance, in Oct. 2024, New York State adopted regulations requiring general hospitals to report material cybersecurity incidents to the state Department of Health within 72 hours.
- OVERSIGHT. PwC’s 2023 Annual Corporate Directors Survey found that 49 percent of directors see cybersecurity as a significant oversight challenge. By now, all boards have allocated cyber risk oversight somewhere — either to a committee or the full board, according to PwC. But boards periodically should reassess their allocation to determine that it is effective. Current survey data indicates that 51 percent of S&P 500 company boards allocate responsibility to the audit committee. Given all the audit committee has on its agenda these days, boards should consider whether this committee has adequate time and the right skills to oversee this area. Some boards have deemed cybersecurity oversight a full board responsibility, taking it out of committee, while other boards have allocated this responsibility to a separate technology or cyber committee.
- COMPENSATION. In 2023, The Wall Street Journal reported that some companies were starting to tie bonuses for their chief executives and other top leaders to cybersecurity metrics, a move that governance experts said could make them more secure against hackers. Australian health-insurance giant Medibank Private had no specific cybersecurity goals tied to pay for its top executives before a 2022 cyberattack that cost the company more than $46 million USD. In 2023, Medibank's board cancelled short-term incentive bonuses for the chief executive, CFO and two other top leaders because of the attack, which exposed personal, and in some cases medical, data of nearly 10 million people. The executives forfeited $3.6 million in total. A report from ISS Insights indicates that only a few companies, 16 in the S&P 500 and 22 in the remainder of the Russell 3000, include cybersecurity measures in either annual or long-term executive compensation incentive programs. In 2024, Microsoft is linking executive compensation more closely to cybersecurity after the tech giant came under fire from both the U.S. government and rival companies for its failure to stop a China-based intrusion into its systems in 2023, according to CNBC.
- CYBERSECURITY. Cybercrime will propel global spending on cybersecurity products and services to $1.75 trillion USD, cumulatively, for the five-year period from 2021 to 2025, according to Cybersecurity Ventures. We predict expenditures for cybersecurity products and services globally will grow to nearly $459 billion USD on an annual basis in 2025. According to McKinsey, the corporate sector is poised to spend $213 billion on cybersecurity software in 2024. PwC finds that organizations cite investment in cybersecurity as a key differentiator for competitive advantage, with 57 percent citing customer trust and 49 percent citing brand integrity and loyalty as primary drivers for such investment. Gartner predicts that by 2028, enterprise spend on battling malinformation will surpass $500 billion, cannibalizing 50 percent of marketing and cybersecurity budgets.
- RESILIENCE. MIT Sloan researchers conducted 37 in-depth interviews with the chief executives of large enterprises (average revenues of $12 billion) in the U.S., Europe, and Asia. Nine of them had led their company through a serious cyberattack, which allowed the researchers to compare their battle-tested views with those of CEOs who had not yet suffered such an attack. By far the most common regret they heard from CEOs was that they had overemphasized cybersecurity to the neglect of cyber resilience. Only after the attack did they come to understand that trying to prevent every cyberattack is a losing game. These executives had focused on whether they would get attacked instead of on when they would get attacked and how they would respond when it happened. No company can have total protection against cyberattacks, no matter how much it invests. Organizations must base their cybersecurity strategies on resilience: the ability to weather an attack with minimal damage to data, finances, and reputation.
- CYBERINSURANCE. Cybersecurity Ventures predicts the cyberinsurance market will grow from approximately $8.5 billion USD in 2021 to $14.8 billion USD in 2025 and exceed $34 billion USD by 2031, based on a compound annual growth rate (CAGR) of 15 percent over an 11-year period (2020 to 2031). Many policies offer first- and third-party coverage, and most companies need both, said Shruti Engstrom, an SVP at the risk-mitigation company Aon. While all policies are different, first-party insurance typically covers losses the insured itself incurs because of a cyberattack. According to the FTC, it can also cover costs such as legal counsel, forensic-investigation services, recovery of stolen data, communication with customers, fees and penalties to regulatory bodies, crisis management, public relations, and lost income. Some policies also cover ransomware negotiation and payments to hackers, but this is a controversial aspect of cyberinsurance, as many believe it incentivizes criminals to continue launching attacks. Engstrom said third-party insurance covers legal fees and settlement costs when a customer, a vendor, or another third party seeks legal damages as a result of a cybersecurity incident. What cyberinsurance generally does not cover is stolen or damaged intellectual property, or acts of cyberwarfare carried out by foreign nation-state actors.
- REPORTING. A Harvard Business Review survey of 600 boardrooms revealed that only 69 percent of responding board members see eye-to-eye with their CISOs. Fewer than half of members serve on boards that interact with their CISOs regularly, and almost a third of them only see their CISOs at board presentations. This means that directors and security leaders spend far too little time together to have a meaningful dialogue about cybersecurity priorities and strategies. "The State of Cyber Awareness in the Boardroom", a report published in The Harvard Law School Forum on Corporate Governance, states that cybersecurity remains the most challenging area of oversight for corporate leaders. The report encourages companies to ensure that the CISO or leader of the security team reports to the board regularly on the state of the business and its risk mitigation efforts. According to Deloitte's 2023 Global Future of Cyber Survey, 48 percent of boards in organizations with higher levels of cyber maturity address cyber-related issues quarterly, with 26 percent of survey respondents saying that cyber issues are discussed monthly. In comparison, 59 percent of board members at lower-maturity organizations address cyber issues monthly, but 15 percent report that discussions take place only twice a year.
- DIRECTORS. The Hacker News reports that among major U.S. corporations, 51 percent of Fortune 100 companies have at least one director with a background in information security, while this figure drops to only 17 percent for S&P 500 companies and to just 9 percent for companies in the Russell 3000 Index, highlighting a significant variation in board-level cybersecurity expertise across businesses of different sizes. Cybersecurity Ventures predicts that by 2025, 35 percent of Fortune 500 companies will have board members with cybersecurity experience, and by 2031 that will climb to more than 50 percent. Research from Virginia Tech reveals that boards without cybersecurity expertise rely too heavily on the CISO, which can create a circular oversight environment that lacks independence or even encourages CISOs to water down problematic issues.
- LIABILITY. Executives and leaders are now often held culpable, at least publicly, when a significant cybercrime occurs, and if Gartner is to be believed, 75 percent of CEOs may be found personally liable for cyber-physical incidents by 2024. By 2027, two-thirds of Global 100 organizations will extend directors and officers (D&O) insurance to cybersecurity leaders because of their personal legal exposure. Cyber-physical system (CPS) incidents can quickly lead to physical harm to people, destruction of property or environmental disasters. Gartner predicted that the financial impact of CPS attacks resulting in fatal casualties would exceed $50 billion by 2023.
- RISK. Cyber risk quantification (CRQ) gives security leaders a clear understanding of the financial impacts of a successful cybersecurity attack. This helps organizations make better decisions about their cybersecurity investments and resources, based on their risk tolerance levels. CRQ lets the security team share a common language with key stakeholders, such as executives and board members. Gartner predicts that by 2025, 50 percent of cybersecurity leaders will have tried, albeit without success, to use CRQ to drive enterprise decision-making. In total, only 36 percent of security leaders have managed to achieve action-based results, including cutting costs, reducing risk, or having what the research firm calls “actual decision influence.”
- TURNOVER. The average tenure of a CISO is estimated at 18 to 26 months, far shorter than the 4.9-year average for the C-suite. Gartner estimates that by 2025, nearly half of cybersecurity leaders will change roles, and 25 percent will move to different roles entirely, because of stress, psychological pressure, and burnout, among other factors. In the Heidrick & Struggles 2023 Global Chief Information Security Officer (CISO) Survey, 41 percent of respondents said their company does not have a succession plan in place, and 13 percent added that their organization is not in the process of developing one. Boardroom and C-suite executives should be planning for the inevitable turnover of their CISO.
- EMPLOYEES. The Harvard Business Review reports that only 67 percent of board members believe human error is their biggest cyber vulnerability, although findings of the World Economic Forum indicate that human error accounts for 95 percent of cybersecurity incidents. This may be an indicator that some boards do not see the organizational risk they face. Global spending on security awareness training for employees (previously one of the most underspent cybersecurity budget items) is predicted to exceed $10 billion USD by 2027, according to Cybersecurity Ventures, up from around $5.6 billion USD in 2023. The estimate includes human risk management (HRM) platforms. Gartner predicts that by 2026, enterprises that combine GenAI with an integrated platform-based architecture in security behavior and culture programs (SBCP) will experience 40 percent fewer employee-driven security incidents.
- TRAINING. Some board members told The Wall Street Journal that they have never received training on how to shore up their own personal cyber defenses. What can boards do? First, cybersecurity education-and-training programs aimed at rank-and-file employees could be customized for directors. Second, customized tabletop exercises, in which board members are exposed to a hypothetical cyber incident and asked to respond, could be especially effective in getting board members to recognize and prepare for direct attacks. Third, organizations might want to include board members in phishing simulations, in which the organization sends simulated phishing emails to staff to gauge how many will react and to develop training that blunts the effectiveness of such attacks. Finally, one-on-one consulting, where security experts are assigned to work with individual directors, might be the most effective training approach. These recommendations come from Jeffrey Proudfoot, associate professor at Bentley University and a research affiliate at the Cybersecurity at MIT Sloan (CAMS) research consortium, Keri Pearlson, executive director of CAMS, and Stuart Madnick, founding director of CAMS.
- CULTURE. Research from Accenture found that 91 percent of CEOs treat cybersecurity as a technical or compliance issue and see it primarily as the purview of the CIO or CISO. This hands-off attitude is a prime example of poor leadership that can leave a business vulnerable to cyberattacks. When asked how they would characterize their working relationship with the board of directors, 40 percent of CISOs said fair or poor, a harmful and risky situation, according to research conducted by TechTarget's Enterprise Strategy Group and the Information Systems Security Association (ISSA). 85 percent of CISOs believe the board should offer clear guidance on the organization's risk tolerance for them to act on, according to the IANS State of the CISO 2024 Benchmark Report. The U.K.'s National Cyber Security Centre (NCSC) holds that there must be strong executive buy-in, communicated and championed by the board, that sets the tone for cybersecurity culture.
- INSIDER RISK. Nearly a decade ago, the Harvard Business Review reported that according to various estimates at the time, at least 80 million insider cyberattacks — involving connected companies or direct employees — occurred in the U.S. each year — but the number may have been much higher, because they often went unreported. Today, the business landscape is digital-first, with scores of employees and contractors working remotely and handling corporate data through personal devices, creating an increasingly complex technological ecosystem underscoring the growing risk of insider threats, presumably an order of magnitude greater than they were in 2014. Identifying and managing insider threats effectively is now imperative for business success, particularly considering that one in three data breaches now involves insiders. CISOs consider insiders as among the most difficult threats to detect and prevent.
- CYBERWARFARE. Nation-state threat actors are well-resourced groups with a wide variety of political and economic motivations, according to InformationWeek. Government agencies and critical infrastructure entities are obvious targets for these groups, which often leads CISOs at other kinds of organizations, including large corporations, to treat nation-state actors as a minimal risk. In fact, nation-state actors can target vulnerable enterprises in any industry, although some industries are attacked more often than others. For example, information technology is the most commonly targeted industry (22 percent), according to Microsoft. Compromising an IT company can give nation-state groups access to its customers, widening the blast radius of the attack. Other frequently targeted sectors include think tanks and NGOs, education, government, finance, media, and health care.
- Y2Q. Cybersecurity Ventures predicts that Y2Q (aka Q-Day) will arrive on or around Jan. 1, 2031. The Y2Q ("Years to Quantum") threat concerns the public-key algorithms that currently secure systems against cyberattacks, according to the World Economic Forum (WEF). These algorithms rest on mathematical problems that are practically intractable for classical computers, but a sufficiently large and capable quantum computer could solve them in hours or even minutes, rendering today's public-key cryptography (RSA, Diffie-Hellman and elliptic-curve schemes) obsolete. If malicious actors had access to such quantum computing power, they could break the security of government and enterprise systems, disturb or even damage public services and utility infrastructure, disrupt financial transactions and compromise personal data.
- PQC. Post-quantum cryptography (PQC) provides a new generation of cryptographic algorithms designed to withstand attacks by future quantum computers, according to Google. In Aug. 2024 the National Institute of Standards and Technology (NIST) finalized its first PQC standards (FIPS 203, 204 and 205: ML-KEM for key encapsulation, ML-DSA and SLH-DSA for signatures), paving the way for widespread adoption. HPCwire reports that one worry is the so-called harvest-now-decrypt-later strategy, in which bad actors steal encrypted data today and store it until sufficiently powerful quantum computers become available to decrypt it. Virtually all data (financial, medical, personal, etc.) is encrypted in some way today, and much of it relies on RSA or elliptic-curve public-key algorithms for key exchange and signatures, which are exactly the algorithms at risk when Y2Q arrives. It has been reported that more than 20 billion devices may need software upgrades to PQC.
C-suite executives, CIOs and CISOs, are encouraged to borrow generously from this report when they enter the boardroom.
– Steve Morgan is Editor-in-Chief at Cybercrime Magazine. The 2024 Boardroom Cybersecurity Report is produced by Cybersecurity Ventures.
SPONSORED BY SECUREWORKS
Secureworks protects organizations with battle-tested, best-in-class cybersecurity solutions that reduce risk, optimize IT and security investments, and fill security talent gaps. We deliver solutions by security experts for security experts to prevent, detect, and respond to continuously evolving and diversifying threats.