Why Cybercrime Panicked the Davos World Economic Forum
Cybercrime was the top criminal threat discussed at the Davos World Economic Forum. Not drugs, not weapons, not human trafficking. World of Crime explains why.
A few scary facts to get us started.
Cybercrime cost the world around $8 trillion in 2023.
That could triple to almost $24 trillion, or roughly 23% of the global economy, according to Statista’s Cybersecurity Outlook.
Attacks are getting worse at an alarming rate. In August 2023, Google blocked the biggest DDoS (distributed denial of service) attack ever seen, which peaked at 398 million requests per second (rps). In 2022, the record DDoS attack generated just 46 million rps.
In 2023, successful attacks leaked more personal data than ever before from electoral commissions, banks, casinos, phone companies, and public government records. Even cars are now routinely being hacked.
Cybercrime is now a major driver of human trafficking, with hundreds of thousands of people forced to work on cyber fraud in Southeast Asia, the Middle East, Africa, and Eastern Europe.
And generative AI is making life easier for cybercriminals and harder for their targets.
It is therefore no surprise that cyber insecurity was the fourth-largest global risk as seen by the World Economic Forum (WEF). World of Crime breaks down how policymakers, activists, and tech giants debated cybercrime in Davos, how bad the situation is, and what can be done to prepare.
Cybercriminals are adapting too fast for companies to keep up
With the awareness of cybercrime growing and software providers regularly promising better cybersecurity protection, one could imagine that companies are better prepared than ever to stave off these attacks.
For larger players, sure. The percentage of high-revenue companies that consider themselves to be “cyber resilient” increased from 16% to 51% in two years.
But small and medium enterprises (SMEs) are simply outgunned.
Cybercrime is progressing so quickly that the number of SMEs able to maintain the minimum level of cybersecurity dropped by 30% in a year, according to WEF data. And the situation is unlikely to improve soon. CEOs reported that, despite ramping up investment in cybersecurity and personnel training, they were increasingly vulnerable to all major types of cybercrime (phishing, malware, ransomware, deepfakes, etc.).
Allegedly cybersecure companies in the world are getting hit
2023 saw some truly spectacular data breaches and cyberattacks.
The worst came down to carelessness.
Cybersecurity firm Darkbeam left its clients’ customer data in an unprotected database. Over 3 billion data sets were leaked, including hundreds of millions of joint email and password details. Worse, many of the people whose information was leaked had been previously hacked, only compounding their misery.
The personal information and medical records of over 81 million Indian citizens were put up for sale online, after a breach of the Indian Council for Medical Research.
The centralization of Internet access was also exposed. Colombian Internet provider IFX Networks was hit with a ransomware attack in September. The problem was that virtually the entire Colombian public sector relies on IFX Networks. The attack knocked more than 20 state agencies and public companies off the Internet. They were not directly targeted but suffered anyway.
Why don’t companies and governments hire more cybersecurity staff?
The US had 700,000 vacancies for cybersecurity staff in 2023. But this demand has put the ball firmly in the court of cybersecurity professionals. On average, cybersecurity staff in the United States get paid almost $120,000 a year. That’s double the average salary in an SME.
The situation isn’t easier elsewhere in developed economies. Cybersecurity staff get paid $127,000 a year on average in the United Kingdom, and over $150,000 in Switzerland. One solution for Western companies has been to search abroad for graduates from highly tech-literate countries like India. But, in turn, this only leaves companies in those countries more vulnerable.
Cybersecurity solutions are also too expensive
Companies spent 12% more on cybersecurity in 2023 than the year prior. But this is not just because of increased awareness. When they are unable to afford the right staff, companies spend more on technology.
And that technology is getting ever more specific.
Anti-phishing software, network security monitoring tools, encryption tools, public-key infrastructure, packet sniffers… And if you want to make sure your security actually works, tack on the cost of a penetration tester.
Is it any wonder companies and public institutions get overwhelmed? And the price of all of these is only rising.
The response from many cybersecurity companies hawking their wares is that their programs are not too expensive when you consider the millions of dollars companies stand to lose if their data is held to ransom. Indeed, the average data breach cost in the US in 2023 stood at $9.48 million. But this is cold comfort for a company trying to figure out how to keep the lights on or how to avoid drastically raising its prices.
Is cyber insurance the solution? That’s too expensive as well
Cyber insurance sounds wonderful on paper. It can cover loss of income from hacks or leaks, repairs to infrastructure, ransom costs paid to cybercriminals, the cost of an investigation into how a data breach happened, and even fines and legal action, such as when a data leak puts a company in violation of GDPR.
But demand for cyber insurance has seen its price soar to eye-watering levels. Cyber insurance costs in the UK soared by around 130% in just three months in 2022. (It is difficult to provide estimates of the average cost of a cyber insurance policy for companies, as they can vary so widely.)
The WEF found that only a quarter of SMEs worldwide have cyber insurance, as opposed to 75% of larger companies. Insurance providers feel justified. Firstly, profit margins from cyber insurance premiums are not great, they say. The average cyber insurance claim by American SMEs is worth $345,000.
The global cyber poverty gap is identical to the economic poverty gap
While small and medium-sized companies are struggling to keep up and pay for cybersecurity in the US and Western Europe, the situation is much worse in Latin America and Africa.
In 2022, the Atlantic Council wrote “cyber poverty exhibits dynamics very similar to real-world poverty: simply providing money or free expertise does not necessarily address poor technological designs, poor market incentives, misaligned sociocultural attitudes towards security, or other barriers.”
And finally, cybercrime is a driver of human trafficking and slavery
The WEF was focused on finding solutions to the rampant threat of cybercrime. But this criminal economy is now having very real human consequences.
Over a quarter of a million people have been forcibly recruited to work in cybercrime farms in Southeast Asia alone. The outstanding Al Jazeera documentary, Cambodia’s Cyber Slaves, describes how people from across Asia are lured in with the promise of jobs to find themselves press-ganged into working in scamming compounds.
Disused casinos, malls or office buildings have been turned into slave quarters, where people are beaten, threatened, and tortured if they do not work to satisfaction.
While Cambodia and Myanmar are the worst offenders for cyber-slavery, Laos, Indonesia, the Philippines, Dubai, and Nepal are also involved, according to Humanity Research Consultancy.