Just how big a threat is online crime? 2021

July 12th, 2021 Posted in Information Security

2021 update

Online crime is a potent problem that isn’t going away. Two years ago, when we published the first instalment of this blog (see below), estimates showed that cyber incidents cost the world $600bn. The same report, for 2020, found that cyber crime now costs the world a staggering $1 trillion or more.

If cyber criminals continue operating at their current rate, research indicates that global cyber crime costs will reach $10.5 trillion by 2025.

So, what exactly has happened in the last two years to produce this exponential rise in online criminal activity? There are a few factors at play:

  • The digital evolution works both ways: Just as businesses have embraced technological innovation, so too have cyber criminals. As one KPMG blog explained, more sophisticated attacks have arisen, including using artificial intelligence for Business Email Compromise and conducting phishing attacks in the cloud.

  • The Covid-19 pandemic: The pandemic has been taxing for both businesses and individuals. In the last year, cyber criminals preyed on Coronavirus anxiety levels for their own benefit. The Council of Europe noted a rise in phishing scams, where cyber criminals impersonated official health bodies in a bid to steal sensitive data, as well as an increase in ransomware attacks targeting medical organisations. Further research shows that phishing attacks increased more than 660% from 2019. 

  • The changing nature of work: The pandemic accelerated the shift towards remote working and, with it, created a host of new cyber threats. The increased attack surface, employee mistakes and weak authentication practices are all factors that cyber criminals have been able to exploit when looking to breach a company. On top of this, the UK Government’s Cyber Security Breaches Survey 2021 found that just 23% of businesses have cyber security policies in place to cover remote working, underscoring the vulnerability of many home working setups.

  • The human factor: There’s a reason why phishing scams remain such a popular technique for cyber criminals: they rely on human error. A lack of knowledge and carelessness are often the difference between a successful and a thwarted cyber attack. In fact, human error caused 90% of cyber data breaches in 2019, according to a CybSafe analysis of data from the UK Information Commissioner’s Office (“ICO”).

  • The digital supply chain: The increasing interconnection of business means that third-party suppliers can enable domino-effect breaches, whereby a hacker gains access to one organisation and then hops from there into client and supplier systems. As an example of this, 2021 research indicated that 82% of UK organisations that had experienced a cyber security breach stated that the breach originated from vulnerabilities in their vendor ecosystem.

What can be done?

No organisation is completely safe from an attempted cyber breach. However, the success of a breach is dependent on an organisation’s cyber maturity. As Mimecast research shows, 79% of organisations suffered a data breach due to their lack of cyber preparedness.  

The good news is that awareness of this risk is growing. PwC research indicates that 56% of UK organisations will increase their cyber budgets this year, although only 38% are confident their budgets are being allocated to protect against the most significant risks.  

For businesses, what’s needed is a comprehensive risk management strategy, which incorporates the right security tools, incident response procedures and employee training to protect against the worst-case scenario.  

Where to start?

As a starting point for creating your strategy, we advocate the National Cyber Security Centre’s (“NCSC”) flagship standard, Cyber Essentials, which provides five foundational steps for effective protection. A step further would be to achieve Cyber Essentials Plus, which requires a qualified, independent assessor to validate that these five steps are in place.  

For supply chain security, the NCSC offers 12 principles, designed to enable effective control of the supply chain. Other broad cyber security standards to consider, particularly in the case of large organisations or those who process a lot of data, are ISO27001 or the NIST Cyber Security Framework. We also offer a free guide to supply chain security.  

If you would like guidance with improving your security posture, we are happy to help. From assessments to implementation, we can help you to bolster your defences. 

Original blog post April 24th 2019

The largest bank heist of all time took place in Brazil in 2005, and the cash stolen was estimated at nearly $70m. A gang of 6-10 robbers, previously ‘operating’ as a landscape company in a nearby building, dug a tunnel measuring 78 m (256 ft) long, 4 m (13 ft) below street level, which ended directly below the Banco Central in Fortaleza, Brazil. On the weekend of 6-7 August 2005, the robbers broke through a metre-thick, steel-reinforced concrete bank vault and seized five containers of 50-real ($24) notes, weighing 3.5 tonnes. A truly monumental physical effort. Very few bank robberies are this ‘successful’.

This may sound like a life-changing amount of cash, but in reality it does not even register when you consider the scale of plundering that’s taking place online. The biggest declared loss, $850m, was inflicted between 2013 and 2018 by Russian hackers who managed to break into the computer systems of over 100 financial institutions.

The costs of cyber crime

In its report on the extent and economic impact of global cyber crime in 2018, McAfee estimated that it costs the world almost $600bn per year, the equivalent of 14% of the worldwide internet economy. It goes on to report that cybercrime is the third largest type of criminal activity after government corruption and the illegal drugs trade.

Top of the list of tools used by cybercriminals is ransomware. There are more than 6,000 online criminal marketplaces selling ransomware products. Even ‘ransomware-as-a-service’ (RaaS) is becoming more widespread.

The costs to businesses of this criminal activity take many forms:

  • Loss of intellectual property and business-confidential information
  • Identity theft – online fraud and financial crimes, often the result of stolen personal data
  • Manipulation of financial market data
  • Opportunity costs, including disruption in production or services and reduced trust in online activities
  • Cost of cyber security – securing networks, purchasing cyber insurance and paying for recovery from cyber-attacks
  • Damage to organisational reputation and brand value

Devices and connectivity

The rise in cybercrime is inextricably linked to the growing pervasiveness of connected devices. The surge in ‘Internet of Things’ (IoT) devices opens up many more entry points for online hackers to exploit as a gateway to breaking into other, more lucrative targets. This obvious weakness is exacerbated by widespread acceptance of, and reliance upon, default security settings (user names and passwords) and by failure to apply security patches.

When botnets infect multiple devices, and all of these are joined together in a coordinated attack on web servers, the result can be disastrous. In several examples, major social media websites have been taken offline by distributed denial of service (DDoS) attacks; in 2016 the Mirai botnet crippled several major players such as Twitter and Netflix.

Cyber attacks are on the increase

And the scale of online attacks is on the increase. The estimated number of malicious, ‘black hat’ penetration tests per day is a staggering 80 billion, and the number of new viruses created each day is believed to be between 300,000 and one million. This prevalence is driven by the online collaboration that now makes it possible for organised crime gangs to share hacking tools and ‘plug-ins’ on the dark net.

The list of prominent attacks grows relentlessly; some high-profile cases are:

  • Equifax exposed personal and financial records of 140m people in the US, Canada and the UK in 2017, which brought about hundreds of legal claims against the company.
  • Facebook announced in September 2018 that attackers had exploited a vulnerability in Facebook’s code which allowed hackers to steal Facebook access tokens for 50 million user accounts, which they could then use to take over people’s accounts. Facebook faces a potential data protection bill of $1.6bn.
  • In November 2018, Marriott Hotels suffered a data breach affecting 383 million people on its hotel guest reservation systems.
  • In January 2019, sensitive data belonging to hundreds of German politicians, celebrities and public figures was published online via a Twitter account in what is thought to be one of the largest leaks in the country’s history.

Human error

It’s easy to think that cunning hackers will always find ever more complex methods of detecting vulnerabilities and that data breaches are inevitable; however, the other significant weakness is the online users themselves. Hackers capitalise on the gullibility of individuals.

A carefully scripted email that mimics an online service familiar to the user is the trojan horse into someone’s private life. Disguised as someone the target thinks trustworthy, and with a simple click of a mouse, the hacker can obtain passwords, bank details and more. In 2017, it was estimated that around $130bn was stolen from unsuspecting users worldwide, with nearly $5bn of that sourced from UK citizens.


Identity theft stands prominent in the list of perceived concerns an individual may have when using online services. Read our Ten Online Safety Tips for some useful information on protecting yourself online. This fear may be a little over-exaggerated in terms of financial loss. The Internet Theft Resource Centre estimated that the average personal loss was about $500. Not a great amount on average, however, some will be hit with large costs. Even if you don’t suffer massive losses, the disruption and irritation caused in the aftermath can last for days, even months.

Phishing catches out even the most technically astute online companies

For this to happen to the gullible individual is to be expected; however, phishing catches out even the most technically astute online companies. Take, for example, the massive, brazen fraudulent success of one bogus supplier to Facebook, Forbes and Google, who swindled them out of a combined $100m over two years by convincing their accounts departments to wire funds to Eastern Europe. We have a free guide on identifying phishing and what to do if you have clicked on a suspicious link.

Be prepared

But despite the scale of the threat, the degree of complacency towards data security appears staggering. Many companies at risk of cyber attacks remain unprepared to deal with them. 44% of the 9,500 executives in 122 countries surveyed by PwC’s 2018 Global State of Information Security Survey reported that they do not have an overall information security strategy. Further, 48% say they do not have an employee security awareness training programme, and 54% say they do not have an incident response process.

It’s not that governments are silent about cyber defence. The UK’s National Cyber Security Centre (NCSC) has published substantial guidance to organisations on building defence strategies against hacking.

An information risk management regime is central to your organisation’s overall cyber security strategy, which should be linked to your business strategy, as explained in our recent blog. You should follow an established security management framework. If you’re starting out, then we recommend the NCSC 10 Steps to Cyber Security framework. If you wish to demonstrate strong security management, then consider implementing an information security management system and having it certified to the ISO 27001:2013 standard.

Securing your business can appear time-consuming and may be expensive, but as the old adage goes, ‘fail to prepare, then prepare to fail’.

Need help?

We can help you assess and improve your security posture. Even if you just want some initial guidance then please do contact us.

Written by Philip Harris

Philip consults on data protection and acts as outsourced DPO for clients. He has a long history of working with innovative, technology-led businesses and in technology licensing. He is experienced in building and supporting operational and compliance business functions, including HR, ICT, H&S and Quality Management Systems. Phil is also Operations Director at Evalian™. His qualifications include IAPP CIPP-E, ISO 27001 Lead Implementer, CIPD and APM. He also holds an MBA from Imperial College.