The Real Cost of Cybercrime and Cyberattacks
A US security company recently estimated the annual cost of cybercrime to companies with more than 1,000 employees at an average of US$504,000, while companies with fewer than 50 employees experienced losses of $24,000.
For some organisations, the costs are much greater than these averages might suggest. In its 2019 Internet Organised Crime Threat Assessment, Europol cites the example of a ransomware attack on Norsk Hydro AS that cost the company €35 million (p. 24). Several individual costs add up to billions of dollars or euros a year. In February 2018, the Center for Strategic and International Studies (CSIS) and the security firm McAfee calculated cybercrime’s annual cost at around $600 billion. [*]
To put this into perspective, economists believe that the Internet generates between $2 trillion and $3 trillion a year of the world’s GDP. That means that perhaps as much as one-fifth of the Internet’s total value is disappearing due to cyber theft each year, according to US security expert John P. Carlin. 
That was in 2018.
Two years later, the EC has said that the annual cost of cybercrime to the global economy in 2020 is closer to €5.5 trillion, double that of 2015, and that it represents the largest transfer of economic wealth in history.
As astonishing as these numbers are, the true cost of cybercrime and cyberattacks is more than the cost to businesses of cleaning or replacing infected code and compromised computers, of network downtime and of reputational damage. The true cost has to take into account the costs to individuals: the 19,000 patients who have missed surgeries because the National Health Service was a victim of the WannaCry ransomware attack, or the customers who become stressed when they find lots of big items on their credit cards of which they have no knowledge. The cost of cybercrime should take into account not only the lost time of having to deal with attacks, but also the damaged morale and stress it causes, which is unknowable. There’s also the opportunity cost, when time and money spent responding to cybercrimes could have been spent doing something more productive.
There are still other social costs arising from cybercrime and cyberattacks, notably, the polarisation of society, as we saw arising from Russian interference in the 2016 US election, the loss of trust in our institutions and the fracturing of alliances. It is a challenge to quantify these costs: they may be invisible, but they are real.
Despite these real costs, more than half of the 1,500 businesses surveyed by the CSIS for its 2020 report said they do not have plans to prevent and respond to a cyber incident. Due to under-reporting, it is a challenge to gauge the real impact and costs of cybercrime. Responding to and preventing cybercrime obliges everyone – individuals and companies – to follow good practices and to understand that being a victim of cybercrime should not be regarded as an individual failure or cause for shame.
In the CC-DRIVER project, we are conducting a socio-economic impact assessment of cybercrime, in which we will take account of the visible and invisible costs, while bearing in mind Carlin’s observation that “(t)oday it’s impossible to truly capture the cost of cyber crime.” Moreover, our consortium recently completed a report exploring divergences between cybercrime typologies and recommending greater harmonisation in this area. This would facilitate more accurate assessments of the costs of cybercrime on a global scale.
Whatever the true cost, we can see it is of mind-boggling proportions. Unfortunately, the burden of these costs will fall not only on government and businesses, but on everyone else too. Also, unfortunately, individual cyber criminals can cause huge social and economic damage with little blowback, which is why it behooves all of us – governments, companies, universities, the media, citizens – to be constantly on the alert for cybercrimes and cyberattacks and to press for effective deterrent policy options.
[*] In their Dec 2020 report, they estimated the cost at more than $1 trillion.
Carlin, John P., Dawn of the Code War, Public Affairs, New York, 2018, p. 88.
EU Cybersecurity Strategy, Brussels, Dec 2020, p. 3.
Zhanna Malekos Smith and Eugenia Lostri, The Hidden Costs of Cybercrime, CSIS and McAfee, 2020, p. 4.