How much does cybercrime cost? What are the average costs associated with a single attack? And what is the cumulative annual cost of cybercrime?
Analysis Summary
# Main Topic
Analysis of the calculation methodologies, scope, and resulting magnitude of global and regional cybercrime costs, emphasizing the lack of standardization and high variability in reported figures.
## Key Points
- **Lack of Standardization:** There is no standardized methodology for calculating cybercrime costs, leading to wide variations in estimates between reports.
- **Vendor Incentives:** Cybersecurity vendors are incentivized to use the highest available cost estimates in their communications to maximize sales appeal.
- **Inclusion Scope:** Comprehensive cybercrime costs cover direct costs (e.g., ransom, investigations, lost funds, legal fees) and significant indirect costs (e.g., lost productivity, reputational harm, increased insurance premiums, loss of competitive advantage).
- **Global Projections:** One projection estimates the global cost of cybercrime at $10.5 trillion for the year (May 2025), rising from $1 trillion in 2020, potentially plateauing around $12.2 trillion by 2031.
- **UK Regional Costs:** Cybercrime costs in the UK were reported at £64 billion annually, split between £37.3 billion in direct costs and £26.7 billion in indirect costs.
- **Metric Skepticism:** Reports (e.g., Atlantic Council) criticize current cybersecurity metrics for relying on intuition and anecdote, which prevents measurement of policy efficacy and of the true state of security.
## Threat Actors
- Not specified. The analysis focuses on the economic impact across the ecosystem rather than attributing specific costs to named threat actors or campaigns.
## TTPs
- Not applicable. The article does not detail specific technical tactics, techniques, or procedures (TTPs) used by threat actors.
## Affected Systems
- The scope of impact is broad, affecting global economies, businesses, and governments, particularly regarding the security landscape and data integrity (data loss, intellectual property theft, operational disruption).
## Mitigations
- **Targeted Investment:** Businesses should focus on making smart, targeted investments in cybersecurity and cyber insurance to reduce organizational risk exposure.
- **Vulnerability Assessment:** Organizations critically need accurate assessments of their specific vulnerabilities, based on trending attacks and expanding attack surfaces.
- **Policy Metric Improvement:** High-level recommendations suggest significant changes in how cybersecurity metrics are conceptualized to better assess policy effectiveness.
## Conclusion
While the exact figures for cybercrime costs should be treated with skepticism due to calculation variability and vendor bias, the threat intelligence narrative confirms that cybercrime imposes massive and escalating economic damage globally. Businesses should prioritize risk reduction through specific vulnerability assessments and tailored security investments rather than relying solely on generalized cost statistics for decision-making.