When Detica, the security technology and services vendor, released its government-backed report on the economic cost of cyber crime earlier this year, its £27 billion headline figure was front-page news.
This number – comprising a £3.1 billion annual cost to UK citizens, £2.2 billion to the government and a staggering £21 billion to businesses – was met with incredulity in some quarters.
"Pretending they’ve got reliable figures out of this is nonsense," LSE information security professor Peter Sommer told Information Age at the time. "It’s a great pity the government has allied themselves to a grubby piece of puffery."
There were, of course, a number of assumptions and estimates behind the £27 billion figure. One conspicuous example is the highly speculative claim that cyber criminal intellectual property theft alone costs UK businesses £9.2 billion per annum.
According to Detica’s technical director Henry Harrison, that figure includes "an estimate of how much money the people who had stolen the [IP] would be able to make from it, and the consequent loss to UK businesses".
Harrison defends the report as a "first effort" to put a price tag on what is undoubtedly a serious issue. "There’s no good saying there’s an economic problem without putting a quantity on it," he says. "And some government commentators said it might be an underestimate."
It was, Harrison explains, an attempt to bridge the ‘information gap’ that conceals the true economic impact of cyber crime.
"There’s a real information issue in the market," he says. "Most of the stuff that is going on out there isn’t being reported, either because it isn’t being detected or because the victims don’t want to talk about it."
But recent cyber attacks on high profile victims including Google, security firm RSA and the French finance ministry are beginning to change that, he adds.
These incidents were all examples of a certain kind of cyber attack that the enterprise IT security industry, including Detica, is currently very keen to warn businesses against.
They are defined by two features: the attackers exploit vulnerabilities that had not previously been detected to gain entry to the victim’s infrastructure, and once the network has been breached a human operator navigates that infrastructure looking for valuable information to steal.
Despite the news coverage of a few incidents, it is still difficult for outsiders to assess the scale of this particular issue. Victims usually wish to remain anonymous, and there is only ever circumstantial evidence to suggest who the perpetrators might be.
According to Harrison, it is rife. "From our work, the majority of organisations we have gone to look at have had someone inside their infrastructure that wasn’t supposed to be there," he says. "We have had private sector organisations who have seen attacks clearly targeting the results of their investment projects."
In April 2011, Detica launched a service offering named Treidan that it says will protect customers against this very threat. It works by analysing log messages from within the customers’ infrastructure; when Detica’s proprietary algorithms identify suspicious activity it is flagged up to security professionals in the company’s operations centre for further analysis.
One might say that the fact that Detica has this offering to sell means it is in its interest to exaggerate the risk and potential impact of cyber criminal IP theft. But one might equally say that it would not have invested in the offering unless there was genuine market demand.
For now, anyone who is not privy to these cyber attacks as they happen only has the word of insiders like Harrison to go on – and he says they are beginning to listen. "We think that there is a huge mind shift going on in the private sector as people start to realise this is not science fiction," he says.