How bad is online theft from our banks? Years ago I was consulting for the largest regulators for U.S. banks. I asked how bad cyber crime was against banks. No one seemed willing to answer publicly, but on a break, one of the senior managers told me that online fraud was 2 to 6 percent of a bank's revenue. That's huge! U.S. bank revenues are measured in the hundreds of billions of dollars.
How much faster would the Internet be if cyber crime didn't exist? Spam makes up most of the email sent and has for more than a decade. How much less bandwidth could we buy and still get the same speed if bad things didn't exist? Wouldn't it be nice to buy and sell on the Internet without having to worry about cyber crime? Instead, most of the emails I get about my Craigslist items are from scammers and phishers. I know many people who have lost tens of thousands of dollars to online scammers, and they don't get that money back.
One in every four to eight people has their online identity stolen each year. Many have their credit ruined and spend up to 90 hours (on average) to clear their name. Many of the exploited people never clear their name or credit record. So don't tell me how the banks replacing their stolen money means no harm was done.
According to the FBI, in the United States alone in 2011, more than 300,000 people lost $1.1 billion. Only one in every 21,000 criminals involved in these crimes got caught and prosecuted. This is just the crime that was reported.
If we're trying to figure out the real overall cost of cyber crime, we need to include the accumulated revenues of the entities that are mostly sustained by fighting cyber crime. You must add up the revenues of Symantec, McAfee, CheckPoint (now just a subdivision), Cisco (for firewalls), every anti-malware vendor and every anti-spam, anti-virus, anti-phishing product. Every company and even every person I know has purchased some of these products. What is the cost? In the billions each year.
My whole existence as a security professional is a cost. I get paid well. The companies that hire me pay my company more than my company pays me. When I show up to consult, usually the company has a team of people who meet to listen, discuss, and deploy our recommendations. That is a real cost. Those people are getting involved in something that they would otherwise not need to be involved in, if it had not been for cyber crime.
My entire industry (fighting cyber crime) is a burden on society. We cost a lot, and we do not bring any real value. Well, we bring value in that our customers are successfully exploited less than if we didn't exist, but we don't add productivity above and beyond what the customer would have if cyber crime didn't exist. Every second a company has to spend to deal with cyber crime, every dollar they have to pay, decreases real productivity and increases the cost of the product and service delivered. The cost is very difficult to estimate, but it must be in the trillions.
I make a good living doing what I do, but the reality is that I'm really just part of a huge burden placed on society by criminals. I even like what I do. I find the work interesting. But I really wish that I spent my professional life making people's lives more productive, instead of just helping them to fight what they shouldn't need to fight just to try and be a little productive. There is not a single person in this world, online or not, who isn't affected by cyber crime and who doesn't bear some part of the burden and some part of the cost.
This story, "Cyber crime not a big deal? Get real," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.