REIMAGINING THE ENTERPRISE | A ZDNet Multiplexer Blog

Capping the cost of cyber-crime

Cyber-crime is a huge drain on business resources which occurs across organisations and sectors and is a cost we all pay for.

The Depository Trust and Clearing Corporation, the organisation that processes securities transactions in the USA, has described cyber-crime as "arguably the top systemic threat facing global financial markets and associated infrastructure".

A study in 2015 found that the average cost of a cyber-crime incident in the USA was £15.4 million - a 19% increase on 2014. And even though cyber-crime incidents in the USA cost more than in any other country, globally the average figure per incident is still $7.7 million.

According to the Belfer Center in the USA, "the Netherlands has shown that cyber-crime costs Dutch society at least 10 billion Euros per annum, or nearly two percent of their GDP. Germany and the United Kingdom report similar losses." As well as direct, quantifiable losses, the damage to brand and reputation can take months or years to gauge.

So cyber-crime is expensive. Yet as digital footprints and reliance on technology grows, the target surface available to cyber-criminals widens. Incidents cover a range of activities, including industrial espionage, loss of intellectual property and theft of identity and sensitive data belonging to both companies and their customers. Attackers are also increasingly focusing on smartphones, many of which are used for work as well as personal use, thus opening up the potential for attacks on corporate data. At the same time, the growth of IoT will open up a new range of possible attack zones.

As a consequence, companies are spending larger amounts of money on pro-active methods for reducing the number and severity of attacks. This makes clear business sense, as fewer successful attacks means lower losses.

The question is: can security costs be capped while still reducing attacks, and therefore the losses those attacks cause?

Precision predictions

In the financial sector, banks now routinely share information about attacks and how they manage to prevent them, on the understanding that such sharing - although initially inimical to this instinctively tight-lipped sector - benefits all.

Understanding a company's vulnerabilities helps to cap costs because defences can be focused on particular areas. Intelligence about potential vulnerabilities can be gathered by deploying so-called white hats - security experts who may be reformed hackers - to explore the security perimeter and receive payment for each gap they discover.

And security technology companies are increasing the accuracy of their attack forecasts: one found in 2014 that seven of its eight predictions for the previous year were accurate. In general, criminals have shifted towards more targeted attacks instead of high volume distributions of malware. They have also moved towards attacks on cloud-based data, in response to corporations' relocation of assets and applications to the cloud.

Yet according to consultants CapGemini, companies have three roadblocks on the route to improved security:

1. Their lack of agility compared to attackers

2. Flat security budgets that leave them unable to face threats effectively

3. Lack of cyber-security specialists

Is cloud the answer?

While prediction helps to cap the costs, the number of attacks will increase: they have done so every year and there is no reason to assume this trend will change.

The good news from a budget perspective is that the cost of basic products such as anti-virus software is fairly stable, as the market is maturing and competition keeps a lid on prices. The less good news is that the cost of most other protective measures is unlikely to stay static - including those essential security staff.

One way to help cap the cost is to employ a cloud security service provider, which saves having to find and employ highly qualified security staff. Greater defence precision will help too, but the budgets of the attackers - especially those who are state-funded - are continuing to grow. Moreover, concentrating purely on cost-capping in an environment where attacks are growing in numbers, complexity and precision seems a strategy unlikely to deliver enhanced security in the medium to long term.