Government-Backed Report Gets The Cost Of Cyber Crime Wrong

A government-backed report which says cyber crime costs British small businesses £800 million a year is based on highly questionable data, and is probably an over-estimate, according to security experts.

Online crime is having a huge impact on smaller businesses, says the report, which was signed by two government ministers and has been reported in high profile publications such as the Daily Telegraph.

However, the figures don’t stand up to scrutiny, according to experts. It’s not the first time time the government has been accused of hyping security dangers, with an earlier report saying cyber crime costs the UK economy overall around £27 billion a year.

Hyping cyber crime

“Cyber security is a crucial part of the Government’s National Cyber Security Strategy and we need to make sure that all businesses, large and small are engaged in implementing appropriate prevention measures in their business,” says James Brokenshire, under secretary for security in the Home Office, in a Foreword to the report. While most people would agree with that, some would doubt his comment that: “This report will help give a greater understanding of how online security and fraud issues affect small businesses. ”

Professor Ross Anderson, professor of security engineering at the University of Cambridge, described the report as “the usual hype” and “government blah”.

David Willetts, minister for universities and science, also signed the report, which is based on a survey of 2,667 members of the Federation of Small Businesses (FSB).

The FSB survey found that 41 percent of its sample were affected by either fraud or online crime in the last 12 months, and reckoned that the average cost reported was £4,000 per year for each business. The £800 million total cost was ascertained by multiplying £4000 by 200,000 – the size of the FSB membership base, which includes companies with up to 249 employees.

That extrapolation was questionable for two reasons.  Firstly, 59 percent of the sample did not experience any crime, and of those who were hit, 49 percent did not suffer any costs as a result of breaches. It seems the FSB derived its average from the 1105 who were hit, not from the whole survey base.

There was little in the way of differentiating between the respondents either. One could have been a plumber, another a decent-sized tech vendor, likely to suffer much heavier losses as the result of a breach.

To add to the confusion, the FSB has calculated what would appear to be an estimate of the total cost to its members – when there are actually many more small businesses in the country. FSB told TechWeek there are over 4.5 million small to medium-sized businesses in the UK – so if the organisation really believes in an average cost of £4000, it could have got away with multiplying £4,000 by 4.5 million – and claimed an annual cost of £18 billion.

Colleagues of Professor Anderson, however, suggested that standard statistical techniques should be applied to reduce the figure to below £3,000 per firm.

The FSB said it stodd by its £800m figure.

Small businesses getting hacked

In 2011, when a Detica report claimed the UK economy was losing £27 billion a year as a result of online crime, the security supplier and government came in for plenty of stick for similar statistical games. 

Many debunked the research, saying the figure was “ludicrous” and was based on assumption rather than solid research. Professor Peter Sommer, digital forensics specialist, said it was full of “fake precision”, and was an “unfortunate item of British Aerospace puffery”.

However, that £27bn figure lives on – and is even quoted in the FSB report despite the heavy criticism it has faced.

Professor Anderson told TechWeek the latest piece of research may have been carried out by the FSB, but it “had all the hallmarks of a government report”.

“This is the usual hype, in that they mix up a whole lot of things that are not really all that commensurate,” he said. “Overall, we’re not really impressed by this latest piece of Home Office co-branding… it’s yet another piece of government ‘blah’.

“Every time you see the £27 billion figure you know there’s someone who doesn’t know what they’re talking about. It’s like when you used to see the acronym ICT – anybody who used it was either talking out of their arse or was trying to suck up to the government to get some of our tax money. Real computer people never used it.

“This undead figure of £27 billion is now an automatic self-accusatory factor in any report that claims it. That probably means everything coming out of the Home Office and Cabinet Office will simply not be believable.”

Sommer told TechWeek that useful research should be clear about what is being measured. “Now that so much of what we all do is mediated via computer, definitions of cyber crime become ever vaguer. When it comes to valuations – that is easy enough to do when money is taken from an account, rather more difficult when goods are lost,” Sommer added.

“But in relation to industrial espionage and the consequences of IP theft – which were £16.8bn within the absurd Cabinet Office/Detica estimate of £27bn annually in 2011, you are making guesses about no more than lost business opportunities.”

BIS said it did not collect the data, so any questions around erroneous data should be directed towards the FSB. The Home Office said much the same.

The good bits

Anderson said there were certain aspects of the FSB report that were noteworthy, however, especially the sections calling on banks and police to “get off their arse”.

Some of the data was interesting too. Customer or client fraud was the most prevalent kind of fraud, with 13 percent saying they had experienced it in the past year. Card fraud was second on 10 percent.

Two in ten said they had been hit by malware, with eight percent admitting they had been hacked. “Concerning also is the fact that the vast majority of members feel they haven’t been a victim (73 percent) but may not know that their system has been compromised or the victim of hacking or denial of service,” the report read.

What do you know about Internet security? Find out with our quiz!