Cybercrime to Reach $23 Trillion By 2027: What Can We Do?

What is cybercrime?

Cybercrime is any criminal activity involving computers, networks and other digital channels. These attacks are reaching epidemic proportions. According to the FBI’s Internet Crime Report, cybercrime costs in the United States reached $12.5 billion in 2023. In a digital press briefing, Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technologies, revealed that the average annual cost of cybercrime worldwide is expected to hit $23 trillion by 2027.

How does cybercrime affect small and medium-sized businesses (SMBs)?

Large companies aren’t the only victims of cybercrime. According to the United Kingdom’s Cyber Security Breaches Survey, 45 percent of mid-market companies can expect a cyberattack in 2024, with the most common attacks including phishing and ransomware.

Steve Tcherchian, chief information security officer (CISO) and chief product officer at cybersecurity solutions company XYPRO.com, has witnessed the devastating effects of cybercrime on SMBs and urges businesses to stay vigilant. “I was personally brought in as an expert during a ransomware attack on a high-end real estate firm in Southern California, which paralyzed their operations for nearly a month,” Tcherchian shared. “Despite repeated advice to implement best practices, the firm neglected proper security measures and budget allocation, fearing disruption or delays in their high-paced environment.”

The firm’s decision proved devastating, leading to significant financial losses and operational disruptions. It paid a hefty ransom but only recovered a portion of its data. “It took over a month to fully recover their systems and data, requiring the manual entry of thousands of records from paper files,” Tcherchian recalled. “In the end, the attacker received their payout, leaving the firm to painstakingly rebuild their business.”

What do cybercriminals target?

When they attack, cybercriminals usually target the following five value assets:

1. Commercial data:Commercial data includes trade secrets, corporate takeovers, intellectual property and research and development projects. This data can fetch millions of dollars on the open market as businesses try to gain a competitive advantage. Commercial data theft is akin to cyber-industrial espionage. [Related article: What Is Intellectual Property Insurance?]
2. Customer databases:A significant market exists for individuals’ personal and financial details. Even more worrying, there’s value in selling details of people’s health conditions, which is why adhering to Health Insurance Portability and Accountability Act (HIPAA) laws is so critical. 
3. Customer payment details:Credit and debit card details are lucrative. Though banks use artificial intelligence and machine learning to detect unusual payment patterns, cybercriminals can still extort millions of dollars and move the money offshore quickly.
4. Money in the bank:Two-factor authentication (2FA) and other security measures make it almost impossible to access the cash sitting in company bank accounts. However, with social engineering attacks and other tactics, criminals can still access your firm’s money.
5. Company identity: Cybercriminals can change company contact and decision-maker details at government agencies. They can then open trading accounts with retailers and banks to take out loans. Consumers have been affected by this type of scam for years and the number of businesses falling victim to it is growing fast.

How do cybercriminals conduct attacks? 

Cybercriminals pull off attacks in three primary ways:

1. Technological manipulation:Hackers gain access to data on vulnerable computer systems and cloud networks.
2. Employee manipulation:Employee manipulation in the form of social engineering takes advantage of typical decision-making shortcuts. For example, if the “boss” emails you asking you to transfer money, you’re unlikely to verify their identity because you don’t perceive the situation as risky.
3. Insider theft:According to the 2023 Insider Threat Report, 74 percent of firms are “moderately vulnerable” to insider threats. One significant threat is “privilege misuse,” where staff members use their access to company data and resources to carry out unauthorized activities. The survey found that 89 percent of inside actors were motivated by money, 13 percent had a grudge and 5 percent engaged in espionage.

What techniques do cybercriminals use?

Below are 16 of the most successful cybercriminal business scams: 

1. Business email compromise (BEC) scams: According to the FBI’s 2023 Internet Crime report, BEC scams cost U.S. companies an astonishing $2.9 billion annually in losses. In these scams, hackers pretend to be senior company executives via email or phone to trick lower-level staff members into transferring a company’s money or sensitive data to cybercriminals.
2. Cryptojacking: In a cryptojacking attack, hackers install malicious software on a victim’s computer to mine cryptocurrencies. This scam increases victims’ electricity costs and strains computing systems, often to the point of breaking.
3. Cyber extortion:In cyber extortion attacks, hackers gain access to commercially valuable or confidential information, such as data from law firms or health clinics. They threaten to dump the data online or sell it to a competitor if you don’t pay them a ransom.
4. Data diddling:Data diddling is a type of fraud that involves falsifying numbers. For example, say your restaurant receives 12 crates of wine and you enter that number into your inventory software. However, a dishonest worker changes that number from 12 to 10, steals and sells two wine crates and pockets the money. Data diddling is a common restaurant employee scam, but it can affect many business types.
5. Distributed denial of service (DDoS) attacks:In a DDoS attack, cybercriminals make millions of requests to access your websites, internet connections and computer networks, causing them to shut down because they can’t cope with the demand. Companies often must pay “release fees” to stop the attacks.
6. Evil twin attack: Many hospitality venues and travel hubs offer visitors free Wi-Fi access. However, hackers can set up rogue Wi-Fi networks that mimic the location’s name to trick unwitting users into choosing the sham network. If an employee logs onto the spoof network, their data can be intercepted and manipulated.
7. Identity theft: While identity theft is typically considered a personal cyberattack, businesses can also fall victim. Businesses are even more lucrative targets than individuals because they take larger loans and altering their ID details is easier.
8. Internet of Things (IoT) breaches:Companies often use the latest technology to prevent servers and terminals from being attacked. However, hackers often gain entry easily through poorly protected IoT devices like security cameras.
9. Malware:Malware allows hackers to alter or control computer behavior. Often, as with cryptocurrency mining, malware can damage a computer. Other times, it performs keystroke logging to send information to cybercriminals who try to hack passwords and break into the broader computer network.
10. Man-in-the-middle attacks:Man-in-the-middle attacks often involve impersonating professionals like lawyers to manipulate people into undesirable actions. For example, say you got an email from your lawyer telling you to transfer a deposit for a new home. The email may look legit, but it’s a bad actor attempting to steal your money.
11. Password attacks: Many varieties of password attacks exist, including brute-force attacks, in which hackers enter millions of passwords quickly, hoping to get lucky. Sophisticated attacks can occur when cybercriminals choose a victim and monitor their social media activity to glean password clues.
12. Phishing: Phishing emails (or texts) impersonate legitimate organizations like retailers and banks you typically do business with. They may say your account has a problem and urge you to log in. In reality, they’re diverting you to their website or platform to steal money or information.
13. Spear phishing: Standard phishing attacks are random and en masse while spear phishing is much more targeted. Scammers gather data on targets from social media, company websites and other sources. They use this information to impersonate the target and trick others into actions like revealing confidential information, similar to BEC fraud.
14. Software vulnerability exploitation:Cybercriminal gangs discover ways to breach and take over computer networks by exploiting security weaknesses in apps and programs.
15. Structured query language (SQL) injections: SQL injection attacks are sophisticated and work by exploiting vulnerabilities in the databases that power websites. For example, hackers may insert malicious code into query fields on a vulnerable e-commerce site. This code tricks the website into giving hackers access to the retailer’s database, allowing them to steal sensitive information like customers’ credit card details.
16. Watering hole attacks: In a watering hole attack, cybercriminals identify the websites that employees in a target company regularly visit and infect them with malware. Next, they infiltrate users’ computers using SQL code or cross-site scripting. For example, one gang targets luxury hotels, attempting to hack high-profile and high-net-worth individuals.

How can businesses prevent cybercrime?

Cybercriminals steal your company’s data, money and assets by looking for weaknesses in your information technology (IT) setup and catching your staff off-guard. To prevent and combat cybercrime, it’s essential to shore up your technology and train your team. 

1. Bolster your technology to prevent cybercrime.

Take the following 20 steps to improve your technological safeguards and protect your organization from cybercrime. These security tips can protect your business data and save your company from devastating consequences: 

1. Create a cybersecurity incident response policy: A well-thought-out cybersecurity plan can help you prevent attacks. However, cybercrime incidents can still occur. In these cases, you need an incident response plan in place to help you react appropriately to a data breach or other attack and mitigate the damage.  
2. Form a cybersecurity incident response team: You’ll need a team to carry out your plan. Assess the types of attacks your organization is most vulnerable to and form a team to address each aspect of your response. Appoint leaders for general areas like threat detection, incident containment and system recovery and provide them with the technical and human resources required to do the job.
3. Run emergency drills: Test your cybersecurity response plan and team with drills consisting of simulated cyberattacks. These drills will help you spot plan weaknesses, determine how best to reallocate resources and decide whether to bolster your response by incorporating outside experts.
4. Encrypt your data:Ensure your company data is encrypted. Encrypted data is “jumbled up” and indecipherable without a key. If a hacker breaches your system and doesn’t have the key, they can’t use the data.
5. Keep software and apps updated:Software vendors release updates periodically to protect clients against new and emerging cyberthreats. Apply patches the same day vendors release them and hackers will be much less likely to breach your system.
6. Restrict who can install software on your network:Your IT team can’t apply patches to apps and software programs they don’t know are on your network. Limit who can install software on your system and keep a record of everything installed.
7. Delete software you don’t use: Audit your system regularly, your data stored on cloud storage services and everything connected to your network to monitor unused applications. Uninstall any unused software apps to prevent them from becoming attack vectors in the future.
8. Delete unsupported software:Uninstall software that vendors no longer support, patch or update. Ask your team about programs they’d prefer to use and ensure their vendors support them.
9. Know what connects to your network:List and continually update every computer and device authorized to connect to your network. Hackers generally don’t have access to authorized devices, so your system will block them when they try to connect.
10. Limit account privileges:Use access control systems to allow employees to access only the apps, programs and data they need to do their job. Limiting access restricts the amount of damage a hacker can do if they steal someone’s credentials.
11. Use antivirus software:Install excellent antivirus and internet security software to stop ransomware and malware from infiltrating your network.
12. Implement strong firewalls:Firewalls can detect viruses and stop malware and phishing attacks. Select a firewall that monitors traffic patterns over time and alerts an IT team member when suspicious activity occurs. 
13. Back up data regularly:Use a backup service with cloud data encryption. A cybergang cannot threaten your data if you have a copy securely stored elsewhere. A secure backup also means you can get back to business much faster if an attack occurs.
14. Secure your company’s Wi-Fi network:Phones and other devices scan for “beacon frames” when looking for business Wi-Fi By switching off the beacon frame, you can make yourself invisible to outsiders.
15. Practice robust password management:People are notoriously good at choosing weak passwords. Ensure your team uses secure passwords and consider implementing an encrypted, centralized password-management system to better protect your network and terminals.
16. Implement 2FA: 2FA requires a second security element when logging into an account or device. For example, if you try to log into Google from a new device, Google sends a confirmation code to a known trusted device. 2FA makes it challenging for hackers to bypass your network’s defenses.
17. Protect IoT devices properly:IoT devices, including connected printers and cameras, present an opportunity for hackers to infiltrate your network. Secure every item connected to your network with the same diligence you use for terminals, laptops and mobile devices.
18. Consult white-hat hackers:White-hat hackers are reformed hackers who attempt to break into your computer network with your permission. They can tell you which areas are particularly vulnerable and how you should better protect yourself.
19. Use virtual private networks (VPNs) for remote access: Although 4G and 5G cellular signals are highly secure, employees may connect to Wi-Fi in coffee shops, airports and hotels. However, as mentioned earlier, these Wi-Fi networks can be spoofed. To ensure secure remote access, instruct all employees to connect to a VPN if they’re dialing into your network, apps and data.
20. Monitor network traffic: Network monitoring tools can be highly effective in determining whether a cyberattack is underway. They’ll alert you to signs like spikes in data transfer rates, repeated login failures and unfamiliar IPs trying to access your systems.

2. Train your team to prevent cybercrime. 

Tcherchian says SMBs often make the mistake of treating cybersecurity as an “IT issue” for the “IT guy.” However, every member of your organization can help shore up your cyber defenses. Invest in employee training to educate and empower your team and turn them into “human firewalls.” Impress the following tenets onto your staff members: 

1. Question everything out of the ordinary:Create a list of checks and balances within your company to detect phishing. For example, if the CEO calls accounts payable demanding money for an invoice, require the employee to report it to their manager immediately. Encourage staff to speak up if they get any suspicious requests by phone, email or text.
2. Don’t assume public Wi-Fi is safe:Although the old, insecure Wi-Fi Protected Access 2 protocol is being phased out, it’s still used in many places. Instruct employees to connect to the office using an encrypted VPN or 4G or 5G signals when they are out of the office. 
3. Be careful what you tell others:Many managers and employees use personal branding via social platforms to enhance their organizations and reputations. Instruct your team to be careful about how much they share on social media because cybercriminals could use that information to impersonate them.
4. Double-check remote desktop access requests:IT teams often connect to co-workers’ computers via the best remote PC access software to troubleshoot issues. Hackers know this and may pretend to be from your IT team. Instruct your team to check directly with the IT manager to ensure access requests are valid.
5. Understand the risks of cybercrime:Most employees don’t know how devastating a data breach’s financial and reputational damage can be. Train them on what to look out for and when to speak up. Monitor their performance, test them regularly and reward staff who raise the alarm.
6. Be careful with emails and websites: Train your employees to recognize suspect emails as potential phishing attacks. Teach them to be suspicious of emails with unexpected attachments and spelling errors. Instruct them not to click on URLs within emails that don’t match the sender’s email, as they’ll likely lead to a spoof site clone.
7. Understand the importance of data minimization: Data minimization means staff members can only access the data they need to do their jobs. It’s an important practice to implement because if a hacker gains entry to a user’s account, they will only be able to access that user’s data — not the greater company network. Get your team used to the idea of minimizing data storage and holding only the data they need to operate.
8. Strong passwords are critical: Some IT managers can manage employees’ passwords centrally to better control access. However, if this isn’t possible, insist that colleagues use strong, unique, hard-to-guess passwords for every account. The same goes for passwords required for dual-factor authentication systems.
9. Understand “bring your own device” (BYOD) policy risks: Many companies have a BYOD policy that allows staff members to connect to the company network using their personal devices. If you have a BYOD policy, ensure your team knows the risks involved, registers their devices and installs the latest encryption and antivirus software. Only allow registered employee devices to log in.

How should businesses respond to cybercrime?

You only have to be wrong once to fall victim to cybercrime. If your system is breached, take the following four steps:

1. Understand how the attack happened:Hackers are creative and often break into systems in ways companies didn’t anticipate. Ensure you know how they got in as soon as possible and shut down the threat quickly.
2. Go section by section through your network:You may have gotten the cybercriminals out of your system, but have they left any unpleasant surprises? Go through your network and devices one department at a time to ensure the threat won’t return.
3. Start the rebuild when a department is clear:As you declare each department clear, begin reinstalling apps and programs separately. Only reconnect network elements that have been cleared.
4. Download data from backup cloud locations:When it’s safe, reinstall your cloud connection to your company databases. At this point, you should be able to continue doing business securely.

Taimur Ijlal, former CISO of the Year and senior security consultant at Amazon Web Services, says preparation, including documented procedures, is the key to managing a cyberattack. “Having an incident response plan with designated leaders in place responsible for issues like recovering data and restoring the IT system makes all the difference,” Ijlal said.

Additionally, business transparency in these instances is crucial. “It’s important that you also notify stakeholders like customers and suppliers for full transparency and to avoid accusations of covering an incident up,” Ijlal advised.

A data breach can damage your reputation, leaving customers unwilling to entrust you with their data. Customers affected by the breach may even bring a class action lawsuit against you. Cybersecurity threats are too big for small companies to ignore, so start preparing now.