Consumers Lost $19.4 Billion to Cybercriminals in 2017

Consumers are confident they’re safe online, but hackers have proven otherwise, stealing $172 billion from 978 million consumers in 20 countries in the past year, according to the 2017 Norton Cyber Security Insights Report, by Norton by Symantec.

Globally, cybercrime victims share a similar profile: they are everyday consumers who use multiple devices whether at home or on the go, but have a blind spot when it comes to cyber security basics. This group tends to use the same password across multiple accounts or share it with others, it said. Equally concerning, said the report, 39 percent of global cybercrime victims despite their experience, gained trust in their ability to protect their data and personal information from future attacks and 33 percent believe they had a low risk of becoming a cybercrime victim.

In the United States, 143 million consumers were victims of cybercrime – more than half the U.S. adult online population. Losses totaled $19.4 billion and each victim lost an average of nearly 20 hours (19.8 hours) dealing with the aftermath.

“Consumers’ actions revealed a dangerous disconnect: Despite a steady stream of cybercrime sprees reported by media, too many people appear to feel invincible and skip taking even basic precautions to protect themselves,” said Fran Rosch, executive vice president, Consumer Business Unit, Symantec. “This disconnect highlights the need for consumer digital safety and the urgency for consumers to get back to basics when it comes to doing their part to prevent cybercrime.”

The report found that consumers used device protection technologies such as fingerprint ID, pattern matching and facial recognition, with 45 percent using fingerprint ID, 21 percent using pattern matching, 19 percent using a personal VPN, 14 percent using voice ID, 16 percent using two-factor authentication and 16 percent using facial recognition. However, consumers who adopted these technologies often still practice poor password hygiene and fell victim to cybercrime.

Consumers express confidence, but are more prone to attacks as they protect newer and more devices. Forty-six percent of U.S. cybercrime victims owned a smart device for streaming content, compared to about one quarter of non-victims. They were also three times as likely to own a connected home device.
Despite experiencing a cybercrime within the past year, nearly a quarter of victims in the U.S. used the same online password across all accounts and 60 percent shared their passwords for at least one device or account with others, negating security efforts. By comparison, only 17 percent of non-cybercrime victims reuse passwords and 37 percent share their passwords with others. Additionally, 41 percent write their passwords down on a piece of paper and are almost twice as likely to use different passwords and save their password to a file on their computer/smartphone than non-victims.

According to the report, 81 percent of U.S. consumers believe cybercrime should be treated as a criminal act. However, when pressed, contradictions emerged. Nearly one in four believe stealing information online was not as bad as stealing property in ‘real life.’ When presented with examples of cybercrime, 41 percent of consumers believed it’s sometimes acceptable to commit morally questionable online behaviors in certain instances, such as reading someone’s emails (28 percent), using a false email or someone else's email to identify their self online (20 percent) and even accessing someone’s financial accounts without their permission (18 percent).

Despite this year’s cyberattacks, Americans generally continue to trust the institutions that manage their data and personal information, the report said. However, they are not as trusting of some institutions and organizations.

Consumers gained or maintained trust in organizations such as banks and financial institutions (76 percent), and identity theft protection service providers (71 percent) despite the attacks that made headlines this year.
Alternatively, more than half of U.S. consumers (53 percent) lost trust in their government to manage their data and personal information within the past year. 39 percent lost trust in social media platforms.
More than one third (37 percent) of U.S. cybercrime victims gained trust in themselves to manage their data and personal information.

Commenting on the results, Dana Simberkoff, Chief Risk, Privacy and Information Security Officer at AvePoint, said: "The real culprit, according to Norton's study, was overconfident end users, who felt they already had enough cybersecurity knowledge and protections in place." To avoid this from plaguing your company in 2018, Simberkoff offers a few actionable tips to ensure data security.

Understand the data you have and where it’s stored. Knowing what information your organization collects, creates, uses and shares is essential to helping your IT professionals create stronger security systems and controls, because these will ultimately be instrumental in protecting your organization from a cyber attack or data breach. You cannot protect everything from everyone, but understanding and managing the lifecycle of valuable data within your organization is critical to building and maintain a robust security framework.
Arm employees with the knowledge and tools to be secure. Make it easier for your end users to do the right thing, rather than the wrong thing when it comes to safe IT habits. Don’t build security barriers that push your employees towards shadow IT practices. Instead, empower them to do their jobs properly by building security and privacy built by design and by default into your corporate networks and systems. Specifically, create policies, rules and permissions that make it seamless for your end users to do their jobs effectively with the designated systems and controls that you have approved.
Engage in constant security and protocol education. Security and privacy must be embedded into your company’s culture. Employees must understand that they are each individually responsible for properly handling information, and should be trained on everything accordingly – from what they can save on personal devices and how to share files externally, down to what potential malware might look like. To be successful, IT education and training must be integrated into employee onboarding, everyday practices and yearly company seminars.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?