Truths, Bad Truths, and Cybercrime Statistics

By Phil Reitinger


If you have worked in cybersecurity or law enforcement for more than a moment, you already know that cybercrime is not the crime of the future; it is the crime of the now.  Last week, the UK Government published some great data that confirms what you already knew.

According to the Crime Survey for England and Wales (CSEW), conducted by the UK Office for National Statistics, adults aged 16 and over in England and Wales experienced 3.8 million incidents of fraud for the year ending in March 2016, and an estimated 51% of those incidents were online related.  That’s an estimated 1.9 million incidents of online fraud, affecting about 42 out of every 1,000 adults.  There were also about 2 million computer misuse incidents involving viruses or unauthorized access to personal information, affecting about 44 out of every 1,000 adults.

That isn’t shocking or even surprising.  I’m not sure I have talked to anyone in the US recently who hasn’t received one or more breach notification letters saying that his or her personal information may have been compromised.  Nevertheless, let’s look at this a bit more in depth.

  • These statistics only address crimes against individuals, and not crimes against businesses.  So the real incidence of cybercrime is much higher.
  • In comparison, the numbers of incidents of robbery, theft from the person, or other theft of personal property were much lower than for cybercrime, at 3, 8, and 17 incidents per 1,000 persons respectively.  For example, a resident of England is about 14 times more likely to face an online fraud, or have his or her computer attacked or personal information stolen, than he or she is to be robbed.

The prevalence of cybercrime is driven by simple economics.  We have insecure, connected systems, business practices that are not up to date with the risk environment, and an interconnected, threat-enabled infrastructure that brings perpetrator and victim virtually side by side.

This is the new normal until we decide that it is not.  Government, companies, and individuals are making progress against cybercrime, but it is not enough.  We need systemic change to mitigate systemic risk.  It’s time we all started treating cyber insecurity as a global imperative.  It’s time to do something.

The author, Phil Reitinger, is the President and CEO of the Global Cyber Alliance. You can follow him on Twitter @CarpeDiemCyber.