McAfee: Cybercrime Costs Companies $100B -- Or 500,000 Jobs -- A Year

Data breaches by cybercriminals are costing U.S. companies approximately $100 billion annually, which is roughly equivalent to 500,000 jobs, McAfee said in a report issued Monday.

The cybercrime report, sponsored by the security company and conducted by the Center for Strategic and International Studies (CSIS), a Washington, D.C.-based public policy research institution, outlined the estimated economic impact of cybercrime and cyberespionage on businesses in the U.S. -- estimated to range between $20 billion and $140 billion a year.

Tom Gann, vice president of government relations at McAfee, said the findings were very interesting and that the CSIS' involvement added weight to the report.

"It's a very credible organization who's been focused on cybersecurity for a while," Gann said. "They looked at the cost borne by the economy. It was really a 'bottoms-up' study: they looked at the different categories of cybercrime ... then added up those costs to derive the final number."

Sponsored post

[Related: Kaspersky: We're All Targets As Cybercriminals Get Smarter Every Day ]

In 2011, the Commerce Department estimated that $1 billion in exports equaled about 5,080 jobs -- putting $100 billion in lost revenue on-par with about 508,000 lost jobs, according to the report.

However, that number isn't a "net" loss of jobs as workers find new employment, but the concern is when the loss hits high-paying sectors, the report said.

This is a particularly important part of the study, according to Gann, who used a biotech company's loss of intellectual property as an example.

"If firms are being competed against as a result of those IP losses, good high-paying jobs could be put at risk," Gann said. "Scientists [and other highly paid professionals] may find that the next job they find is not as good. That's where the impact of the loss of IP can become so important."

Brent Allen, CEO of Falkor Group, a Chicago-based MSP, said he's seen this happen with job outsourcing.

"When people lose their jobs that are outsourced overseas, we see that they aren't necessarily finding the same high-paying jobs," Allen said. "Not as much anymore, but there was a couple years back where we were seeing it a lot."

Micah Teeters, head of Trust Development at Dayton Technology Group, a Vandalia, Ohio-based networking MSP, said that when it comes to cybercrime, companies are leaving some pretty big holes in security with mobility and the BYOD movement.

"You're allowing [employees] to receive all their emails and they're walking out the door with them," Teeters said. "That's a big concern when it comes to security. They're basically walking out with a computer in their purse and there's not a whole lot of talk about that."

Though the money lost after a cyberattack might be substantial, it's time that companies really end up losing, according to Teeters.

"Even for an IT company, it takes weeks to figure that stuff out: who hacked in, how they got in, what's missing," Teeters said. "It really takes some forensic digging."

NEXT: Difficulty In Measuring The Cost Of Cybercrime

In its report, McAfee addressed the differing range of estimates regarding cybercrime released over the years in various studies and called it a "startling variation" that ranged "from a few billion dollars to hundreds of billions."

Part of the difficulty in collecting data surrounding cybercrime comes from trying to quantify the "abstract" worth of intellectual property, according to the report.

"Companies conceal their losses and some are not aware of what has been taken," the report said. "Estimates are often based on anecdotes or surveys. These problems combine to leave some previous estimates open to question."

Falkor Group's Allen said that on the compliance side of security it's not as difficult to quantify the financial loss of a data breach because of regulations that penalize certain industries for losing compromising data.

"It's a little easier to quantify because we know what the penalties are," Allen said. "If you had a data breach or created unauthorized access to patient data, we know what those fines are and they're pretty stiff."

McAfee's current estimate of $100 billion is much lower than its own 2009 worldwide estimate of $1 trillion, cited in a White House review of U.S. cyberspace policy.

"In retrospect, it was a pretty good study," McAfee's Gann said of the extrapolated survey method used by professors at Purdue University, "[but] the CSIS study used a more sophisticated [macroeconomics] model. We're heartened by the results of the CSIS study, because we're hearing from peer groups that they did the best job possible."

A reflection of McAfee's latest report is that security is becoming more of a mainstream concern, according to Allen.

"It's just really echoing what we know out there," Allen said," that [cybercrime] is a problem and the industry is not reacting fast enough to it."

While data security isn't a new issue for companies, it's a changing field, according to Dayton Technology Group's Teeters.

"When the notebook first came out, they thought they could take it anywhere," Teeters said. "I think we're going through a second phase of that with mobile devices. I think there are huge opportunities in that realm for security audits."

Allen also said that security is a growing sector of the tech market that the channel is well-positioned to serve.

"We're definitely focused there and there's just a growing need at all levels for compliance security," Allen said. "If you're a vendor to a hospital or financial institution, there's a certain amount of compliance needed."

The latest McAfee report is the first in a series of tech security research studies set to come from the Santa Clara, Calif.-based company, according to Gann.

"The follow-on study will do a much deeper dive into the [issue] on a global basis and focus on the strategic implication of cybercrime and theft," Gann said. "Let's say something in the range of $100 billion is lost in IP, that's important, but what does that mean in five or 10 years? I think the follow-on study will be very interesting and will hopefully make a contribution to the public policy debate on cybersecurity."