The Total Global Cost Of Cybercrime? $400 Billion A Year And Growing

The losses associated with attacks on corporate networks and intellectual property theft cost businesses an estimated $400 billion annually, according to a new report, which warns that the global economic impact will continue to increase.

Cybercrime also could cost as many as 200,000 American jobs and Europe could lose as many as 150,000 jobs, according to the report, "Net Losses – Estimating the Global Cost of Cybercrime," which was conducted by the Center for Strategic and International Studies (CSIS), a Washington, D.C.-based think tank. The study was commissioned by Intel Security (formerly McAfee).

The report, whose findings were revealed at a Washington, D.C., event Monday, analyzed open-source data on security incidents and losses to calculate a global annual toll of cybercrime. It then interviewed officials in 18 countries to arrive at the estimate. A conservative assessment would be $375 billion in losses, the report said, while the maximum could be as much as $575 billion.

Several factors are fueling the increase, the report said. Businesses are severely underestimating the risks associated with intellectual property theft and cybercriminals are acting faster to monetize the stolen information, the study found. Law enforcement globally suffers from inadequate resources to investigate cyberattacks. Meanwhile, conducting attacks is inexpensive for criminals who rely on social engineering tactics and on exploiting widespread software vulnerabilities and configuration weaknesses to gain access to systems.

Businesses frequently fail to adequately identify and protect the most sensitive data, relying on broad security strategies to protect an increasingly porous network, solution providers told CRN. The study cites a lack of incentives for businesses to report intellectual property theft and a poor perception of the value of stolen IP. When businesses do make an investment in information security, it often lacks funding for adequate incident response.

"The delay between theft and production can be measured in years for technology products," the report found. "This means that companies underestimate loss and therefore underestimate their risk."

However, a sense of urgency is growing, said William Loupakos, senior vice president at Arlington Heights, Ill.-based reseller American Digital. Businesses often get the message following a serious security incident, he said, citing a recent client that traced the source of a serious infection to a USB drive an employee brought back from China that contained image files with embedded malware.

"We know the Chinese have normal working hours on the security side attempting to hack into corporate customers," Loupakos told CRN. "We're seeing a sense of urgency about security from customers that we haven't seen in the past enterprise server storage discussions."

Law enforcement agencies interviewed in the study consistently cited inadequate resources to probe security incidents and apprehend those suspected of carrying out attacks, said James Lewis, a co-author of the report and director of the Strategic Technologies Program at CSIS. The combination of relatively low risks in being prosecuted and high return on investment makes cybercrime a lucrative business, Lewis said, speaking to reporters and researchers attending the CSIS event, which was streamed live on the CSIS website.

"Police forces around the world told us they simply can't keep up," Lewis said. "It looks like this is a place where countries can do more to improve the ability to catch criminals."

The costs involved are having a serious impact on the global economy, according to the report, as businesses reduce investment in research and development and increase spending on network defenses.

Recovery costs associated with data breaches also are adding to the tally. Businesses that have suffered a data breach suffer from brand damage and the subsequent impact on customer relations and retention.

The report emphasized a longstanding mantra in the security industry that stronger private and public sector partnerships are needed to share threat information and more quickly identify vulnerabilities. The losses are projected to increase, said Stewart A. Baker, a partner at Washington, D.C.-based law firm Steptoe & Johnson LLP and a distinguished visiting fellow at CSIS.

"Even if losses stabilized in developed countries they will continue to grow in undeveloped countries," Baker said. "If you are looking for a future business line, cybercrime looks as if it will continue to pay off and we are going to have continued losses."

The government is best suited to spearhead information-sharing initiatives because its own standards are often inadequate or outdated, said Paul Rosenzweig, CEO of Red Branch Consulting. The inability of government to keep pace with the constantly evolving threat landscape and rapid technology changes makes it a difficult participant in attempts to reduce losses, Rosenzweig said. He cited the National Institute of Standards and Technology’s voluntary framework for improving critical infrastructure cybersecurity as a plan with good intentions that falls short.

"It sets a bare minimum standard that doesn't address a lot of the advanced threats we see today," Rosenzweig said. "Government’s best role would be to get out of the way of the private sector in terms of actual activity in developing new tools to combat cybercrime because I don't think they are quite nimble enough to do that on a consistent basis."