When hackers tap into a database and steal the personal information of thousands of users, there's always a cost associated with the breach. Now, a McAfee-sponsored report is offering insights into the broader economic impact of cybercrime.
In an effort to eliminate the guesswork from estimates on cybercrime costs, McAfee hired the Center for Strategic and International Studies (CSIS), a international policy institution for defense and security , to build an economic model and methodology to accurately estimate these losses.
The results are revealed in a report called "Estimating the Cost of Cybercrime and Cyber Espionage." And the numbers are staggering. The firm estimates a minimum of a $100 billion -- and as much as a $500 billion -- annual loss to the U.S. economy. What's more, about 508,000 U.S. jobs are also lost in the wake of malicious cyber activity.
How Accurate Are the Numbers?
"We believe the CSIS report is the first to use actual economic modeling to build out the figures for the losses attributable to malicious cyber activity," said Mike Fey, executive vice president and chief technology officer at McAfee. "Other estimates have been bandied about for years, but no one has put any rigor behind the effort. As policymakers, business leaders and others struggle to get their arms around why cybersecurity matters, they need solid information on which to base their actions."
So how did CSIS come up with the figures? The firm used real-world analogies like figures for car crashes, piracy, pilferage, and crime and drugs to build out the model. CSIS believes this is a better approach than surveys because companies that reveal their cyber losses often cannot estimate what has been taken -- intellectual property losses are difficult to quantify and the self-selection process of surveys can distort the results.
In its report, CSIS classified malicious cyber activity into six areas: the loss of intellectual property; cybercrime; the loss of sensitive business information, including possible stock market manipulation; opportunity costs, including service disruptions and reduced trust for online activities; the additional cost of securing networks, insurance and recovery from cyberattacks; and reputational damage to the hacked company. What about the jobs estimate?
"Using figures from the Commerce Department on the ratio of exports to U.S. jobs, we arrived at a high-end estimate of 508,000 U.S. jobs potentially lost from cyber espionage," said James Lewis, director and senior fellow, Technology and Public Policy Program at CSIS, and a co-author of the report. "As with other estimates in the report, however, the raw numbers might tell just part of the story. The effect of the net loss of jobs could be small, but if a good portion of these jobs were high-end manufacturing jobs that moved overseas because of intellectual property losses, the effect could be wide ranging."
What This Means for Enterprises
We caught up with Tom Cross, director of security research at Lancope, to get his take on the results. He told us a key takeaway from an enterprise security perspective is that breaches have an ongoing cost that can take a long time to manifest as intellectual property continues to be stolen from the organization and is put into practice competitively in global markets.
"This fact underlines the importance of disrupting, ongoing compromises inside of corporate networks even after perimeter security has been breached. Attacks are not over once the network has been compromised -- when an attacker breaches your network his work has just begun," Cross said.
"Attackers may seek to control and observe corporate networks for years in order to continuously collect strategically valuable intellectual property," he said. "Every organization should be engaged in efforts to identify compromises of this sort on their networks and disrupt them."