The ‘Net losses: Estimating the global cost of cybercrime' report was carried out by the Center for Strategic and International Studies (CSIS) and sponsored by McAfee and it reveals that cyber-crime costs range from £223 nillion to £342 billion with £265 billion being the median.
The costs are broken down as IP theft, financial crime, confidential business information and market manipulation, recovery cost and ‘opportunity cost' – such as investment R&D and increased spending on network defences.
But away from the headline figure – which would represent as much as 0.8 percent of global annual income, the report highlighted that cybercrime costs can also be hidden, such as the effect on business deals, unemployment and even national economies.
The study indicated that cybercrime annually resulted in the loss of 150,000 jobs in the EU – representing a one percent drop in annual employment - and 200,000 in the US. G20 countries suffered the ‘bulk of the losses' with cybercrime losses from the four largest economies in the world US, China, Japan, German reaching US$ 200 billion (£119 billion).
Losses from low-income countries were significantly smaller although that is expected to change as more of these countries, particularly in Africa, start using the Internet.
“The most important cost of cyber-crime comes from its damage to company performance and to national economies,” reads the report. “Cyber-crime damages trade, competitiveness, innovation, and global economic growth.
“Studies estimate that the Internet economy annually generates between US $2 trillion and US $3 trillion (£1.2 trillion to £1.8 trillion), a share of the global economy that is expected to grow rapidly. Based on CSIS estimates, cyber-crime extracts between 15 and 20 percent of the value created by the Internet.”
McAfee EMEA CTO Raj Samani, speaking in London late last week ahead of the report's release, added that the loss of IP property and data cannibalisation is ‘so subjective' and can be a part of these hidden costs.
“You don't know the impact of the lost opportunity costs,” he said. “In many cases, you're not aware that IP property theft has even happened.”
The CSIS report indicates that IP costs are as high as £120 billion to £150 billion per annum.
Samani added that many businesses are unaware what recovery costs – the ‘digital and electronic clean-up' are involved on major breaches, as evidenced by the Sony and the State of Utah data breaches.
“It's one of the areas rarely talked about. Recovery costs can be incredibly high – the state of Utah in Texas had £120 million for consultancy and repairs for an open port in a store in Canada.”
As further evidence of these costs, the study highlighted that while actual hacking costs totalled £520 million in Italy, the recovery or clean-up costs reached £5 billion. In other words, there can be a tenfold increase between the actual losses directly attributed to hackers and the recovery companies must implement in the aftermath of those attacks.
Available for hire
McAfee says that there are approximately 20 to 30 cybercrime groups of “nation-state level of capacity”, with many of these carrying on industrial or governmental espionage. For Samani, the biggest concern is that many of these groups are available for hire at the right price.
“The most concerning about that statistic is that those particular groups are also available for hire. Quite frankly, they would be available for cyber-criminals or nation states - basically anyone willing to pay the highest.”
Paul Gillen, head of operations at the European Cyber Crime Centre (EC3), added that organised crime groups are running botnets to take over citizen computers, steal bank credentials and may then carry out DDoS attacks to disrupt financial services while they take out the money.
He added that the same botnets are used to send spam and even solicit with other criminals for ‘crime-as-a-service', where third-parties are paid per infection rate for malware.
“So it's quite a sophisticated business model. They've got people that can write the malware and those people obviously need to test it, deploy it and perfect so it's not seen by common anti-virus products,” said Gillen.
“The business model is quite complex and obviously, as we can see from the report here, it's certainly quite profitable. It's going to flourish.”