CISOs: What the New CSIS and McAfee Global Cost of Cybercrime Study Means for Your Business

Want to give your executives a quantified picture of cybercrime risk? A new study by McAfee and CSIS (The Center for Strategic and International Studies) has put boundaries and rigorous methodology around a hyperbole-shrouded topic. In this McAfee-sponsored deep dive, they’ve assembled a global assessment of the tangible costs—in money and jobs—of online criminal activities.

These pearls of wisdom may be perfect to drop into your next executive or governance review:

If your company plans to grow by:

…Digitalization, or digital transformation, cybercrime extracts between 15% and 20% of the value created by the Internet. Extrapolation says 1 in 5 or 6 companies or new Internet-centric lines of business within companies will fail because of data theft and fraud.

…Globalization, developing countries are disproportionately vulnerable, often very immature in their Internet security infrastructure and intellectual property protections. So your service design and service success may be affected. According to the report, “One official we interviewed said that once a country (in Africa) gets broadband connectivity, usually without adequate defenses, cybercrime spikes within a few days. The overall effect of the spike on global losses is limited, as the less developed countries do generate the bulk of global income, but the regional effect is significant. Wealthier countries are more attractive targets for hackers but they also have better defenses. Less-developed countries are more vulnerable.”

If a high proportion of your business value and market share depends on protecting intellectual property (IP), such as software source code, product design documents, or chemical constructs:

…IP theft is the number one business impact of cybercrime. In industries where IP is easy to implement – in a manufacturing design or pharmaceutical formula, for instance – IP is most heavily targeted and most rapidly monetized.

…Hackers are targeting the startups and small entrepreneurial firms that create innovation as well as big, established companies. Losing IP to cybercrime taxes business health, competitiveness, and market progress in a process the report dubs “innovation cannibalism.” The report says, “In most cases, the value of research and development is the head start it gives companies in the market…If the research is stolen, and the lead lasts only three months rather than a year, then the return on investment is a quarter of what it would have been absent cybercrime.”

…Recovery costs can be 10X the value of the data itself. The McAfee-CSIS report indicated that “while we know criminals will not be able to monetize everything they steal, the victim has to spend as if they could monetize all the data or PII [personally identifiable information] that was taken.”

If you process money as part of your business operations:

…Financial fraud is seen as “penalty-free,” making fraud the second largest source of loss based on cybercrime. The largest incidents can hit $100 million, but, in this business, “petty theft” is still big money – with thefts adding up to hundreds of millions in many countries. The report documented broad underreporting that makes these loss numbers likely on the low side.

…This really is organized crime. “There are ‘20 to 30 cybercrime groups’ that have ‘nation-state level’ capacity. These groups have repeatedly shown that they can overcome almost any cyber defense. Financial crime in cyberspace now occurs at industrial scale.”

…It’s not just organized; this cybercrime industry is mature, with an impact on par with the criminal core competencies of drugs and money. In the CSIS research, cybercrime came in just below narcotics and counterfeiting/piracy in terms of impact on gross domestic product (GDP). For a sense of scale, the Organization for Economic Development (OECD) estimated that counterfeiting and piracy costs companies as much as $638 billion per year.


If these stats make you think your company should devote its new business development to cyber espionage, the report offers a deterrent: the cyber thief’s company never develops skills and discipline in research and development, hindering its ability to ever build a business around innovation and intellectual property.

To read the whole report, visit:
