Cybercrime drains about $445 billion from businesses each year, according to a new study -- and that cost trickles down to consumers in the form of job losses and other repercussions they may not realize.
The think tank Center for Strategic and International Studies (CSIS) conducted the study, which antivirus company McAfee sponsored and released on Monday.
"The problem with the $445 billion number is that it's so big and so encompassing," Raj Samani, the chief technology officer for McAfee's EMEA region, told NBC News. "But when this crime occurs, it hurts our jobs. It hurts our economy. And we're seeing ideas being stolen."
Those three issues are intertwined, Samani said, and they aren't just a business problem.
Consumers don't always make the connection that company losses, from big breaches like Target and smaller unreported incidents, can seriously affect national economies -- and the citizens who depend on them.
"When this crime occurs, it hurts our jobs. It hurts our economy. And we're seeing ideas being stolen."
In America alone, losses from cybercrime could cost as many as 200,000 jobs, according to the study. And high-income countries like the U.S., which depend more on intellectual property, lost as much as 0.9 percent of gross domestic product due to cybercrime, CSIS found.
A 2009 report by McAfee that estimated the global cost of cybercrime at $1 trillion was widely criticized; a report four years later that was commissioned by McAfee and conducted by CSIS put the figure at about $300 billion.
The ripple effect is so large in part because the effects of a breach can continue to plague companies long after the attack is over, both financially and otherwise.
CSIS cited a study of cybercrime's toll in Italy: The actual losses due to the attack were $875 million, but "recovery costs" reached a whopping $8.5 billion.
"It’s staggering at first, but it makes sense when you look at all of the implications," Eric Chiu, president and co-founder of security firm HyTrust, told NBCNews. "You're looking at potential fines, loss of revenue, hiring people to fix the problem, paying for [affected consumers'] credit monitoring ... that can sink a business when you add it all up."
"All of the core assets of a company, or even a nation, is data."
Even companies with deep enough pockets may find themselves sunk if enough proprietary information that's vital to their business is stolen in a breach.
Last month, the U.S. Department of Justice charged five officers of the Chinese People’s Liberation Army for allegedly stealing trade secrets that cost U.S. companies billions of dollars each year and undercut American jobs.
"All of the core assets of a company, or even a nation, is data," Chiu said. "At a certain point, some companies -- especially the smaller ones -- aren't able to come back. And that's not good for any of us."
That domino effect isn't necessarily obvious to consumers, pointed out Kevin Johnson, the CEO of security company Secure Ideas. After a breach, most people simply order a new credit card and get their money restored, and it's hard to see how the merchant's losses could eventually affect more people.
"The reality is, that was money that the company budgeted for something else," Johnson said in an interview. "All of that affects the next hiring season. Maybe this retailer doesn't end up opening that store in your town, or hiring a bunch of seasonal workers."
But that type of indirect result is difficult to trace, Johnson said. He once worked at a health care company that was forced to shut down for four days because of a malware incident. But regulations demanded that the company respond to claims within three days, so the firm was forced to pay fines.
"A few months later, projects were getting canceled and people were eventually laid off," Johnson said. "We don't see that direct line to the breach, but that money spent on the fines could have gone someplace else."
Other companies may not even know to take precautions because they're unaware that a breach has occurred. In March it was revealed that federal agents told more than 3,000 U.S. companies last year that they had been the victims of attacks.
"The 3,000 number is mind-boggling even to me, and I'm in the industry," Johnson said. "The hard part is that a lot of this collateral damage isn’t directly attributable. But it doesn't just cost businesses. It costs all of us."
First published June 6 2014, 12:02 PM