CIO

Don't be fooled by study's dramatically lower cyberthreat estimate, experts say

A recent study that greatly reduces an often-cited estimate on the economic impact of cybercrime and cyberespionage should not give companies a reason to spend less on security, experts say.

The McAfee-sponsored report, released on Monday, found that Internet-based crime and spying cost the U.S. economy as much as $100 billion a year, not the $1 trillion originally estimated by the Intel-owned security vendor. The study was done in conjunction with the nonprofit Center for Strategic and International Studies.

The analytical approach used in the latest findings is closer to reality than the previous methodology based on notoriously imprecise corporate surveys. McAfee acknowledges that the earlier figure, included in President Barack Obama's 2009 cybersecurity speech, was inflated.

"There were some methodological challenges with the [original] study and we felt that the right thing to do was to work with the top think tank in the world focused on security and come up with a better study to set the record straight," Tom Gann, vice president of government relations at McAfee, said on Tuesday.

But whether the macroeconomic figure is $100 billion, $1 trillion or somewhere in between, it should not affect how much a company decides to spend on security, experts say.

Avivah Litan, an analyst with Gartner, compared security spending to preparing for a natural disaster, such as Hurricane Sandy, which devastated parts of New Jersey and New York in 2012. Such events may happen once in decades, but if you are not prepared, the losses could be staggering.

"When you build security defenses, you don't know if you're going to get attacked, and if you're going to wait until you get attacked, then it's too late," Litan said.


Stewart Baker, a former assistant secretary for policy at the Department of Homeland Security (DHS) and a co-author of the study, said companies should not take comfort in the fact that $100 billion is less than 1% of the U.S. gross domestic product (GDP).

"I'm skeptical about treating [cyberintrusions] as a manageable cost unless a company has done an informed analysis of who wants their data and what the long-term consequences of letting them have it might be," Baker said. "If you're not of interest to foreign governments or state-owned competitors, or a target for criminals seeking money, then I think you probably can treat it as a tolerated cost. But that's a big if."

In deciding how much to spend on cybersecurity, a company should first determine how likely it is to be a target of cybercriminals, hacktivists or cyberspies, Baker said. A company should then figure out the worst that can happen if a network is compromised by one of these adversaries.

The study's macroeconomic numbers are most valuable as a description of the broad cybersecurity challenges companies face, which should be helpful in conversations between chief security officers and chief executives, Gann said.

"It creates a more thoughtful kind of dialogue," he said.

In estimating losses, the study considered the cost of cybercrime and service disruptions, the theft of IP and sensitive business information and the damage to reputation. In addition, the report considered the cost of securing networks, insurance and recovery from cyberattacks.

On a worldwide basis, the report found that cybercrime and espionage cost as much as 1.4% of the global economy, or between $300 billion and $1 trillion a year.
