Skip to content

Has Cybercrime Surpassed Physical Crime?

THERE’S A PERVERSE competition over who’s got it tougher: IT or physical security professionals. The latest salvo in this battle was fired by respondents to an IBM survey, most of whom were chief information officers.

Almost 60 percent said that cybercrime is more costly to their business than physical crime. That’s becoming the conventional wisdom. But what do the numbers say?

It’s difficult to nail down because studies that attempt to quantify security losses across sectors and types of crime are based on extrapolation and guesswork. But what numbers there are show that the toll of physical crime in the United States still easily outpaces the cost of cybercrime.

For example, the FBI estimates the annual cost of cybercrime to be about $400 billion annually. Occupational fraud alone—which generally doesn’t include schemes using the Internet—is estimated at $660 billion per year by the Association of Certified Fraud Examiners. That might include setting up fictitious payees, altering checks, or overstating corporate assets. Counterfeit goods carve another large chunk out of the U.S. economy—$250 billion, according to the FBI.

A bevy of other numbers add to the physical-crime total. Cargo theft is estimated at “tens of billions” of dollars annually, says William Corley, former director of the International Cargo Security Council. In the retail sector, expert Read Hayes says the industry uses a figure of $40 billion lost via shrinkage and inventory loss. Some $700 million is drained by check fraud, according to the American Bankers Association.

Data on physical crime excludes indirect or ancillary costs stemming from that crime. For example, businesses spend untold dollars defending and paying judgments on legal claims related to third-party crimes on the property and workplace violence.

The argument may be purely academic. “I don’t know that it matters” which costs more, says Dan Geer, vice president and chief scientist at data-protection firm Verdasys, Inc.

Then again, if you think you are most at risk for cybercrime, that’s likely where you will devote your resources. And if the risk lies elsewhere, that could mean that the company’s more costly vulnerabilities will not be adequately addressed.