The annual cost of cybercrime is either staggering, or a mere blip on the world’s economic bottom line, depending on how you look at it.

It is notoriously difficult to quantify, since a majority of cybercrime incidents go unreported, some companies don’t even realize they have been compromised and many are not able to put a dollar value on intellectual property (IP) that they still have, but is now also in the hands of a competitor, a thief or another nation state.

But most estimates put global losses in the hundreds of billions of dollars. One report released last month, by the Center for Strategic and International Studies (CSIS) and titled “Net Losses: Estimating the Global Cost of Cybercrime,” puts it between $375 billion and $575 billion.

That, on the high end, would make it more than the U.S. defense budget. It would be more than the entire economies of many countries. And the report’s authors say while it is possible they have overestimated that cost, they believe it is far more likely they have underestimated it.

Even so, the losses for most individual countries, including the U.S., amount to less than 1% of gross domestic product (GDP). For the U.S. it is estimated at 0.64%. The worst of the G20 countries is Germany, at 1.6%. By some reckoning, that could be viewed simply as another minor cost of doing business.

That, in essence, is the view of Jason Healey, director of the Cyber Statecraft Initiative of the Atlantic Council. “When I hear about the massive cybercrime problem, I want to know what specifically do you mean?” he said. “If we are going to take the IP loss as seriously as they want us to take it, we need to know how it was actually used.”

Healey said that estimating the real economic cost of cybercrime has been almost impossible for decades. He said it has had a range of two orders of magnitude since 1988.
“We really don’t have a good answer,” he said.

But he does agree with other experts and with reports that say the raw number matters less than the trend, which is that losses from cybercrime are increasing.

TK Keanini, CTO of Lancope, is among them. “The important point here is that it is trending in the wrong direction and the rate is increasing year over year,” he said.

He added that some companies were damaged so badly by cybercrime that they are no longer in business. So, for individual companies, “that is a much greater number than 0.64% in my book,” he said.

More worrisome is that a majority of companies, while their leaders express heightened concern about cyber attacks, are not taking security measures that have been recommended by experts for years.

A second report by PwC, also released in June, titled, “US Cybercrime: Rising Risks, Reduced Readiness” (CSO is a cosponsor of the report, along with the CERT Division of the Software Engineering Institute at Carnegie Mellon University and the U.S. Secret Service), did not attempt to estimate total global or U.S. losses, but found that, “7% of U.S. organizations lost $1 million or more due to cybercrime incidents in 2013, compared with 3% of global organizations; furthermore, 19% of US entities reported financial losses of $50,000 to $1 million, compared with 8% of worldwide respondents.”

There are a number of reasons suggested for the growth in cybercrime. One is that defenders are, effectively, outgunned. The PwC report, based on a survey of more than 500 U.S. executives, security experts, and others from the public and private sectors, was blunt: “The cybersecurity programs of U.S.
organizations do not rival the persistence, tactical skills, and technological prowess of their potential cyber adversaries,” it said.

According to the CSIS report, the incentives are with the attackers. “Cybercrime produces high returns at low risk and (relatively) low cost for the hackers,” it said, while for companies, it is a business decision based on their perception of their risk.

“The problem with this is that if companies are unaware of their losses or underestimate their vulnerability, they will underestimate risk,” the report said.

Many are indeed unaware of their risk, according to PwC, which reported that, “the FBI last year notified 3,000 US companies – ranging from small banks, major defense contractors, and leading retailers – that they had been victims of cyber intrusions.” In other words, they didn’t discover the intrusions on their own.

And that lack of awareness apparently leads to broad failures to implement even fundamental security practices – practices that have been recommended by the U.S. Commerce Department’s National Institute of Standards and Technology (NIST). The PwC survey found that 54% of respondents don’t provide security training for new hires, and only 20% train on-site first responders to handle potential evidence.

Only half reported having a plan to respond to insider threats, and fewer than 40% reported that they have a mobile security strategy, encrypt devices and have mobile device management.

It found that many organizations, including utilities and operators of other critical infrastructure, are using outdated software like Windows XP, which is no longer supported, even though the warnings about the end of support were issued six years in advance.

And relationships with third parties are lax, and getting worse. The survey found that only 44% of companies have a process for evaluating third parties before they launch business operations with them.
That is down from 54% the previous year.

Only 31% reported including security provisions in contracts with external vendors and suppliers, and a mere 27% conduct incident-response planning with supply chain providers.

To counter, or even slow the growth of cybercrime, experts agree that a much larger percent of organizations need to implement those basics – what most of them call “security hygiene.”

Tom Bain, senior director at CounterTack, said it is important to remember that much cybercrime is not all that sophisticated, such as SQL injection and basic malware, “like a Trojan that has been around in millions of variants for years. It doesn't always have to be a sophisticated attack, or executed with precision and stealth,” he said.

But beyond that, Bain said companies could actually turn the tables by, “applying stealth methods of monitoring, and doing that at-scale, so that organizations can essentially spy on attackers.”

Keanini recommended, “treating cybercrime as a business problem – as a competitor or disrupter to one's business continuity is the first step.”

“Attackers are more than anything beating defenders by their innovation and creativity,” he said. “It is time that defenders meet them on these terms and outplay them for once.”

Healey believes that the market, not government regulation, has the best chance of making companies take cybersecurity seriously, and that the most effective way to achieve it is through shareholder pressure.

In a recent column in U.S.
News & World Report, he argued that the road to real reform should start in Omaha, Nebraska, home to the iconic “Oracle of Omaha” Warren Buffett; and then proceed to Sacramento, Calif., home to one of the nation’s most activist investor groups – CalPERS (California Public Employees Retirement System).

If Buffett, famously risk averse, were to reject investments in companies that didn’t take cybersecurity seriously, “every other investor, corporate board director and executive would take notice,” he wrote. “Perhaps not even President Obama could command such attention on the issue.”

CalPERS, he said, even when it is a minority shareholder, has been effective in a grassroots way in pressing companies to change policies or actions that they believe will hurt the long-term value of its shares.

“I think that’s a great approach,” Healey said. “Convince shareholders that they’re at the risk of losing.” Companies are much more likely to respond to that kind of pressure than to another round of government regulations, he said.

“I say let’s start with market solutions,” he said.