Updated at 4:53 p.m.
Cybercrime costs the global economy a whopping $400 billion a year and affects millions of people in the United States alone, according to a new study.
The study out Monday from the Center for Strategic and International Studies calls cybercrime “a growth industry.”
“The returns are great, and the risks are low,” CCSI says in its report. The think tank called its cost estimate conservative and said annual losses could actually reach $575 billion.
Importantly, in establishing the parameters of its study CSIS defined cybercrime fairly narrowly.
“We felt like if the crime couldn’t have occurred without the Internet we shouldn’t count it,” CSIS Senior Fellow Jim Lewis told TIME. Only a very small part of the sharp increase in cybercrime—like the massive data breach at Target last year—is the result of computer crimes supplanting analog crimes, Lewis said. “The guys who did Target don’t live in the United States and there’s no way they could have done Target without the Internet,” he said.
Losses from cybercrime accounted for in the report include the cost to hundreds of millions of people who have their personal information stolen—including 40 million in the U.S. in the last year—as well as losses of intellectual property, theft of money and sensitive business information, and the cost to a company of recovering from a cybercrime.
The report estimates that the cost to the American economy from cybercrime could include as many as 200,000 jobs.
Part of what makes combating cybercrime particularly difficult is that it often goes unreported by companies reluctant to disclose breaches. “When Google was hacked in 2010,” the report says, “another 34 Fortune 500 companies in sectors as diverse as information technology and chemicals also lost intellectual property.”
Sign up for Inside TIME. Be the first to see the new cover of TIME and get our most compelling stories delivered straight to your inbox.
