Flipping the Economics of Attacks

How can an organization make it difficult enough for an attacker that they dissuade or prevent an attack? Time-wise? Cost-wise? Potential profit-wise?

In Flipping the Economics of Attacks, sponsored by Palo Alto and conducted by Ponemon Institute, threat experts in the United States, United Kingdom and Germany were surveyed about what motivates attackers. The research revealed that most attackers are in it for the money.

To fight back against adversaries enterprises need to harden their organizations so it takes attackers longer to achieve their mission. Most malicious attackers are opportunistic when choosing a particular organization to attack and will quit the attack when the targeted organization presents a strong defense. Specifically, the majority of attacks can be stopped if more than about two days are needed for a successful attack.

The following are recommendations from the report that will help steel the organization against malicious actors:

• Create a holistic approach to cybersecurity, which includes focusing on the three important components of a security program: people, process and technologies.
• Implement training and awareness programs that educate employees on how to identify and protect their organization from such attacks as phishing.
• Build a strong security operations team with clear policies in place to respond effectively to security incidents.
• Leverage shared threat intelligence to identify and prevent attacks seen by your peers.
• Invest in next-generation technology such as threat intelligence sharing and integrated security platforms that can prevent attacks and other advanced security technologies.

There are many questions that the cybersecurity community needs to answer: What are the typical annual earnings of a cybercriminal? What is the attacker’s cost of conducting a breach? Does crime pay? Are cybercriminals getting rich?

While many attackers may hope for a big payout, the reality can be quite different. The findings of the survey reveal attackers on average receive $28,744 for an average of 705 hours spent on attacks annually. Of course, some attackers do “earn” more than the average. However, this compensation is 38.8 percent, or one-quarter, less than the average hourly rate of IT security practitioners employed in the private and public sector.

We also learned that attacks are increasing because of the availability of low-cost and effective hacker toolkits. Technically proficient attackers are spending an average of $1,367 for specialized tool kits to execute one attack. The only other cost is their time.

For more information attend the ISACA webinar: Flipping the Economics of Cyber Attacks, 11 A.M. (CST), Tuesday, 26 January, presented by Scott Simkin is Sr. Manager, Threat Intelligence at Palo Alto Networks, and Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute.

Dr. Larry Ponemon
Chairman & Founder, Ponemon Institute

[ISACA Now Blog]