The attackers can execute a cyber attack for as little as $34 per month compared to the extraordinarily high impact and associated expense, thousands to millions of dollars, incurred by a victimized organization that needs to remediate and recover from it, said a report from Deloitte.
In its newly released report – Black Market Ecosystem: Estimating the cost of ownership – consulting firm Deloitte estimates that some common criminal businesses can be operated for as little as $34 month and could return $25,000, while others may routinely require nearly $3,800 a month and could return up to $1 million per month.
According to the cyber security practice arm of the Deloitte, phish kits continue to be the overall most affordable approach both in terms of low estimate and average cost, while banking trojans are costlier, on average. The report said that a multiple payload campaign, unsurprisingly, is potentially the most expensive criminal business.
The study said that for every category of criminal, a product almost certainly exists which caters to their needs. The cost of these products does not necessarily correlate to the skill level of the threat actors who purchase them. Regardless, all are extraordinarily low cost compared to the resulting impact to the compromised organization.
“If you haven't noticed, criminals don't file tax returns. And while challenging, it's still important to be able to review and compare these criminal businesses to help identify which exploits are the most affordable and lucrative for them to pursue — both from a cost of entry and routine operations standpoint,” stated Keith Brogan, managed threat services leader for Deloitte cyber risk services, and managing director with Deloitte & Touche LLP.
“There's a definite correlation to the investment level in terms of a sum cost. You have to spend money to make money even as a criminal,” he added.
The report emphasised that the ingenuity of cyber-criminals practically guarantees that there are always exceptions to the findings, but organizations need to have some level of understanding as to how these incidents are occurring to effectively shift their cybersecurity posture.
The impact of a cyberattack as experienced by the compromised organization is, in many ways, intangible and more difficult to quantify. This includes costs associated with loss of intellectual property (IP) or contracts, operational disruption, credit rating impact, or damage to the value of a trade name. Still, in dollars and cents, it is widely reported that the cost of a data breach is upwards of $4 million to an organization with the potential to cost hundreds of millions even billions of dollars in long-term resulting impact.
“In the realm of cyber everywhere, companies will only continue to introduce more digital innovations, which will require them to also continuously adopt and adapt cybersecurity measures commensurate with the growing threats they'll face,” said Andrew Morrison, strategy, defense and response leader for Deloitte cyber risk services and principal with Deloitte & Touche LLP.
“Cyberattacks are inevitable but the extent of their damage is not. Organizational transformation is needed to reprioritize and refocus investments on mitigating likely outcomes, based on a broad understanding of attackers' motives and the ability to anticipate high-impact scenarios,” said Morrison.