How can an organization make it difficult enough for an attacker that they dissuade or prevent an attack? Time-wise? Cost-wise? Potential profit-wise?

In Flipping the Economics of Attacks, sponsored by Palo Alto and conducted by Ponemon Institute, threat experts in the United States, United Kingdom and Germany were surveyed about what motivates attackers. The research revealed that most attackers are in it for the money.

To fight back against adversaries, enterprises need to harden their organizations so that it takes attackers longer to achieve their mission. Most malicious attackers are opportunistic when choosing a particular organization to attack and will quit the attack when the targeted organization presents a strong defense. Specifically, the majority of attacks can be stopped if more than about two days are needed for a successful attack.

The following are recommendations from the report that will help steel the organization against malicious actors:

• Create a holistic approach to cybersecurity, which includes focusing on the three important components of a security program: people, process and technologies.

• Implement training and awareness programs that educate employees on how to identify and protect their organization from such attacks as phishing.

• Build a strong security operations team with clear policies in place to respond effectively to security incidents.

• Leverage shared threat intelligence to identify and prevent attacks seen by your peers.

• Invest in next-generation technology, such as threat intelligence sharing, integrated security platforms that can prevent attacks, and other advanced security technologies.

There are many questions that the cybersecurity community needs to answer: What are the typical annual earnings of a cybercriminal? What is the attacker’s cost of conducting a breach? Does crime pay? Are cybercriminals getting rich?

While many attackers may hope for a big payout, the reality can be quite different. The findings of the survey reveal attackers on average receive $28,744 for an average of 705 hours spent on attacks annually. Of course, some attackers do “earn” more than the average. However, this compensation is 38.8 percent, or one-quarter, less than the average hourly rate of IT security practitioners employed in the private and public sector.

We also learned that attacks are increasing because of the availability of low-cost and effective hacker toolkits. Technically proficient attackers are spending an average of $1,367 for specialized tool kits to execute one attack. The only other cost is their time.

(About the author: Dr. Larry Ponemon is the Chairman and Founder of the Ponemon Institute, and a member of ISACA. This post originally appeared on his ISACA blog.)

