Flipping the economics of attacks

News   •   Feb 02, 2016 16:18 GMT

Our news channels are constantly filled with stories of large organizations that have suffered the consequences of a cyber attack: either their networks are taken down or their data is stolen. The reputational damage is high and the fines are sometimes astronomical. Cyber attacks on Adobe, JP Morgan and Sony were all estimated to have cost the companies in excess of $1 billion, and even the Business Continuity Institute's latest Horizon Scan Report identified cyber attack as the number one threat according to business continuity professionals.

The costs may not be as high as first thought, however, according to a new study by the Ponemon Institute, carried out on behalf of Palo Alto Networks, which found that the average hacker makes only $15,000 per attack and generates an income of less than $29,000 per year, a quarter of what a cyber security professional could make during the same period.

Flipping the economics of attacks, the result of a survey carried out among the 'attacker community', found that 72% of respondents won’t waste time on an attack that will not quickly yield high-value information, and that a similar percentage of respondents believe attackers will stop their efforts when an organization presents a strong defence. The vast majority (73%) stated that attackers hunt for easy, cheap targets.

An increase of approximately two days (40 hours) in the time required to conduct successful cyber attacks can eliminate as much as 60% of all attacks. On average, a technically proficient attacker will quit an attack and move on to another target after spending approximately a week (209 hours) without success. It takes double the amount of time (147 hours) for a technically proficient cyber attacker to plan and execute an attack against an organization with an ‘excellent’ IT security infrastructure versus 70 hours for ‘typical’ security.

Davis Hake, director of cyber security strategy at Palo Alto Networks, commented: “As computing costs have declined, so too have the costs for cyber adversaries to infiltrate an organization, contributing to the growing volume of threats and data breaches. Understanding the costs, motivations, payouts, and finding ways to flip the cost scenario will be instrumental in reducing the number of breaches we read about almost daily and restoring trust in our digital age.”

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, added: “The survey illustrates the importance of threat prevention. By adopting next-generation security technologies and a breach prevention philosophy, organizations can lower the return on investment an adversary can expect from a cyberattack by such a degree that they abandon the attack before it’s completed.”

The report presents a number of recommendations, including that organizations should make themselves a 'hard target'. Adopting a security posture with a breach prevention-first mindset, instead of a detection and incident response approach, can slow down cyber attackers enough for them to abandon the attack in favour of an easier target.