By Guy Higgins
I recently read a post, Flipping the economics of attacks. This post referenced a new study conducted by The Ponemon Institute for Palo Alto Networks. The study found that:
- “… the average hacker makes only $15,000 on average per attack”
- The average hacker generates an “income of less than $29,000 per year”
- Seventy-two percent of hackers interviewed “won’t waste time on an attack that will not quickly yield high-value information”
- “The vast majority (73%) stated that attackers hunt for easy, cheap targets”
The post quoted Dr. Larry Ponemon (founder of the Ponemon Institute), “The survey illustrates the importance of threat prevention. By adopting next-generation security technologies and a breach-prevention philosophy, organizations can lower the return on investment an adversary can expect from a cyber attack by such a degree that they abandon the attack before it’s completed.”
Let’s take a critical look at the findings, specifically findings 1 and 2 above:
- The average hacker makes $15K on an average attack. I find that to be a relatively useless piece of information. The average NFL team earns an average record of 8 – 8 every year. But the regular season spread of win – loss records is fairly extreme, running (this year) from the Carolina Panthers at 15 – 1 to 3 – 13 for both the Cleveland Browns and the Tennessee Titans. The average record is not a meaningful number. The average hacker take is, similarly, not terribly meaningful (albeit more meaningful than the average NFL record) for two principal reasons:
  - There is no guarantee that the victim of an attack (that would be you, notionally) is going to be the victim of an average attack. The attack may be meaningless in terms of loss, or it may be catastrophic. If it’s a catastrophic attack, there is no referee to whom you can complain about “not getting hit by an average attack.” You suffer the actual catastrophic damage.
  - The value to the hacker is not identical to the cost to the victim. If a thief burgles my home and takes my 2011 MacBook Pro, the small teak chest made from the quarterdeck planking of HMS Illustrious in 1940 that my mother received from a Royal Navy lieutenant in 1942, and the spare change in a dish on my dresser, that thief can probably get $30 for the lot. The cost to me is much, much more. The spare change is the spare change. The teak chest is, literally, irreplaceable. The MacBook Pro replacement cost is $1300 (not counting tax, etc., the inconvenience of insurance claims, and loss of use). The point is that the cost/impact to the victim of a cyber attack can be many times the value to the hacker, and it isn’t the hacker’s earnings that you or I care about but what it costs us.
- The average annual earnings of a hacker ($29,000) is equally meaningless. If that’s the average, then the total earnings by all hackers, worldwide, is $29,000,000,000 for each million hackers, and there are likely at least a couple of million of them in the world (population 7,000,000,000 [give or take a few tens of millions]). Again, this is only the value to the hackers, not the cost to the victims. The cost to the victims could easily be several hundreds of billions of dollars.
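The two objections above (a mean hides an extreme spread, and attacker gain is not victim cost) can be made concrete with a small simulation. This is an added illustration, not part of the original post or the Ponemon study; the distributions, the $5,000 median gain and the cost multiplier are constructed assumptions chosen only to give a heavy right tail.

```python
# Added illustration (not from the original post): why the "average attack" is a poor planning number.
# Assumptions, all constructed: attacker gain per attack is lognormal with a $5,000 median and a wide
# spread; the victim's cost is the attacker's gain times an independent lognormal multiplier.
import math
import random
import statistics


def simulate_attacks(n=10_000, seed=42):
    """Return a list of (attacker_gain, victim_cost) pairs for n constructed attacks."""
    rng = random.Random(seed)
    attacks = []
    for _ in range(n):
        gain = rng.lognormvariate(math.log(5_000), 1.5)     # heavy right tail
        multiplier = rng.lognormvariate(math.log(20), 1.0)   # victim cost far exceeds attacker take
        attacks.append((gain, gain * multiplier))
    return attacks


def percentile(values, p):
    """Simple empirical percentile (0 <= p <= 1) of a list of numbers."""
    s = sorted(values)
    return s[min(len(s) - 1, int(p * len(s)))]


def summarize(values):
    """Mean versus the numbers a planner actually needs: median, tail percentiles, worst case."""
    mean = statistics.fmean(values)
    return {
        "mean": mean,
        "median": statistics.median(values),
        "p95": percentile(values, 0.95),
        "p99": percentile(values, 0.99),
        "max": max(values),
        # share of attacks worse than the mean: for a heavy tail this is well under half
        "share_above_mean": sum(v > mean for v in values) / len(values),
    }


if __name__ == "__main__":
    attacks = simulate_attacks()
    gains = summarize([g for g, _ in attacks])
    costs = summarize([c for _, c in attacks])
    for label, s in (("attacker gain", gains), ("victim cost", costs)):
        print(f"{label}: mean ${s['mean']:,.0f}, median ${s['median']:,.0f}, "
              f"p95 ${s['p95']:,.0f}, p99 ${s['p99']:,.0f}, max ${s['max']:,.0f}, "
              f"{s['share_above_mean']:.0%} of attacks exceed the mean")
```

The mean sits well above the median yet far below the 99th percentile, and most attacks are smaller than "average" while the few that are not dominate the total; the victim-cost column is the one to budget against, not the attacker-gain column.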
Now, points 3 and 4 above. I agree that maintaining a robust IT security capability is important. I also agree that if your IT security is excellent, you are less likely to be hacked than a similar company with poorer IT security. The question is, how do you know your security is better than a similar company with an equally attractive hoard of hacker-attractive data? Further, how do you know how attractive your data is? You simply cannot afford to bet that your IT security is “good enough” to protect you or that “nobody would be interested in my company.”
That takes us to Dr. Ponemon’s quote that seems to imply that you can deter hackers with security. I agree with the doctor in that tough security is a deterrent, but is it a good enough deterrent? The hackers are always proactive and always have the advantage. They have to find only one weak spot, while your security is reactive and you have to defeat every attack – not just almost all of them, and not just the average ones.
From my perspective, the message is that you need to be prepared for cyber attacks in two ways:
- You need to maintain the best security protocols you can – this includes, most particularly, the education of your people and the disciplined adherence to those protocols. Most successful hacks are the result of poor processes/protocols and human error – not technological failures.
- You need a solid plan to respond to a successful cyber attack, because a good response can limit the financial and reputational damage/cost. A good plan that is practiced and well executed can avoid much of the cost of a successful attack.
You need to have good security and be prepared. You will be the victim of the very specific attack that you experience – not an average one – and you need to be ready for it.