Kylie Jenner recently became the world’s youngest billionaire in history and the youngest self-made billionaire of all time. Her success drove me to think about the millionaires and potentially billionaires in cybercrime, and what the numbers look like as an industry in 2019.
In recent years, the definition of cybercrime has evolved from traditional calculations based on the cost of stolen information and to now factoring in ransomware and attacks on industrial control systems and IoT devices. These device-driven attacks don’t seek to make their profits based on a direct payout, but more so on business disruption. Ransomware, which aims to lock, copy, or destroy data for the benefit of a financial payout, also creates a timely and flourishing revenue stream. Ransomware, in itself, is estimated to be an $11.5bn industry, demonstrating how this new endeavor of crime pays.
The Costs
The Ninth Annual Cost of Cybercrime Study by Ponemon has pegged the average cost of cybercrime at $13.0m per organization, an increase of $1.4m over the past year. Risk IQ also conducted research that placed the cost of cybercrime on the global economy at $2.9m every minute, for a total of $1.5tn. These are just a couple of the many different estimates, which range from billions to trillions. Some would argue that these numbers are all potentially underrepresented because a fair amount of cybercrime simply goes undetected, particularly with industrial espionage where the theft of confidential documents is difficult to track.
Breaking this down further, a single malware attack in 2018 cost, on average, more than $2.6mi, and other attacks such as malware, web-based attacks, denial-of-service, and malicious insiders all tracked at average costs exceeding one million dollars related to information loss and business disruption.
The Momentum
Throughout 2019, financial services, governments, consumer goods, retail and utilities remained top targets with a dramatic rise in attack percentages in the areas of automotive, life sciences and travel. The results ultimately show that no industry is immune from an attack.
Are we getting ahead and will attacks slow down or stop? It’s highly unlikely given the following reasons:
- The economic benefits, which are attracting organized crime
- Interests in political interference and disruption by nation states
- Limited prosecutions facilitated by the anonymity of the internet
From 2019-2023, analysts are now projecting that $5.2tn in global value will be at risk from cyber-attacks, creating a financial mecca for attackers and a daunting task for defenders to stop them. This unfortunate trend shows no sign of slowing and as long as cybercrime pays, it is going to remain a significant challenge.
“Throughout 2019, financial services, governments, consumer goods, retail and utilities remained top targets”
The Defense
In 2019, estimated spending on information security products and services reached over $124bn. However, according to the Identity Theft Resource Center, the number and severity of breaches is still increasing. Throughout 2018, 1244 breaches were recorded and year-to-date in 2019, we have already seen 1272 .
How do we get ahead, when it feels like for every two steps forward that we take, we also seem to take one step back? The dynamics for winning this battle are challenging, with the advantage generally tipped towards the adversary who carries the benefit of time, resources, the element of surprise and a commercialized marketplace for doing business. Shifting power, or as some would call ‘the home-field advantage,’ back to the defender will require new thinking.
Getting Ready for 2020
In addition to upkeeping hygiene and employee training, here are some considerations for defenders as we close out 2019 and prepare for 2020.
- Prevention alone is not enough. Get eyes inside of the network with an early detection infrastructure. Deception technology has been taking its place as a de facto detection security control based on its ability to slow down and derail attacks across all major attack vectors and attack surfaces
- Use a security framework to assess security efficacy and reliability
- Look at the MITRE ATT&CK framework to see how well attacks are addressed throughout the attack phases
- Double-down on reducing credential risks related to theft and Active Directory harvesting. Understand lateral movement attack paths based on exposures
- Artificial intelligence (AI) is here, and attackers are already using it to their advantage. Consider how to use AI and machine learning to understand threats better and automate operations
- Track dwell-time, mean-time-to-respond, contain and restore operations
- Run red team and purple team tests in addition to having ongoing controls that assess whether existing infrastructure is performing reliably
- Update and test out incident response playbooks for all attack scenarios, including data theft, ransomware and other disruption of operations
- Study prior attacks on your industry and review how your organization would have fared if they had been the victim
- Validate how well security plans hold up against insiders and suppliers in addition to external adversaries
- Check cyber insurance coverage and understand its requirements and restrictions
The odds are inherently against our information security teams, who are expected to operate flawlessly with limited resources, while protecting over 26 billion devices, with over five million applications and the more than six billion connected people behind them. The worldwide information security staffing shortage only serves to compound these challenges further. As we ramp up for the beginning of a new decade, we should learn from the attacks that have come before us. We should also actively seek out and embrace smarter technologies that improve our ability to detect threats early and that leverage the benefits of automation for responding to threats more efficiently. It’s a new decade and with it comes great opportunity to shift the tides and make 2020 the year of the defender.