White hat, black hat, and the emergence of the gray hat: the true costs of cybercrime

This post was written by Michael Osterman of Osterman Research.

Osterman Research recently completed a major survey on behalf of Malwarebytes to determine the actual cost of cybercrime to businesses. Many studies have focused on the cost of lost reputation, lost future business, and other consequences of cybercrime—and while these are certainly valid considerations—we wanted to understand the direct costs of cybercrime. To do so, we surveyed mid-sized and large organizations on a variety of issues, but focused on three cost components:

• Security budgets
• The cost of remediating “major” events, e.g., events like a widespread ransomware infection or major data breach that would be highly disruptive to an organization and might take it offline for some period of time
• The cost of cybercrime perpetrated by “gray hats;” those employees who dabble in cybercrime without giving up their day job as a security professional

Here’s what we discovered:

Cybercrime isn’t cheap

Organizations of all sizes can expect to spend significant amounts on various cybersecurity-related costs. For example, our research found that an organization of 2,500 employees in the United States can expect to spend nearly $1.9 million per year for cybersecurity-related costs (that’s nearly $760 per employee).

While the costs are lower in most of the other countries that we surveyed, the global average exceeds $1.1 million for a 2,500-employee organization.

Gray hats are a problem

Globally, one in 22 security professionals are perceived by their security-professional peers to be gray hats, but this figure jumps to one in 13 for organizations based in the United Kingdom. Mid-sized organizations (500 to 999 employees) are getting squeezed the hardest, and this is where the skills shortage, and the allure of becoming a gray hat, may be the greatest.

Underscoring the depth of the gray hat problem is the fact that 12 percent of security professionals admit to considering participation in black hat activity, 22 percent have actually been approached about doing so, and 41 percent either know or have known someone who has participated in this activity. This is by no means a rare or isolated problem!

Once more unto the breach

We found that the vast majority of organizations have suffered some type of security breach and/or attack during the 12 months preceding the survey. The most common avenue of attack was from phishing, but others that were experienced included adware/spyware, ransomware, spearphishing, accidental and intentional data breaches, nation-state attacks, and hacktivist attacks.

Only 27 percent of organizations reported no attacks during the 12 months leading up to the survey, and even that figure may underestimate the depth of the problem: some organizations can be infiltrated by stealthy attacks that may not be discovered for several months after the initial infiltration.

The middle child syndrome

Corroborating what Osterman Research has discovered in other research, mid-market companies—those with 500 to 999 employees—face the most difficult challenges from a security perspective. They encounter a higher rate of attack than smaller companies and similar rates of attack as their larger counterparts, but they have fewer employees over which to distribute the cost of the security infrastructure.

In short, mid-market organizations have big company problems and small company budgets with which to solve them.

Major attacks

We found that a “major” attack occurs with alarming frequency. Globally, we found that during 2017, such attacks occurred to the organizations we surveyed at an average of once every 15 months. But US organizations were the hardest hit in 2017, with an average of one attack every 6.7 months. These are highly disruptive events that can take a company off-line for days or weeks.

As just one example of such an attack, consider the City of Atlanta that was infected with ransomware in April 2018 and has spent more than $2.6 million on remediating the compromise. The attack impacted five of the City’s 13 departments and the police department’s records system, as well as causing other mayhem for city employees and the public.

The bottom line is that cybercrime costs enormous amounts that go well beyond the annual security budget. And if companies don’t find a way to put a stop to the cybercrime happening both inside and outside of their walls, they’ll have to pay the price.