Marketing Communications Manager at ERP Maestro.
The Cost of a Data Breach for Cybercriminals
Companies must pour copious amounts of money into their cybersecurity strategies and post-breach recoveries, but what is surprising is how little it costs cybercriminals to commit their acts. As it turns out, the cost of data breaches for perpetrators is quite low.
Dan Swinhoe of CSO Online reports in his article just how much it costs for a cybercriminal to not only buy the tools to perform a data breach but also to purchase stolen data. A kit to carry out a phishing scam costs as low as $30. An information-stealing/keylogging campaign can cost as little as $183. Now compare that to the actual value of accessing a business’s entire customer database or ERP system.
Ponemon Institute estimates that the cost of a lost or stolen record containing sensitive and confidential information is $148 per record. The costs aren’t very high for cybercriminals to infiltrate the same systems employees log into every day; however, the potential payout is enormous for cybercriminals and potentially devastating to companies that fall victim to it.
Cybercrime was expected to generate $1.5 trillion of profit in 2018 and was estimated to be the 13th largest GDP in the entire world. Cybercrime operations can be as large and organized as nation-state groups or as small as one person. Bigger operations generate profits of over $1 billion per year, and an individual cybercriminal can make upwards of $1 million annually. Individual attackers may be external hackers or, worse yet, internal employees.
Since the barriers to entry for cybercrime are incredibly low, all that cybercriminals really need are the time and resources to penetrate your company’s defenses. Consider, then, the cost of committing fraud or a breach for insiders: zero. Employees already have access to your systems, and if companies don’t practice the principle of least privilege (PoLP) or have solid access controls in place, an internal attack can be quite easy. Additionally, unlike external attacks, internal breaches or cases of fraud may go unnoticed for years if detection and prevention tools are not in place, allowing the cost to the business to escalate over time.
External criminals may obtain sensitive company information to sell on the black market, or they may use it themselves, as in the case of culprits who steal personally identifiable information (PII) to apply for loans or credit cards, transfer money illegally or commit blackmail. Fraud and embezzlement are top concerns regarding insiders, but they, too, may take company information for similar money-making schemes. In one instance, Memorial Health Services employees stole patients’ PII to make money filing phony tax returns. That incident was quite costly: Memorial Health paid a record $5.5 million settlement. Both fraud and data pilfering are big business for insider criminals.
Insider attacks are on the rise. The number of incidents attributable to insiders increased five percent in 2017, and such incidents can be even more costly than outsider attacks. If companies fail to protect themselves with automated controls, we can expect insider threats to continue to rise while companies pay the price. Moreover, executives are becoming more liable for insider risks. In February 2018, the SEC issued guidance to assist companies in disclosing cybersecurity risks, meaning that companies that don’t have controls in place to spot risks, including internal threats, or that do not disclose these risks or actual incidents to the SEC can be held liable. In addition to facing hefty fines and potential litigation from the SEC, companies’ executive leadership can be held personally accountable for failing to disclose cybersecurity risks, for not having the proper disclosure controls or for not conducting timely remediation even if risks were identified and disclosed.
Knowing that cybercrime is getting easier to accomplish, what can organizations do to thwart both internal and external cybercriminals from stealing valuable data? The answer lies in the popular saying: in order to stop a criminal, you have to think like one. The biggest investment companies can make in their cybersecurity efforts is simply understanding the cybercriminal mind and the business they operate in.
Start by determining what data would be most valuable to a cybercriminal looking for a big payout. Then consider what tools or services available on the dark web they could use to get it. Also consider whether the cybercriminal already has internal access to the system, such as an employee account. How easy would it be for them to steal data without hitting any blocks and without leaving a trace? These are just a few of the scenarios to map out and test as part of your company’s holistic cybersecurity strategy. The more you can do to prolong a cybercriminal’s efforts, the less likely they are to keep trying to break in. Time is money for a cybercriminal.