Only 27 percent of businesses reported no cyber attacks in the past 12 months, and mid-sized companies (500 to 999 employees) suffer greater losses than smaller or larger ones, according to a new report on cybercrime.
The report, by internet security company Malwarebytes and Osterman Research, was based on an in-depth survey of 900 security professionals in the United States, United Kingdom, Germany, Australia and Singapore.
“The goal of the research was to understand the organizational costs associated with cybercriminal activity, and to understand what motivates some security professionals to join the ‘dark side’ — i.e., to become either ‘gray hats,’ who participate in criminal activity while also working as legitimate security professionals; or full-fledged ‘black hats’ who operate solely within the realm of the cybercriminal underworld,” the report said.
“White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime” offered six major takeaways.
The total, direct cost of cybercrime is enormous
Organizations of all sizes can expect to spend an enormous amount on cybersecurity-related costs. The survey found that an organization of 2,500 employees in the United States can expect to spend nearly $1.9 million per year for cybersecurity-related costs. The global average exceeds $1.1 million for a 2,500-employee organization.
Most organizations have suffered security breaches
The vast majority of businesses have suffered some type of security breach during the last 12 months. Phishing was the most common attack, and others included spearphishing, adware/spyware, ransomware, accidental and intentional data breaches, nation-state attacks and hacktivist attacks.
Only 27 percent of organizations reported no attacks they were aware of during the previous 12 months.
Mid-market companies get the worst of both worlds
Cybersecurity is most challenging for mid-market companies — those with 500 to 999 employees. They face a higher rate of attack than smaller companies and a rate similar to that of larger businesses, but they have fewer employees over which to spread the cost of the security infrastructure.
Major attacks occur frequently
The study found that significantly disruptive or “major” attacks — such as a major ransomware attack upsetting normal operations or completely shutting down a company’s computing infrastructure for a day or more — are frequent.
“Globally, we found that during 2017, 0.8 such attacks occurred to the organizations we surveyed — an average of one attack every 15 months,” the report said, “but U.S. organizations were the hardest hit: an average of 1.8 attacks during 2017, or one every 6.7 months.”
The total cost of cybercrime includes the growing attraction of cybercrime, which motivates some cybersecurity professionals to become gray hats
“A significant proportion of security professionals are suspected of being ‘gray hats’ — those who continue as security practitioners while also getting involved in cybercrime,” the report said. “Globally, one in 22 security professionals are perceived to be gray hats, but this figure jumps to one in 13 in the U.K. Mid-sized organizations (500 to 999 employees) are getting squeezed the hardest, and this is where the skills shortage, and the allure of becoming a gray hat, may be greatest.”
Gray hats are a serious threat
“Globally, we found that security professionals believe that 4.6 percent of their fellow security professionals are ‘gray hats,’ or more than one in every 22 people working in a cybersecurity capacity. …” the report said. “Underscoring the depth of the problem is the fact that 12 percent of security professionals admit to considering participation in black hat activity, 22 percent have actually been approached about doing so, and 41 percent either know or have known someone who has participated in this activity.”