Are cybercriminals winning? That was the question posed by Marcin Kleczynski, founder and CEO of Malwarebytes, during his presentation “Is the New Cybercriminal Mafia Winning? Recruitment, Retention and the Hire” at Cyber Security Chicago on Sept. 26, 2018. This presentation, along with the recent release of an Osterman Research white paper titled “White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime,” sponsored by Malwarebytes, paints a troubling picture of the current state of cybersecurity, the cybersecurity profession and the resulting costs to organizations.
Cybersecurity Budgets on the Rise for Businesses
Large organizations in the U.S. were queried by Osterman Research in 2017 about their then-current security budgets and their projected 2018 budgets. These companies reported a 21.2 percent increase in spending from 2017 to 2018, averaging growth from $697,000 to $845,000.
“Cybersecurity has become a board-level discussion,” says Kleczynski. “With all of these breaches in the news, I’ve seen chief security officers come to board meetings with articles printed out, showing the board members and CEOs what could possibly happen.”
This increase is promising for security teams, which have traditionally been an afterthought in the corporate budget hierarchy. But it can also be a bad sign for businesses, reflecting an increase in cyberthreats and a growing need to address them.
“While security budgets are increasing, the amount of security needed to protect an organization is increasing, as well,” Kleczynski explains.
Breaches and Remediation Continue to Cost Companies
When you take a closer look at where that budget is going, these organizations spent 14.7 percent of it addressing active compromises, according to the report. This refers to costs associated with day-to-day remediation, fixing active breaches caused by phishing attacks, malware and the like.
“Nearly 15 percent of these budgets are being spent on remediation,” Kleczynski says. “They spend all of this money on prevention, and yet 15 percent is still being used to remediate. So, this raises an interesting issue: Is protection just never enough and remediation is always necessary? Or do businesses need to reinvest more money into protection in the first place?”
The survey also asked about a hypothetical catastrophic security event, such as a widespread ransomware attack. The survey results calculated that these companies would spend an average of $429,000 to remediate such an event. That’s more than 50 percent of their projected 2018 budgets. This heavy cost factors in a variety of expenses tied to major event remediation: direct IT and labor costs, software and hardware solutions, direct costs such as paying a ransom, fines and legal fees.
And, make no mistake, catastrophic breaches are going to happen. The survey reveals that these organizations experienced an average of 1.8 major security events in 2017 — with the U.S. seeing nearly three times as many attacks, on average, as European countries. Budget allocated for catastrophic remediation will not go untouched.
Calculating the Total Cost of Cybercrime
Security budgets are rising, but it still may not be enough to cover the cost of breaches and mitigate growing risks. The survey also looked at the cost to an organization of directly dealing with cybercrime, breaking down costs into three areas: the security infrastructure itself, the off-budget costs tied to major security events and costs tied to insider threats:
- $1.9 million: total costs for U.S. organizations
- $697,000: total infrastructure costs
- $759,000: total remediation costs
- $440,000: total insider-threat costs
According to these cost breakdowns, there is a significant gap between what organizations are budgeting to address security ($845,000) and what they are actually paying ($1.9 million); not even half of the total costs of cybercrime are covered.
The Rise of the Gray Hat Hacker
Insider threats, specifically black hat activity, represent a notable portion of cybercrime. Among U.S. cybersecurity professionals, 50 percent have known someone that has participated in black hat activity, and 22 percent have been approached about engaging in it. One in 20 of surveyed cybersecurity professionals identified themselves as gray hats — holding down a white hat job as a professional while also engaging in black hat activity on the side.
Much of the motivation of gray hats lies in the belief that it’s easy to engage in cybercrime without getting caught or prosecuted.
“A lot of cybercriminals aren’t being prosecuted very vigorously,” says Kleczynski. “There were only 47 prosecutions in the U.K. last year under the Computer Misuse Act.”
The other obvious motivation is money: There’s greater financial opportunity wearing a black hat than there is wearing a white hat.
“Part of the problem is a lot of companies are not paying their cybersecurity professionals enough, or they’re not giving them enough challenging tasks. They’re not being engaged,” says Kleczynski. “If you put a more lucrative package in front of them, with very little risk of being caught or prosecuted, it’s understandable that they will consider it.”
This makes for an interesting dynamic within the cybersecurity profession at the moment, Kleczynski notes. On one hand, there is a shortage of security professionals and security is only growing as a driver and concern within the corporate world. On the other hand, budgets do not align with the reality of cybersecurity needs. Companies have not yet come around to seeing the connection between the risks they are facing and the need to put out money for security talent to protect them.
“The situation is odd, because you have a massive shortage of personnel in the white hat industry, so companies should be paying for top talent and retention, but they’re not,” says Kleczynski. “That dynamic is not sustainable.”