By SecureWorld News Team
Tue | Feb 9, 2016 | 9:17 AM PST

When you hear the words "data breach," you tend to think in large numbers.

For example, 80,000,000 records were stolen in last year's Anthem hack. Cybercriminals made off with 70,000,000 records in the Target breach. And hackers accessed 145,000,000 records from eBay. If you look at the World's Biggest Data Breaches graphic from Information is Beautiful, you will see a lot of zeros.

Therefore, it is logical to think that all those zeros would translate to even more zeros when it comes to hacker paydays, right? Surprisingly, not so much.

According to a new report, "Flipping the Economics of Attacks," released by the Ponemon Institute and commissioned by Palo Alto Networks, the average hacker makes less than IT security professionals - about 75 percent less. The study, which surveyed 304 threat experts in the United States, United Kingdom and Germany, revealed that on average, attackers earn $28,744 in annual compensation, or one-quarter of a cybersecurity professional's average yearly wage.

This figure may also surprise hackers, since the report showed that 69 percent of respondents are motivated by money when it comes to cyberattacks.

So if the cybercriminals' return on time investment is not as lucrative as they think, why then are we seeing an increase in successful attacks?

The answer is that attacker technology is improving, making it easier for hackers to execute a successful attack, according to the report. In addition, the cost of hacker tools is decreasing and attacker skills are increasing, which enables criminals to quickly gain access to their targets - emphasis on "quickly."

The longer an organization can keep an attacker from executing a successful attack, the stronger the odds are that the attacker will give up and move on to another target. Sixty percent of respondents answered that if an attack took longer than 40 hours, they would move on to another potential victim. Furthermore, cybercriminals will not waste time on an attack that will not yield a large amount of high-value information.

Since attackers are seeking a "quick and easy payday," organizations can use this information to effectively discourage most hackers.

The report recommends that companies strengthen their security effectiveness by:

  • Creating a holistic approach to cybersecurity, which includes focusing on the three important components of a security program: people, process, and technology.
  • Implementing training and awareness programs that educate employees on how to identify and protect their organization from such attacks as phishing.
  • Building a strong security operations team with clear policies in place to respond effectively to security incidents.
  • Leveraging shared threat intelligence in order to identify and prevent attacks seen by peers.
  • Investing in next-generation technology, such as threat intelligence sharing, integrated security platforms that can prevent attacks, and other advanced security technologies.

Just like car thieves, if hackers really want to break in and steal your data, they will find a way to do so. The objective is to slow things down and make it so difficult for the attackers that they would rather not waste their time on your company and your information.
