How much does it cost to launch a cyberattack?

Just like in regular business, cyber criminals have a cost of operation and a return on investment to worry about. Unfortunately, a new report from Deloitte has found the cost of committing cyber crime is incredibly low.

Companies spend big to defend their networks and assets from cyber threats. Kaspersky Labs has found security budgets within enterprises average around $9 million per year. On top of that, data breaches cost companies millions of dollars. Yet, cheap, relatively easy-to-use off-the-shelf hacking tools make the barrier to entry for cybercriminals incredibly low. 

Cyber attacks are cheaper than cybersecurity

The math of attack versus defense is simply unfair. Attackers can afford to sell records for peanuts, yet the cost to the business (and to the individual victim if their information is exploited) is much higher.

Top10VPN estimated that a person’s entire digital identity – including log-ins for online staples such as Amazon, Uber, Spotify, Gmail, PayPal, Twitter and even GrubHub and match.com – is barely worth $1,000 if a criminal wanted everything. Individually, everything except an online shopping or finance account such as PayPal is worth less than $100.

Armour’s Black Market report found personally identifiable information (PII), while costlier, is still worth less than $200 per record on the dark web. Visa and Mastercard credit card information is available for $10 per record. Even banking information for whole accounts is only worth $1,000, even if said account has up to $15,000 in it. In many cases, old information is simply given away for free. This contrasts sharply with the penalties to businesses of losing records. According to IBM’s latest Cost of a Data Breach report, the average cost to a business per record lost is $233 and can be much higher in tightly regulated industries.

Top10VPN’s Hacking Tools Price Index found malware available for as little as $45, while tutorials on how to construct attacks are available for just $5. The rare cases in which criminals are required to pay more than $1,000 for any single component are a zero-day exploit (as little as $3,000) or a cell tower simulator kit to intercept call data, which would cost over $28,000.

But buying an individual piece of malware or even a full phishing kit isn’t enough to launch an attack: attacks require hosting, distribution channels, obfuscation for malware, account checkers and more. In a new report, Black-market ecosystem: Estimating the cost of “Pwnership,” Deloitte has gone beyond just listing the piecemeal costs and instead calculated the total cost of operations — from malware and keyloggers to things like domain hosting, proxies, VPNs, email distribution, code obfuscation and more — for threat actors to launch a full campaign against organizations.

“The groups behind these types of large campaigns need multiple layers of services,” says Loucif Kharouni, threat intelligence leader at Deloitte Cyber Risk Services. “For an operation to deliver a banking Trojan, you would need to use at least five or six services.”
