Deloitte has found that criminals can carry out cyberattacks from as little as $34 a month, according to a new study.
Black Market Ecosystem: Estimating the cost of ownership is a report conducted by Deloitte to explore how much it costs to attack and to protect. While attacks cost a little over $30, expenses cost thousands to millions of dollars to remediate and recover from the attack.
The study explored cybercrime from a business perspective, with the most common hacking tools, services and enables.
By completing the investigation, Deloitte hoped to answer: What are the most commonly used tools and services sold on underground markets? What are the average estimated costs of these tools and services? Which tools are required to operate real world criminal businesses? What are the estimated operating costs of various cyber-criminal businesses?
Its findings indicate that a criminal business could operate from as low as $34 a month and see returns of $25,000. If its output is increased and it spends $3,800 a month, returns could be up to $1m each month.
Phish kits are the overall most affordable approaches in terms of low estimate and average costs – banking trojans tend to have higher average costs.
On the opposite side, impacts on costs for the victims of attacks can vary depending on the scale; however, a data breach is expected to be upwards of $4m.
The takeaway from the study is that organisations should monitor systems with ‘well-developed and well-defined threat intelligence, Deloitte said. Continuous monitoring will help to better detect and prevent malicious activity.
Monitoring and tuning security controls based on tactics, techniques and procedures will better serve threat detection.
Deloitte cyber risk services strategy, defence and response leader Andrew Morrison said, “In the realm of cyber everywhere, companies will only continue to introduce more digital innovations, which will require them to also continuously adopt and adapt cybersecurity measures commensurate with the growing threats they’ll face.
“Cyberattacks are inevitable but the extent of their damage is not. Organizational transformation is needed to reprioritize and refocus investments on mitigating likely outcomes, based on a broad understanding of attackers’ motives and the ability to anticipate high-impact scenarios.”
Copyright © 2018 RegTech Analyst
