A new report on cybercrime shows mid-market companies — 500 to 999 employees — experience greater losses than smaller or larger ones.
The report, published by the internet security company Malwarebytes and the market research firm Osterman Research, was based on a survey of 900 security pros — 200 of which worked in the US, with 175 each in the UK, Germany, Australia, and Singapore. Each of the surveyed professionals belonged to an organization that had between 200 and 1000 employees.
According to the report, an organization of 2,500 employees spends up to $1.9 million on security. This includes expenditure on three fronts: a) costs for setting up cybersecurity infrastructure, including labor costs; b) costs involved in dealing with security compromises like ransomware events; c) expenditures for dealing with insider security breaches.
The survey also found that mid-market companies, were the worst affected. This was mainly because mid-scale companies were attacked almost as frequently as large organizations, but they invested less in security infrastructure while smaller ones were not often targeted.
Of the surveyed organizations, 73 percent were impacted by a security threat in the past 12 months. A majority of the reported cases were phishing attacks, followed closely by adware or spyware attacks.
Only 27% of businesses reported no #cybersecurity attacks in the last 12 months. Learn what the top form of attacks are. | Osterman Report https://t.co/qwnC7WdfqO @mosterman #cybercrime#infosec #security pic.twitter.com/1fdjZfg6Gk
— Malwarebytes (@Malwarebytes) August 10, 2018
It was found that on average, a company spends about $290,000 remediating a security compromise. This expenditure ranges from about $166,000 in Australia to about $429,000 in USA. The spending includes cost meted out for replacing software or hardware, IT and labor cost of remediation efforts, legal fees, fines, and direct costs like paying ransom in the case of ransomware attacks.
The survey revealed that different industries were vulnerable to different threats. The healthcare industry was more affected by ransomware attacks while government agencies were primarily threatened by Advanced Persistent Attacks (APTs) from nation-states, and financial service firms were affected largely by Distributed Denial of Service (DDoS) and Trojan attacks.
The survey also found that a significant number of security professionals could be living double lives as cyber criminals. Globally, one in 22 security professionals perceived to be hackers. The figure jumped to one in 13 in the UK.
Chris Calvert, a cyber security expert and CEO of Respond Software Inc., said that the survey report on organizational costs to cybercrime was reasonable, and “somewhat statistically representative.” However, he cautioned that the figure of one in 22 professionals being involved in crime could be exaggerated. Calvert said:
My three decades of experience does not confirm this, while I have seen some “grey hats” in the security community, they are usually recognized and removed from positions of trust rapidly. Many vulnerability researchers do sell their vulnerabilities to commercial entities for “bug bounty” but that is not illegal or immoral, and they are a small minority of security professionals.
Calvert also added that the loss calculated in the report only takes into account monetary losses while breaches may also damage the reputation of companies among shareholders and investors, and fail to generate viable investments in the future. Considering some of these factors, it was only last year that the magazine Cybersecurity Ventures published an article predicting that cybercrime will cost the world $6 trillion annually by 2021.