According to the latest data from Deloitte, the cost of committing a cybercrime is so surprisingly low that anyone and everyone can afford to be a bad guy.
When you picture a cybercriminal organization today, you should be thinking about a group of individuals who run their operations like a business: concerned with profit and loss, looking for ways to execute as inexpensively as possible while yielding the largest return. But what you don’t necessarily need to include in that picture is an organization with a large cash reserve.
According to Deloitte’s newest report, Black-market ecosystem: Estimating the cost of “Pwnership”, the cost of running a campaign is so low, it’s downright reasonable as a business model for even the smallest cybercriminal business.
Some examples from the report include:
- DDoS attack (single website) – as low as $10/hour
- Compromised RDP credentials/IP – as low as $5
- Complete phishing kits – $300
- Ransomware kits – sold on an affiliate model, for as low as 20% of the ransom
- Remote Access Trojan – as low as $8/month
- Banking Trojan – as low as $141/month
All of this pricing data – and the tons more found in the report – makes the case that a) some cybercriminals are simply in the business of building evil tools and selling their use to others, and b) it’s incredibly cheap for anyone wanting to engage in cyberattacks to do so without incurring much cost up front.
Organizations can no longer rely on simple security measures to protect themselves. Cybercriminal organizations are competing with each other for buyers of their wares (just like the good guys) – and that means building the most effective and impactful bad guy software possible, and improving on it daily.
To counter the growing onslaught of attacks, organizations need to have a layered defense in place that includes protecting the perimeter (logically speaking, email and web), the endpoint (think AV, endpoint protection, etc.), and the user (with Security Awareness Training). Using a layered defense that includes the user, organizations reduce the risk from the majority of attacks, which rely on social engineering (e.g., phishing, vishing, and smishing) to compromise endpoints or users.
Participating in a cyberattack is no longer a cost-prohibitive proposition. So, organizations need to ensure proactive measures are in place to minimize the success of what is sure to be an expanding threat.