Economics of Cyberattacks Explored

A Ponemon Institute survey commissioned by Palo Alto Networks has explored the motivations behind cyber-attacks and offers some insight into how organizations can develop defenses to thwart attackers.

The survey was conducted in the United States, United Kingdom, and Germany and asked 304 threat experts for their opinions on why criminals choose to attack organizations, how targets are selected, and how much attackers actually make from their criminal acts.

In the majority of cases, the main motivation for conducting an attack is money. Respondents indicated that in 67% of cases, attacks are conducted for financial gain. The average earnings for conducting those attacks were determined to be $28,744 per year. In order to earn that amount, hackers spent an average of 705 hours attacking organizations. The figures show that hacking is far less profitable than working as a private or public sector security professional, where earnings of four times that figure are possible.

The report, Flipping the Economics of Attacks, indicates that the majority of hackers look for easy targets. 72% of respondents said hackers are opportunistic and will not waste time on an attack that will not quickly result in a payout. 69% of respondents said attackers will give up and move on to another target if an organization has particularly strong security defenses.

The report suggests that if organizations implement more robust security defenses and can increase the time it takes to breach their defenses by more than 40 hours, six out of ten attackers would give up and move on to another target.

It takes around 70 hours for a hacker to plan and conduct an attack on an organization with a typical IT security structure; however, a competent hacker would need to spend at least 147 hours attacking an organization with an excellent IT infrastructure.

53% of threat experts said it now takes less time to conduct a successful attack. The decrease was attributed to an increased number of exploits and vulnerabilities being available (67%), as well as attackers’ skills improving (52%), improved hacking tools being available (46%), improved collaboration between hackers (22%), and improved intelligence on targeted companies (20%).

53% of respondents said that it is costing hackers less to attack an organization, mainly due to the wide availability and reduction in cost of hacking tools. Attackers now have to spend an average of $1,367 for the tools they need to conduct a successful attack.

While attackers are collaborating with each other to make attacks easier to conduct, organizations can make it much harder for hackers by sharing threat intelligence. The report suggests that 39% of all successful hacks could be prevented by intelligence sharing, while 55% of respondents said intelligence sharing between organizations was the most likely reason for an attack failing.

47% of threat experts said that common sense controls were not sufficient to prevent successful hacks, and more advanced technological solutions were now required to keep hackers at bay.

The report suggests that organizations must implement next generation technology such as intelligence sharing solutions and integrated security platforms, build a strong security team, and conduct threat awareness training to combat phishing attacks.

The key to the prevention of successful hacks is to make it harder for attackers to succeed. It may not be possible to keep a determined attacker at bay forever, but the longer it takes to attack an organization, the less likely it will be that an attack will be successful.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.