Research presented at the recent RSA Conference suggests cybercriminals are collectively sitting atop an economic empire generating $1.5 trillion in revenue annually. Given the comparatively modest investment required to launch cyberattacks, it can be assumed this may be one of the most profitable illicit endeavors on the planet.
The Web of Profit report, published by Dr. Mike McGuire, senior lecturer in criminology at Surrey University, and sponsored by Bromium, a provider of endpoint security software, notes that $1.5 trillion is roughly equal to the gross domestic product of Russia. In fact, if cybercrime were a country, the report estimates it would have the 13th highest GDP in the world.
The report allocates the $1.5 trillion in revenue being generated by cybercriminals as follows:
- $860 billion – Illicit/illegal online markets
- $500 billion – Theft of trade secrets/IP
- $160 billion – Data trading
- $1.6 billion – Crimeware-as-a-Service
- $1 billion – Ransomware
The fact that cybercrime has become big business may not surprise most cybersecurity professionals. But it does show what cybersecurity professionals are up against. Most IT budgets are a single-digit percentage of the revenue an organization generates. Most cybersecurity budgets, in turn, are a single-digit percentage of the IT budget. It quickly becomes apparent how big the gap is between the cybersecurity defenses any one organization can mount and the resources organized cybercriminals now have at their disposal.
Like any well-run business, the people who run these criminal empires are plowing profits back into growing the business. The report suggests cybercriminals are on average reinvesting 20 percent of their revenues into their operations, or roughly $300 billion a year. This may account for why there appear to be more instances of cybercriminals leveraging machine learning algorithms not only to discover vulnerabilities faster, but also to fine-tune social engineering attacks targeted at specific individuals.
The report suggests most of the ill-gotten gains being generated by cybercrime are in the hands of the individuals who create the platforms enabling these attacks to be launched on an industrial scale. The report estimates individual hackers only earn around $30,000 per year. In contrast, so-called managers can earn up to $2 million per job.
The report also confirms that automation enabled by industrialized platforms for launching cyberattacks is driving down the cost of launching them. Prices for different types of cyberattack tooling and services are as follows:
- Zero-day Adobe exploits, up to $30,000
- Zero-day iOS exploit, $250,000
- Malware exploit kit, $200-$600 per exploit
- Blackhole exploit kit, $700 for a month’s leasing, or $1,500 for a year
- Custom spyware, $200
- SMS spoofing service, $20 per month
- Hacker for hire, around $200 for a “small” hack
The precise amount of revenue being generated by cybercriminals may not be all that relevant to the average cybersecurity professional. But it does indicate that cybercriminals can afford to drive the cost of cyberattacks even lower than it is now. There is a direct correlation between the cost of launching those attacks and the volume of attacks cybersecurity professionals can expect to see. Cybercriminals, unfortunately, have the luxury of only having to be right once. Cybersecurity professionals need to be right all day, every day, so if the volume of attacks keeps rising, the odds keep getting stacked further against them.
The only way to combat those threats effectively is for cybersecurity professionals and their IT colleagues to band together in the cloud. Machine learning algorithms and other forms of artificial intelligence (AI) should help even those odds in the future. But those algorithms only work when exposed to large amounts of data from which they can discern patterns. The only place that amount of data can be effectively collected and analyzed is the cloud. In effect, we are witnessing the industrialization of cybersecurity. IT organizations still depending on legacy manual processes to defend themselves in this new age of industrial cybersecurity should consider themselves warned.
Mike Vizard has covered IT for more than 25 years, and has edited or contributed to a number of tech publications including InfoWorld, eWeek, CRN, Baseline, ComputerWorld, TMCNet and Digital Review. He currently blogs for IT Business Edge and contributes to CIOinsight, The Channel Insider, Programmableweb and Slashdot. Mike also blogs about emerging cloud technology for SmarterMSP.