A new report aims to shed light on what motivates security professionals to choose to become black hats over white hats as part of a broader study on the overall cost of cybercrime.
To learn more about the organizational cost of cyberattacks and what lures hackers to the "dark side," Malwarebytes and Osterman Research polled 200 security pros between May and June 2018. They found security-related costs are enormous and growing, partly due to a spike in breaches and partly due to a proportion of industry experts donning "gray hats" and dabbling in cybercrime for money.
The cost of crime can be broken into three parts: budgeted costs for security infrastructure, services, and labor; off-budget costs related to major security incidents; and handling the cost of insider breaches. An organization with 2,500 employees can spend about $1.9 million on security, according to the new report, "White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime."
It's little surprise to learn most organizations in the US have suffered some type of security breach in the 12 months preceding the survey. Phishing was the most common, though respondents also listed adware/spyware, spearphishing, and adware. Organizations reported an average of 1.8 "major" attacks — or those that lead to significant operational disruption or shutdown — during 2017.
Midmarket companies, which usually have 500 to 1,000 employees, are hit hardest. Small businesses don't have a wealth of valuable data, while large ones have ramped up their defenses. Those in the middle are hit with more attacks than their smaller counterparts and have similar rates of attack as larger enterprises; however, they have fewer resources to defend themselves and less staff to combat threats.
"Midsize businesses are the perfect target if you're a cybercriminal," explains Malwarebytes intelligence director Adam Kujawa.
It's tough to stay safe when security is expensive. The average starting salary for an entry-level security pro in the US is $65,578, slightly above the global average of $60,662. Top security professionals in the US make an average of $133,422, the second highest salary among nations surveyed. One of the biggest costs to organizations, in addition to hiring talent, is retaining it.
But is it enough to keep security experts away from cybercrime? More than half of respondents said they know, or have known, someone who has engaged in black hat activity, the highest rate among the five nations polled. Twenty-two percent have been approached to participate in cybercrime; 8% considered it.
Researchers asked about the willingness of respondents' co-workers to become gray hats, or folks who maintain their roles as security professionals while becoming a black hat hacker on the side. Those in the US think 5.1% of their infosec colleagues are gray hats; in the UK, 7.9% of security pros believe their colleagues to be gray hats.
Most people in security think cybercrime is more lucrative and easier to enter than white hat security roles, according to the report. Nearly three in five security pros in the US said they think people become black hats because it's more financially rewarding than becoming a security professional. More than half think it's to retaliate against an employer, and half think black hats are driven by "some sort of cause of philosophical reason."
Security pros in the US are most likely to think employer retaliation is the driver, with more than half (53.3%) reporting that as the reason, compared with the global average of 39.7%. Malicious insiders are harder to find and have the potential to cause deeper damage than external attackers.
"That's a very expensive attack," Kujawa points out. "The value of the data is probably more than what a regular cybercriminal could gather or accomplish." Further, the company loses its trust in network infrastructure, which requires more work to address than securing the doors against outside threats. "Cybercrime is more available to everybody than it ever has been," he adds.
Survey respondents believe these days it's easier for anyone to wear a black hat. "One of the big lures we got from the survey is a lot of global midmarket companies suggest it's easier to get into cybercrime without getting caught," Kujawa says.
- No, The Mafia Doesn't Own Cybercrime: Study
- Google Engineering Lead on Lessons Learned From Chrome's HTTPS Push
- 10 Threats Lurking on the Dark Web
- Manufacturing Industry Experiencing Higher Incidence of Cyberattacks