To gain a deeper understanding of the insights illuminated by this research, Brilliance Security Magazine spoke with Adam Kujawa, Director of Malwarebytes Intelligence. Adam explained that for the first time ever, the survey identifies that the combination of threats, skills shortage, security practitioner compensation, and retention challenges (and presumably the temptation to turn Black Hat/Gray Hat) may be crunching mid-market companies with 500-999 employees more than larger and smaller companies.
The report “White Hat, Black Hat and the Emergence of the Gray Hat: The True Costs of Cybercrime” goes beyond merely surveying companies about the impact of cybercrime on their bottom line, but also looks at all sides of IT security costs from budget and remediation, to hiring and recruiting and retention. With the potential for a Black Hat to make more than $166,000 a month, it’s no surprise that an IT security professional with a starting salary of $65,000 a year may be tempted to straddle the fence as a Gray Hat (engaged in insider theft or cybercrime) to supplement their income. Practicality prevails, however, in that the majority of cybercrime fighters believe there is more money to be made defending against hackers as opposed to joining their ranks.
Top findings include:
- Global organizations are still taking the bait: Phishing was the most common threat causing business disruption globally (44 percent), followed by adware/spyware (41 percent), ransomware (26 percent) and spear phishing (20 percent).
- In the US, mid-market companies are getting attacked and squeezed more than their larger counterparts: Companies with 500-999 employees are experiencing about the same levels of major incidents caused by phishing, spearphishing and hacktivist attacks as the largest corporations (of more than 1000 employees), while charting significantly higher levels of adware, accidental insider data breaches and intentional insider data breaches. They even had higher levels of nation-state attacks. As a result, they had the highest percentage of 2018 security budget increases and spent a higher percentage of that budget remediating attacks than both larger and smaller (under 500 employees) enterprises.
- US security budgets climbed faster; as a whole, organizations spent 15 percent of their security budgets on remediation: In the US, the average security budget of companies surveyed was $930,004, with an increase to $1,119,821 in 2018. US security budgets are projected to climb 20 percent faster than the other regions surveyed with 15 percent spent on remediating active compromises (malware intrusions, threat remediation, forensics, etc.)
- The cost to remediate in the US is astronomically high: In 2017, the US had the highest overall cost for a major remediation event, $876,225, spending eight times more than businesses in the UK. Of this spend, $516,405 was spent on remediating threats caused by the malicious insider or “gray hat” activity.
- Malicious insiders are not hard to find – UK-based respondents believe that one in 13 of their colleagues are “gray hats” – working as security professionals while also operating as cybercriminals, while US respondents believe one in 20 of their colleagues may be dabbling in the darkside.
Steven Bowcut, CPP, PSP is the Editor-in-Chief for Brilliance Security Magazine.