When the hacker behind the Capital One data breach was presented in the media, she very much fit the eccentric cybercriminal stereotype.
However, the truth is that she’s quite an outlier. Most cybercriminals operate in highly organized groups based abroad. They approach their work like any business would except that their revenue streams are stolen data and extortion.
Understanding the business model of hackers and the value that your company’s data represents to them can be a useful thought experiment to help CFOs allocate appropriate resources to cyber defenses. We may live in a time when companies in the First World rarely have to pay “protection money” to mafiosos, but hacking is the new organized crime, and the criminals are similarly ruthless about getting paid.
Modern cyberattacks — such as sophisticated phishing techniques utilizing phony emails that look quite real — can be profitable even with a seemingly low success rate of around 1%. The cost of launching these attacks is low, and a single successful cyberattack can yield thousands or even millions of dollars in revenue.
There’s a formula here not unlike an online ad campaign. When ads can be proven to pay for themselves and more, any smart company is going to continue investing more in that campaign until the market is saturated.
Having a proven, predictable business model has enabled cybercriminals to scale and attract partners. They share a portion of the data they obtain through hacking (or the profit from selling stolen data) with individuals or entities interested in getting a piece of the action while minimizing their exposure to prosecution.
A successful cyberattack is usually monetized either through stealing data and selling it on the black market, or holding data hostage and exacting ransoms. The second scenario is a great revenue stream for hackers because it doesn’t require a buyer. Ransoms are typically paid in bitcoin, which most companies don’t have on hand. To facilitate the process, many of these gangs now offer customer service to provide assistance in paying the ransom.
While the Capital One hacker — who was arrested after bragging about her exploits online — may not have been of sound mind, most hackers are very clearheaded and rational. They are as organized as you and your competitors. Such predictability means the threat they pose can be coldly and rationally managed.
Any item a company devotes resources to insuring or securing typically has a known value attached to it. In order to guide a sound cybersecurity strategy, it’s important to take stock of how much your data is worth, both to you and to others.
Certain types of data have a known value on the black market. For instance, Social Security numbers are worth a surprisingly low sum, around $1 each. When combined with full address, date of birth, and name, however, cybercriminals can sell the information for about $50 to $100.
Medical records can enable cybercriminals to commit fraud and are a particularly valuable type of data, selling for about $20 to $50 depending on how many records are currently available on the market.
It’s not uncommon for health care organizations to have the data of tens or hundreds of thousands of patients stolen in a breach. If 100,000 medical records are obtained in a breach and sold for $20 each, that nets the hackers $2 million. It’s easy to see why health care organizations are a target for cybercrime.
In addition to the well-established marketplace for stolen personal information, consider the value of your company’s data if it were obtained by competitors. Play out a hypothetical scenario in which your company’s trade secrets, client list, or proprietary information are made public and how that would affect your business in the long term.
Finally, it’s important to make a realistic assessment of what your data is worth to you. Ransomware, in which hackers encrypt an organization’s data and charge a ransom to unlock it, is one of the most common types of cyberattacks.
The best-case scenario is that a company has a robust backup system and is able to restore its data in less than a day. The worst-case scenario is that no backup is available, so a ransom is paid, but the hackers still do not unlock the data and it is lost permanently. Consider the cost to your business of each of these possibilities and everything in between.
The main risk cybercrime organizations face is getting caught. If they are based in the United States, the odds are actually pretty good that they will get caught sooner or later. That’s why most cybercriminals are based abroad, which in no way prevents them from attacking U.S. companies.
For legitimate businesses, calculating the risk posed by cyberattacks involves a familiar formula:
Risk = (likelihood of an event) × (impact to the business)
We’ve covered part of the impact component of this equation. In addition to the cost of not having access to your data, the other piece to consider is reputation damage should knowledge of a breach become public, or should you be required by a regulatory body to notify customers (in addition to potential fines).
The likelihood piece is a bit tougher to pin down. More than half of businesses report that they have been hacked, and the number is rising. The percentage of businesses targeted by a cyberattack in a given year is very close to 100%, because these attacks are so systematic and ubiquitous. If hackers can surmise that your business likely has data they can sell, you are likely to be targeted more often.
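The following is an added worked example, not part of the original article, that puts numbers to the formula above using the black-market record values the article cites. The breach size, the likelihood, and the recovery-scenario probabilities and costs are constructed assumptions for illustration, not figures from the article.

```python
# Added example: "Risk = likelihood x impact" with the article's data values.
# Record prices come from the article; breach size, likelihoods and recovery
# costs below are constructed assumptions for illustration only.

# Black-market resale value per record, as stated in the article (USD).
BLACK_MARKET_VALUE = {
    "ssn_only": 1,          # bare Social Security number
    "full_identity": 50,    # SSN + name + address + date of birth (low end of $50-$100)
    "medical_record": 20,   # low end of $20-$50
}


def attacker_value(inventory):
    """What the stolen data is worth to the hacker: records x resale price."""
    return sum(count * BLACK_MARKET_VALUE[kind] for kind, count in inventory.items())


def expected_loss(likelihood, scenarios):
    """Risk = likelihood x impact, where impact is the probability-weighted
    cost across the recovery scenarios (best case, pay, worst case)."""
    if abs(sum(p for p, _ in scenarios.values()) - 1.0) > 1e-9:
        raise ValueError("scenario probabilities must sum to 1")
    impact = sum(p * cost for p, cost in scenarios.values())
    return likelihood * impact


# Constructed inventory for a hypothetical clinic: 100,000 medical records.
INVENTORY = {"medical_record": 100_000}

# Constructed ransomware outcomes as (probability, cost in USD):
#   restore_from_backup - backups restore within a day: one day of downtime
#   pay_and_recover     - ransom paid and the data is unlocked
#   pay_and_lose_data   - ransom paid, data never unlocked: rebuild, notification, fines
SCENARIOS = {
    "restore_from_backup": (0.60, 50_000),
    "pay_and_recover": (0.30, 250_000),
    "pay_and_lose_data": (0.10, 3_000_000),
}


def main():
    value = attacker_value(INVENTORY)      # $2,000,000, matching the article's arithmetic
    risk = expected_loss(0.5, SCENARIOS)   # assumed 50% chance of a breach in a year
    print(f"worth to the attacker: ${value:,}")
    print(f"annual expected loss:  ${risk:,.0f}")


if __name__ == "__main__":
    main()
```

Swapping in your own record counts, scenario costs and likelihood turns the article's formula into a defensible number to set against the security budget.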
A common rule of thumb is that businesses should invest at least 3% of their total IT capital expenditures in cybersecurity. Industries with particularly valuable data, such as finance, health care, and manufacturing, require a greater investment.
This budget is usually applied to a combination of technology and training, because hackers achieve their success rate most often through user error — someone inadvertently letting them into the system — rather than technological failure alone. The Capital One breach, which was caused by a misconfigured firewall, is unusual in that regard as well.
Since the threat of cyberattacks is relatively new, it can be overwhelming to determine an appropriate course of action. A good starting point is the understanding that cyberattacks on businesses have been increasing year over year this entire decade not because of some spontaneous crime wave, but because cybercriminals are essentially the new mafia.
Looking at your company through their eyes and evaluating the overall situation with the same detachment they enjoy puts you on more even footing.
Jim Parise is president of technology consulting firm Kelser Corporation, which provides managed IT services to Fortune 500 companies as well as small and medium-sized businesses.