Proven strategies can save hundreds of thousands of dollars
As noted in our kick-off post, the theme for this year’s cybersecurity awareness month campaign in the U.S. is “See Yourself in Cyber.”
This is an excellent place to start. But we mustn’t forget about the other side of the equation. Your business objectives should define your motivations. However, it’s essential to understand the competing motivations that may be working against you.
“Know thy self, know thy enemy.”
Cybercriminal Motivations
Cybercriminals tend to operate in a highly opportunistic fashion, seeking the best return on their investment with minimized risk of getting caught. They are experts at employing targeted tactics and tormenting techniques to compromise systems and uncover, steal, and sell valuable business data. If there is no market value in the data, they will instead hold it—and sometimes just the systems—for ransom.
Why do they do this? Because there is money to be made.
The total cost of cybercrime is expected to rise globally to $10.5 trillion by 2025, with the global average cost of a data breach estimated at $4.35M.
These are some of the top motivations behind cybercriminals’ activities:
- Ransomware is profitable: One fundamental model for monetization of cybercrime comes from ransomware. With a continued upward trend, ransomware is forecast to cost victims over a quarter trillion (USD 265 billion) annually by 2031.
- Phishing and business email compromise are lucrative: Some of the priciest initial attack vectors in 2022, on average, were phishing and business email compromise, both at nearly USD 5 million each. Compromised credentials, which these attacks pursue, cost USD 4.5 million on average.
- Exploiting third-party software is enticing: Responsible for 62% of system intrusions, vulnerabilities in third-party software cost companies USD 4.55 million on average. Keep in mind that the short-term motivation here may not be financial. According to Verizon, “unlike a financially motivated actor, nation-state threat actors [that can compromise the vulnerabilities uncovered in the supply chain] may skip the breach and keep the access” for later use.
- IT complexity is easier to attack than protect: Human error is understandable, especially as systems and environments have gained capabilities and become more convoluted. Configuration errors highlight employees’ fallibility and their inability to understand how these systems work end-to-end.
- End-user (un)awareness is like fishing in a barrel: 82% of breaches involved the human element, many of which can be attributed to stolen credentials, phishing, system misuse, or (again) human error.
Speaking of stolen or compromised credentials, this was the most common initial attack vector in 2022, responsible for 19% of breaches in a recent IBM study. These attacks carry an average cost of USD 4.50 million, according to the Verizon DBIR.
Business Motivations
With the constant up-and-down between good and evil, it can prove challenging for companies to get off the cyber-see-saw to focus on what matters: growing and protecting the business for long-term sustainability.
These are a few areas that motivate business leaders to invest in cybersecurity:
- Corporate responsibility is non-negotiable: Environmental, social, and governance (ESG) issues have become a boardroom and executive-level conversation and a mandatory element in fundraising for start-ups. More than two-thirds (68%) of start-ups have embedded ESG in their business strategy from the inception of their company because investors expect it to be there. Connecting security to ESG can help companies exhibit their desire to do the right thing for society.
- Demonstrating due care proves valuable: Security as a value-add feature in the offering continues to grow in popularity. We see big brands leaning in on their ties to security and privacy. The idea is that consumers value privacy, will choose one brand over another because of it, and will pay more for it. Start down this path, however, and get it wrong, and the brand could take a hit. This principle holds for business-to-business relationships too. Doing business with like-minded organizations can nurture a competitive advantage over those that don’t share these same bonds rooted in cyber safety.
- Exploiting risk shouldn’t be counterintuitive: A thoughtful approach to risk could enable the organization to tackle projects and create solutions that others may not want to touch or succeed in. For example, while many organizations may attempt to introduce AI into their offerings or play in the metaverse, doing so without clear ethics surrounding security and privacy by design could leave the company exposed in ways unimaginable.
Another example can be found in the explosion of data. Since many cybercriminals’ motivations are rooted in data, it’s essential to look at data’s role as a business motivator. For starters, 2.6mn petabytes (PB) of data were consumed globally in 2021. This figure is expected to rise to reach 8.1mn PB by 2026. That’s a lot of data to manage and protect.
At both ends of the cyber-see-saw, legitimate and illegal businesses share a common motivation: to build a strong revenue stream, generate top-level returns on their investment, protect future revenue streams, and ensure that the value generated supports their long-term sustainability.