Calculating the cost of email threats - hype or high risk?

By Nigel Mendonca, Regional Director, Asia, Symantec.cloud | Apr 28, 2011

Hackers Steal Thousands from Insurance Firm!
Cyber-Crooks Steal Millions from Small Companies!
Health Records Compromised by Computer Virus!
Computers Shut Down in Malware Attack!

Eye-catching headlines like these seem to leap from the pages of newspapers, magazines and online media all too frequently these days. Collectively, they convey the disturbing impression of a constant stream of businesses and public sector organizations around the world falling foul of email-borne threats such as viruses, worms, Trojans and spyware – and paying a punishing price as a result.

But is this just another classic case of media hype? Is the threat exaggerated? Or does the degree of risk facing businesses justify the coverage and column inches such stories often command?

For any organization, whatever its size and sphere of activity, these are fundamentally important questions. Only if a business develops a clear understanding of just how likely it is that a PC or network will be attacked – and what the financial consequences of such an attack might be – can it make a sensible decision whether to invest in an email security solution and, if it does, how robust that solution should be.

Could it happen to you?

Despite all the publicity that email threats generate, many computer users are still surprisingly optimistic about their chances of staying immune from them.

Only a year or so ago, half of the respondents to a security survey were confident it wouldn’t happen to them. Twenty-nine per cent thought it very unlikely that their PC would get infected by a virus, while a further 14 per cent thought they would never experience such an infection.

A common cause of this complacency is the (mistaken) belief that “I’ve got nothing worth stealing on my PC”. In reality, everyone has – even if it’s just an email address. In the murky alleyways of the shadow economy which the global cyber-crime industry has evolved into, lurk all kinds of people willing to pay for all kinds of data. As a result, there’s absolutely no shortage of criminals who are willing to steal this data and keep feeding what is indisputably a growth market.

Cyber-crime has come a long way in a comparatively short space of time. Maverick hackers and eccentric loners have been pushed to the margins. Gang culture has taken root. Indeed, an overwhelming majority of the malware and other threats circulating the globe are now unleashed by well-organized criminal gangs that are sophisticated, disciplined and frequently located in countries where they can operate with minimal interference from the authorities.
 

The resources at the gangs’ disposal match the scale of their ambition. And specifically, it’s the botnet phenomenon that puts colossal firepower in the hands of the ‘bad guys’. Comprising thousands or in some cases millions of ‘bots’ – legitimate PCs infected without their owners’ knowledge and orchestrated by a controller or ‘herder’ maybe hundreds or thousands of miles away – botnets are firmly established as the number one medium of mayhem afflicting computer users worldwide. Moreover, although mainly used to spew out breathtaking quantities of spam, botnets are also heavily deployed in the propagation of malware-bearing and other malicious emails.

Bearing in mind the scale of the weaponry at the cyber-criminals’ disposal, it’s probably not surprising that it’s relatively easy for a PC to ‘catch’ a virus – a virus whose objective may not simply be to disrupt or crash a computer or network, but rather to seek out confidential (and therefore valuable) data that can be secretly leaked to the virus’s controller.

Last year over 92.9 billion potentially infected spam messages were sent each day, accounting for an estimated 89 per cent of all email. By the end of the year there were something like 77 targeted attacks per day, using complex social engineering tactics to dupe victims and steal information. The threat is not just email: in 2010 Symantec.cloud blocked over 3,000 new websites with spyware or malware each day.

Faced with this deluge of threats, no business can afford to rely solely on the alertness of its employees to keep it safe. Even the most threat-savvy end-user can’t remain immune indefinitely – perhaps because they share computer resources with someone less aware of the dangers, increasing their risk exposure by proxy.

Or perhaps because they are momentarily distracted by an urgent task or weighed down by the pressure of a bulging inbox. Or perhaps because cyber-criminals are now highly skilled at giving their emails the degree of plausibility and apparent authenticity needed to fool even the smartest of potential victims. Whatever the case, one careless click is often all it takes for the threat to get loose and carry out its malicious mission.

Under attack
The exact course of events may vary. But the results of an attack are always undesirable. Broadly speaking, though, incidents can be broken down into three categories, according to their scale and frequency:

  • Minor:
    Accounting for most malware incidents, these typically result in a single machine becoming infected and needing to be cleaned, putting it out of action for a couple of hours. Although limited in impact, cost and disruption can soon add up if minor incidents take place regularly. Indeed, they can easily occur several times a day, leading to a classic ‘drip-drip’ erosion of IT resources and employee productivity.
  • Major:
    More serious than minor incidents, these typically render multiple systems unavailable and directly affect revenue streams. Major incidents may only happen around once a year but, when they occur, they can do significant harm to an organization’s operations.
  • Severe:
    Occurring perhaps less than once a year, these relatively rare events can nevertheless be devastating for any business. Typically they involve high-value data or financial systems being compromised by a successful targeted trojan or phishing attack, with huge damage done to the unlucky organization’s bottom line.

Picking up the bill

Incidents can vary in size, type and scope. But what will they actually cost in financial terms? The truth is that each event will differ, with key factors such as the nature of the business attacked and the sensitivity of any lost data determining the scale of the impact.
 
But generally speaking, between them, an incident and the response it triggers will involve some, most or all of the following, each of which will result in a cost to the affected organization:

  • Identification of the nature and extent of the problem.
  • Identification of the point of entry.
  • PC clean-up/repair.
  • Data/system restoration/reinstallation.
  • Damage and danger assessment.
  • Service interruption.
  • Lost productivity due to PC downtime.
  • Lost revenue (e.g. due to systems being unavailable to process payments).
  • Breaches of confidentiality.
  • Loss of data (usernames, passwords, financial information etc).
  • Damaged reputation.
  • And finally, but arguably most important of all: the unknown. For example, once malware has penetrated a network, it’s very hard to know exactly what it’s been doing, what data has been lost, how that data might be abused, who it might be sold on to etc. Unknowns like these can undermine confidence within any business.

A number of surveys have tried to put a figure on the financial impact that virus incidents can have on an organization. In a 2008 CSI crime survey in the US, respondents reported an average annual cost of US$40,141; in addition, the reported cost of computers being recruited to botnets averaged a massive US$350,000 per respondent.

In a government survey also conducted in 2008, two-thirds of the businesses taking part said a virus incident was the worst security breach they had suffered during the year.
 

So is there a basic rule of thumb you can use to estimate how much an incident could cost your business, and the size of the bill your business might have to pick up over the course of a year?

  • A minor incident (as defined above) will probably cost around US$100, taking into account PC downtime, lost productivity and cost of clean-up. Using the average figure of 2,500 malicious emails heading towards a business during the course of a year, that gives a ‘total minor incident cost’ of $250,000 for any organization without an email security system in place.
     
  • A major incident (as defined above) might typically cost a small business between US$15,000 and $30,000 in total and a large company between US$140,000 and US$250,000 – a substantial annual cost if such an incident happens once a year.
     
  • A severe incident (as defined above) could leave the victim organization picking up a bill running into millions.

Big money, big question
A gang in China is reported to have made millions from writing and distributing Trojans designed to steal passwords for online gaming accounts. Criminals are said to have made tens of millions from small and medium-sized businesses in the US through malware distributed via spam and designed to steal online banking details. A spamming operation generated monthly sales of between around US$400,000 and US$750,000 because one in every 30,000 of its advertising emails resulted in a sale – a great example of the mind-numbing volume of spam now in circulation on the internet!

As these examples clearly demonstrate, there’s big money to be made in cyber-crime. Stolen data, for instance, may only command prices below US$10 per record, though high-value data will come at a considerably higher price. But with hundreds of thousands of data packets constantly changing hands, fortunes can still be made with minimal effort.

What’s more, the overall cost to society generally exceeds the black market value of the abducted information many times over. It’s estimated that anyone losing data with a ‘retail’ value of US$10 will actually incur around US$200 or more in costs, taking into account not just financial losses but also inconvenience and time spent dealing with the incident and putting straight the resulting mess.

So the big question for your business is: are you content to withstand the financial hits that email threats inevitably deliver? Or would it actually save you money if you could implement an email security solution that blocks virtually every threat at internet level before it even approaches your corporate gateway, with minimal demand on your in-house IT resources?

We need an email security solution that achieves this objective. Hosted services provide a lower total cost of ownership alternative to ‘low/no-cost’ services and software/appliance-based solutions that are invariably less accurate and less effective. The real cost of hosted security is infinitely lower than the ‘do nothing’ option where malware incidents, phishing attacks, spam influxes and all their resulting costs are accepted as an inevitable fact of business life.

The risk of becoming a victim of cybercrime is very real. So too are the costs. But making the right call where email security is concerned will mean your business can stop paying them.

 
