With cybercrime shifting from user-targeted attacks to organization-targeted attacks, it stands to reason that the sophistication of cybercriminals' tools and malicious code has also increased. Although attackers now employ advanced evasion and persistence techniques to infiltrate and compromise an organization, their goal has remained constant: to make money.
Cybercrime led to estimated financial losses of more than $500 billion in 2015 alone, and that may double in 2016. While not all cybercriminal activities have to do with ransomware, some estimates put the annual costs of cybercriminal activities around $3 trillion in 2015, expected to reach $6 trillion by 2021.
From ransomware attacks aimed at making a quick buck, to APTs (Advanced Persistent Threats) aimed at siphoning intellectual property and customer data, cybercrime has also become a highly profitable industry.
Why Attack Businesses?
There are usually two factors that influence cybercriminals to consider SMBs and organizations as viable and profitable targets. One is that small and medium businesses often lack substantial security budgets. This means that, while they focus on expanding their business, they’re not all that concerned with enforcing security or keeping a firm grasp on customers’ personal data.
The fact that they also sometimes work with larger organizations as suppliers or contractors makes them even more appealing to cybercriminals, who can leverage the smaller company's access to those systems and eventually compromise large businesses as well. The Target breach is probably the best example, in which cybercriminals used an HVAC (heating, ventilation and air conditioning) supplier to gain access to Target's own network.
With more than 50 percent of businesses being breached in the past 12 months, it's becoming clearer that cybercriminals have found the weakest link in the security chain, one that lets them not only target larger organizations but also generate significantly more revenue by extorting richer victims.
The Data Extortion Game
When it comes to ransomware, SMBs are also extremely profitable for cybercriminals, as they have far more to lose if their databases are encrypted. Since small organizations don't always use regular backup solutions, they become easy victims for crypto-ransomware and can end up paying far more than the $300 an average user would.
In fact, some studies have shown that between 40 and 67 percent of businesses have been hit by ransomware, and over 34 percent actually paid the cybercriminals to get their data back. While few companies actually come out and admit to giving in to this form of data-hostage situation, it's even rarer that they admit how much they paid.
If ransomware was estimated to generate hundreds of millions of dollars from the average user, targeting SMBs means an entirely new and more profitable revenue stream for cybercriminals.
IoT - The Next Target
With cybercriminals expanding their attack surface to include the ever-growing IoT realm, these estimates may be closer to reality than expected.
More than 6.4 billion IoT devices are estimated to be connected to the internet in 2016 and more than 21 billion forecasted for 2020, meaning cybercrime financial losses will not only peak in the trillions of dollars, but will also cause serious security concerns for companies relying on smart things, across all market verticals.
The cybersecurity market is also expected to reach an estimated $202.36 billion by 2021, from an estimated $122.45 billion in 2016. This would probably mean that, as the number of security breaches and attacks increases, companies and organizations would more likely adopt cybersecurity solutions and technologies.
An even more optimistic estimate shows that Internet of Things security spending will reach $547 million in 2018 from an estimated $348 million in 2016. With more than 25 percent of attacks aimed at enterprises and organizations leveraging IoT vulnerabilities, security vendors will become more motivated to invest in security mechanisms and work with security vendors towards a unified security framework for smart devices.