As the first half of 2011 draws to a close - six months that have seen some of the most serious online security breaches for enterprise and government ever - Cisco has published a new security report addressing the shift in activity for cyber criminals.
There is a bright side and a very dark side to the results of this report, titled "Email Attacks: This Time It's Personal," which was based on responses from 361 IT professionals from 50 countries.
Speaking at a media event in San Bruno, Calif. on Thursday, Tom Gillis, vice president and general manager for the Security Technology Business Unit at Cisco, explained what Cisco has seen as the "evolution of the threat landscape," which can be broken down as the "Four Cs" of motivation:
- Competition (Notoriety by hitting people with email attacks worldwide)
- Commerce (Spam, selling things like herbal remedies, etc.)
- Crime (Stealing credit card and social security numbers)
- Country (More politically motivated, sophisticated attacks)
As far as mass spam goes, the incentive and actual action of those attacks have dropped considerably. Let's take a look at some of the positive highlights from the study:
- Daily mass spam volumes dropped from 300 billion messages in June 2010 to 40 billion
- Financial returns from mass spam/e-mail attacks declined by over 50 percent from $1.1 billion in June 2010 to $500 million in June 2011
However, according to Patrick Peterson, a chief security researcher at Cisco, the nature and rewards for more serious heists, such as targeted attacks, are much more lucrative. This shift really took place somewhere around 2010, which is evident based on the previous numbers.
Here's a snapshot of where more serious attacks are heading as the major security attacks shift from mass spam to personalized attacks:
- In the last 12 months, Spearfishing attacks have increased threefold; personalized scams, malicious and targeted attacks have all risen fourfold
- Fishing campaigns can net at least 10 times the profit of a mass spam attack
Now let's examine the bottom line: what is this costing enterprises and even governments worldwide?
Overall, the estimated cost of targeted attacks to organizations is $1.29 billion annually. Cisco estimates that figure breaks down to for every $1 lost due to infected users, enterprises spend an additional $2.10 for remediation and then $6.40 for reputation repair.
So what are we all to do? Obviously, enterprises and governments are leaving too many loopholes open to personal data of customers and citizens.
Granted, there has been much more media hype about hacking and security breaches this year, especially after the attack on Sony's PlayStation Network in April. That just led to a flood of attention on the part of the media, consumers/citizens and hackers who saw an opportunity.
Nevertheless, everyone has to take more action against cyber attacks. That's not just corporations (who definitely have a responsibility to their end users), but also the end users as well by being more vigilant and conscientious when using email, sharing account information, installing firewalls, etc.
This is also an opportunity for a number of IT-focused enterprises worldwide, including Cisco, as obviously the need for new and better digital security platforms is prevalent. There's the saying that "any publicity is good publicity," but that isn't necessarily true for businesses who have been victims of major hacking jobs, such as Citigroup, Sega and Nintendo. These corporations are going to need to step up their security standards, and that's where this could be suddenly profitable for tech companies focused on developing security solutions.