What are the chances of becoming a cyber victim? In this post, we’ll explore the odds compared to the chances of other unrelated events.
Many of us take comfort in knowing that certain bad things are not likely to happen to us, so we don’t worry too much about those things. We think our chances are pretty good.
Comforting Odds:
- Dying from a shark attack: 300,000,000 : 1
- Your opponent’s getting a Royal Flush in poker: 649,739 : 1
- Being struck by lightning in California: 7,538,382 : 1
- A meteor landing on your house: 182,138,880,000,000 : 1
- Dying from a mountain lion attack in California: 32,000,000 : 1
- Dying from parts falling off an airplane: 10,000,000 : 1
- Being attacked by an Orca: 0 (excluding Orcas in captivity)
On the other hand, we find lots of things good or bad for which the odds are not what we would like them to be. We don’t think our chances are as good for these things turning out our way.
Not Comforting Odds:
- Getting a Royal Flush in poker: 649,739 : 1
- A meteor landing on your worst boss’s house: 182,138,880,000,000 : 1
- Being struck by lightning in Montana 249,550 :1
- Having a stroke: 1 in 6
- Winning the Powerball Jackpot: 13,983,816 : 1
- An American man developing cancer in his lifetime: 1 in 2
- There is another category of bad things for which we just don’t know the odds, and It’s Downright Scary!
Downright Scary:
Odds that your antivirus product will protect you from a cyberattack: Unknown
Actually, you cannot accurately calculate the odds of your antivirus (AV) product protecting you because probabilities deal with the odds of specific events happening. Here, the cyberattack could be spam, malware, phishing, social engineering, or some other form of attack. Within each of those categories, there is a wide range of types of attacks. On average, there are 27 trillion malicious attacks per year, so there are going to be a lot of attack vectors crashing into your AV product. Calculating the odds is almost impossible. It’s Downright Scary!
McAfee’s The Economic Impact Of Cybercrime And Cyber Espionage, July 2013, estimates the cost of global cybercrime to be $300 billion to $1 trillion. Using an average annual cost per breach of $11.56 million, extrapolated from the 488 attacks used to measure the total cost in a study for The Ponemon Institute’s 2013 Cost of Cyber Crime Study: United States, the total number of attacks would be in the range of 26,000 to 87,000. Of course, as the number of attacks is spread out over all victims, the cost per attack would drop, meaning that the number of successful attacks would be much higher. We just don’t know. It’s Downright Scary!
What we do know is that for those 26,000, 86,000, or whatever higher, scarier number it is, their AV product did not stop whatever malicious threats caused the breaches. Of course, none of the other defenses these companies had in place stopped the criminals. In fact, 100% of the time, the combination of all of these products failed for these victim companies.
How about for you company? Would you be protected? Unfortunately, you don’t know. It’s Downright Scary! Also unfortunate is that fact that most companies don’t know they were not protected until about 210 days on average (Trustwave) after they have been compromised. Wonder what the bad guys could do inside your systems in 210 days? It’s Downright . . ., well, you get the point.
What can you do? It is apparent from these numbers and from the daily news reports, that there are at least two major things happening in the cyber world – the good guys are losing and the bad guys are winning. This is not just both sides of the same coin, there is much more to it than that. Sure, the bad guys are getting better at what they do. They have entire infrastructures to rely on, social networks for criminals, division of labor, secondary markets for their tools, and they learn quickly from what they learn. They are not all smart, but many are and there are many of them.
So, why are the good guys losing? There are lots of reasons to be sure, but a significant number of attacks are successful because the incoming threat was not detected at all or not detected until it was too late. The collective description of the problem in these cases is than the AV vendor of other provider is trying to fight today’s cyber war, and it is a war, using yesterday’s tactics and yesterday’s weapons. Many victims are surprised to learn that there is a better way. That better way it to use actionable intelligence and proactive intervention to identify the sources of the malicious threats, identify the bad actors and their tools and networks and to use this information to prevent their success and to take down their infrastructure.
Is this a 100% cure? No, a “cure” is not in sight. However, it is better medicine. Throughout our history, we have benefited from moving away from shamans and witch doctors and toward proven effective cures for many illnesses. To make ourselves safer in the cyber world, we must take similar action. We must move away from what might have worked, we really don’t know how well it did work, to what we know is better – an intelligence-based approach to cyber protection. Not only is the cyber world often very mysterious, It’s Downright Scary!
