Willie Sutton was the man who (according to a popular story) gave the definitive answer to the question “Why do you rob banks?” He said “Because that’s where the money is”.
When Willie Sutton was plying his trade as a bank robber in the 1930s, banks were all high-street institutions and money was kept in the safe, on site. But what would Willie Sutton have made of today’s cyber robbers?
With a few notable exceptions, it seems that cyber thieves are getting away with rather less than the public believes, according to a recent study by the Ponemon Institute.
The study indicates that a hacker on average makes $15,000 per attack and an income below $29,000 per year. “Earnings” at this level are considerably below what a legitimate security expert might earn.
This may sound strange, when newspapers report multi-million or even billion dollar losses for corporations that have suffered cyber-attacks. The explanation is simple, however.
The huge losses are caused not only by the money stolen by hackers, but also by the cost of trying to put things to rights afterwards, make amends to real and potential victims amongst the organisation’s customers, and salvage a much-battered reputation.
Some hackers, also known as hacktivists, have other motives instead of, or at least in addition to, those related to money. The current “Panama Papers” leaks are a source of considerable embarrassment for some, but the goal was to expose financial dealings, not to make financial gains.
The hackers who still go after the money may apply Willie Sutton’s logic in their own way, by targeting the organizations that are the easiest to rob.
The good news for enterprises willing to make the effort is that if they can hold out longer against financially motivated cyber-attacks, there is a better chance of the hacker giving up and moving on. In that sense, those enterprises might even say “thank you, Willie Sutton”.