The majority of businesses are not likely to be an active target of cyber criminals (at least at first). What I mean by this is that there is not somebody saying… “I know, I’ll target ABC Company”. That is not really where the story starts.
When your business acquires a new customer, there is an associated cost of acquisition. This is the amount of time and money you spend luring your prospective customer and convincing them to purchase your products or services. The value the customer gives you (i.e. the amount of money you make from them) must be greater than the cost of acquisition in order to be profitable.
Cyber Crime Economics = Business Economics
What a lot of people don’t realise is that cyber criminals are organised gangs and operate like a business. They operate on this same economic principle. The amount of money they make from you needs to be more than the cost of acquiring you as a “customer”, perhaps better described as a “victim” in this case.
Let’s go back to the business operation for a moment. Say you sell beds and you make £500 profit for each bed you sell. You decide to spend £1000 on an advertising campaign on social media. As part of that, you need to get the adverts designed and produced, pay for placement, and track the results, in order to measure your return on investment. In this advertising campaign, you reach 5000 potential customers. Not all of those prospects are likely to buy. The good news is, you only need to sell two beds in order to break even. Every sale after that is profit. You sell 20 beds as a result, making it a successful campaign.
The same thing applies to cyber crime. Cyber criminals will carry out a campaign based on one method. In your business it was social media advertising. In the criminals’ case they also pick a medium to gain potential victims. Let’s say they choose email.
They craft a clever phishing email designed to trick their victims into downloading some ransomware.
This is software that will encrypt all the files on the victim’s computer so as to prevent access to them. They charge a ransom to make the files available again.
This email is sent to a list of 500,000 email addresses. Let’s say the campaign costs them around £1000 after they’ve purchased the ransomware, obtained the list of emails and paid one of their members to set it up. Each time a victim pays the ransom they make £200. To break even, they only need 5 victims (0.001%) to be affected and pay the ransom. Anything after this is profit. There’s a pretty good chance more than 5 victims will choose to pay £200 instead of losing all their data. The campaign is a success and 100 people pay the ransom, netting the criminals £19,000 profit.
Passive Threat, Not Targeted
These numbers are all hypothetical, and the process is somewhat simplified, but the principle is very real. A scattergun approach to cyber attacks means you’re very likely to be a target at some point. In the scenario described, all they need is your email address, which is highly likely to be out there and available, either because you’ve posted it somewhere or because a website or service you use was hacked at some point.
This is what we mean if we say there’s a passive threat. You’re not a focussed, individual target of the criminals in most cases, but you are certainly a target. Fortunately, this means that if you do all the ‘basic’ things right when it comes to cyber security, the majority of attacks will pass you by. Note that I say majority. That’s because it’s almost impossible to be 100% certain you’ll never be hit, which is why it’s important to have a plan B such as good backups and cyber insurance.