Just a few years ago, financially motivated attackers tended to focus on fringe businesses like online gaming sites. But transaction processors like Protx are now choice prey for extortionists, according to Peter Rendall, CEO of Top Layer Networks, a security vendor based in Westboro, Massachusetts. "If you bring down your payment processor, you can bring down hundreds of [online] processors," he said. " Transaction processors like Protx will do everything in their power not to be offline; therefore, they are investing heavily in security and bandwidth."
Proportionately, online security costs are greater for smaller companies than for larger ones. According to the 2005 Computer Crime and Security Survey conducted by the Computer Security Institute and the Federal Bureau of Investigation, companies with sales of less than $10 million per year spent $643 per employee on computer security each year. For the largest companies--those with more than $1 billion in annual revenue--the amount spent on security dropped to $247 per employee.
The survey found that companies in the utilities business spent the most on computer security--on average, $190 per employee per year. Next highest on the list were transportation and telecommunication companies, with average annual costs per employee of $187 and $132, respectively.
But for companies under targeted attack, the costs are decidedly higher. Protx, for example, ended up spending a whopping $38,000 per employee on security over the past year.
Protx's Alculumbre says he had thought that his company was too small to draw the attention of organized crime, but the events of the last year have taught him otherwise. "It's very alarming for us that an unknown assailant can do so much to a business that I've spent so many years trying to build," he said.
Though the first days of the assaults were stressful, Alculumbre that says he's grown more accustomed to the high costs involved. "If you're going to be in business, then you have to accept that DDoS attacks are a part of this," he says.
Tomorrow: Who's Catching the Cybercrooks?