Attack Cost $5, Defense Cost ¥500,000 per Month──AI Worms Begin to Undermine the ‘Assumptions’ of Small Business Security
Attack Cost $5. That’s all it takes to target your company.
A research paper published in 2024 by a team from the University of Illinois has overturned conventional wisdom in cybersecurity. It demonstrates that an “adaptive worm” built from AI agents can autonomously infiltrate a corporate network, spread through it, and steal information, using a GPT-4 class model at an API cost of about $5.
$5. The price of five cans of coffee. That is becoming the “cost” of an attack that steals your company’s passwords and customer information.
On the other hand, how much does it cost to defend? Companies spend between ¥200,000 and ¥500,000 per month on firewalls, EDR, and employee training. Against a $5 attack, that is a cost ratio on the order of several hundred to a thousand to one. This asymmetry is the essence of the structural change currently underway.
What’s Different from Traditional Worms──The Emergence of ‘Thinking Malware’
Until now, worms (self-replicating malware) operated on “fixed patterns” that exploited known vulnerabilities. Therefore, they could be prevented by applying patches and detected by pattern-matching antivirus software.
Adaptive worms are fundamentally different.
- Reconnaissance Phase: The AI automatically analyzes the target’s OS, network configuration, and installed software.
- Strategy Generation Phase: An LLM (large language model) generates the optimal attack code for that environment in real-time.
- Execution and Spread Phase: Once the attack is successful, it uses the infected target’s computing resources to repeat the same process on the next target.
In other words, the same attack code is never used twice. Signature-based detection, which looks for the byte patterns of previously seen malware, has nothing stable to match against. These worms operate across Linux, Windows, and IoT devices, and with each infection the attacker’s marginal cost approaches zero, because the computing resources of the machines already compromised are reused for the next attack.
This is the most frightening aspect. Attacks scale exponentially with zero additional cost. This is not just a concern for large corporations. Rather, small businesses without dedicated security personnel become “profitable targets.”
‘How Much Can We Spend to Protect Ourselves?’──The Real Defense Costs for Small Businesses
To be honest, perfect defense does not exist. What is possible is to make yourself a less cost-effective target than the next company. It is the same logic that sends a burglar to the unlocked house rather than the locked one next door.
Below, we outline realistic defense strategies and cost estimates for small businesses with 10 to 50 employees.
1. First, Block: Multi-Factor Authentication (MFA) and Password Management [Monthly ¥10,000 – ¥30,000]
The ultimate goal of many adaptive worms is the theft of authentication credentials. Even if a password is stolen, MFA (multi-factor authentication) means the attacker cannot log in with the password alone. One caveat: a one-time code delivered by SMS or a push approval can be relayed through a real-time phishing proxy, so where the service supports it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, starting with administrator accounts.
- Password management + MFA such as 1Password Business / Microsoft 365 Business Premium: Approximately ¥500 – ¥2,000 per person per month.
- For a company of 50 people, that comes to about ¥25,000 – ¥100,000 per month; the ¥10,000 – ¥30,000 in the heading and in the summary table below is the figure for the smaller companies in the 10-to-50-person range covered here.
This is not a question of cost; it’s a question of whether to do it or not. This is the most ROI-effective defense against a $5 attack. If your company has not yet implemented MFA across the board, you should do it today after reading this article.
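Before rolling MFA out “across the board” you need to know who is still uncovered, and whether the covered accounts are using a method a phishing proxy can relay. The script below is an added example for this article, not code from the page or from any vendor: it audits a user-registration export. The record shape mirrors the fields Microsoft Graph returns from its `userRegistrationDetails` report (`userPrincipalName`, `isAdmin`, `isMfaRegistered`, `methodsRegistered`), but those field names, the method names, and the sample data are assumptions constructed for illustration; adapt the classification sets to whatever your identity provider exports.

```python
"""Audit MFA coverage from an exported user-registration report.

Added example for the article, not its own code. The record shape and method
names are assumed to match a Microsoft Graph userRegistrationDetails export;
SAMPLE_REPORT is constructed data, not a real tenant.
"""
import json
from dataclasses import dataclass

# Methods a real-time phishing proxy can relay (the victim types the code or
# taps "approve" on the attacker's behalf). Assumed method names.
PHISHABLE_METHODS = {
    "mobilePhone", "officePhone", "email", "softwareOneTimePasscode",
    "microsoftAuthenticatorPush",
}
# Methods bound to the origin and the device; a proxied login fails. Assumed names.
PHISHING_RESISTANT = {"fido2SecurityKey", "passKeyDeviceBound", "windowsHelloForBusiness"}

# Constructed sample export for a five-person slice of a company.
SAMPLE_REPORT = json.dumps({"value": [
    {"userPrincipalName": "ceo@example.co.jp", "isAdmin": True,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "it-admin@example.co.jp", "isAdmin": True,
     "isMfaRegistered": True, "methodsRegistered": ["fido2SecurityKey"]},
    {"userPrincipalName": "accounting@example.co.jp", "isAdmin": False,
     "isMfaRegistered": True, "methodsRegistered": ["mobilePhone"]},
    {"userPrincipalName": "sales1@example.co.jp", "isAdmin": False,
     "isMfaRegistered": False, "methodsRegistered": []},
    {"userPrincipalName": "factory@example.co.jp", "isAdmin": False,
     "isMfaRegistered": True,
     "methodsRegistered": ["microsoftAuthenticatorPush", "passKeyDeviceBound"]},
]})


@dataclass
class Finding:
    user: str
    is_admin: bool
    status: str  # "no-mfa" | "phishable-only" | "ok"


def classify(record: dict) -> Finding:
    """Bucket one account by the weakest-acceptable factor it has registered."""
    methods = set(record.get("methodsRegistered", []))
    if not record.get("isMfaRegistered") or not methods:
        status = "no-mfa"
    elif methods & PHISHING_RESISTANT:
        status = "ok"
    elif methods <= PHISHABLE_METHODS:
        status = "phishable-only"
    else:
        status = "ok"  # method we do not recognise: report, do not flag
    return Finding(record["userPrincipalName"], bool(record.get("isAdmin")), status)


def audit(report_json: str) -> list[Finding]:
    """Parse the export and return findings, worst first, admins ahead of users."""
    records = json.loads(report_json)["value"]
    findings = [classify(r) for r in records]
    order = {"no-mfa": 0, "phishable-only": 1, "ok": 2}
    return sorted(findings, key=lambda f: (order[f.status], not f.is_admin, f.user))


def coverage(findings: list[Finding]) -> float:
    """Fraction of accounts with any MFA registered: the 'across the board' number."""
    return sum(f.status != "no-mfa" for f in findings) / len(findings)


if __name__ == "__main__":
    results = audit(SAMPLE_REPORT)
    for f in results:
        print(f"{f.status:15} {f.user}{' [ADMIN]' if f.is_admin else ''}")
    print(f"MFA coverage: {coverage(results):.0%}")
```

Run it against the real export and work the list from the top: an administrator with no second factor is the first thing an adaptive worm’s credential theft turns into full tenant control.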
2. Detect: EDR/XDR (Endpoint Detection and Response) [Monthly ¥30,000 – ¥100,000]
Traditional antivirus software relies on matching the signatures of known files, which gives it nothing to match against code that is generated fresh for each target. Behavior-based detection through EDR (Endpoint Detection and Response) is necessary: it watches what a process does (which programs it launches, which hosts it connects to) rather than what its bytes look like.
- CrowdStrike Falcon Go / SentinelOne Singularity: ¥500 – ¥1,500 per endpoint per month.
- For 50 devices, that’s about ¥25,000 – ¥75,000 per month.
- Adding a managed SOC (Security Operations Center) costs an additional ¥50,000 – ¥150,000 per month.
For small businesses, the realistic option is EDR combined with a managed SOC. It is overwhelmingly cheaper than hiring dedicated security staff in-house: you outsource 24/7 monitoring, it does not depend on any one individual, and it does not stop when the person responsible leaves.
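The difference between “matching bytes” and “matching behavior” that the sections on thinking malware and on EDR describe is easiest to see on telemetry. The script below is an added example for this article, not the page’s code and not any EDR product’s logic. It runs two detectors over a constructed event stream in which a phished accounting PC launches a freshly generated payload and then sweeps the flat network: a hash blocklist (the signature approach) and two behavior rules (a mail client spawning an interpreter; one host fanning out to many peers on admin ports). Host names, hashes, ports and thresholds are all assumptions made for the illustration.

```python
"""Signature matching vs. behaviour rules on constructed endpoint telemetry.

Added example for the article, not its own code and not a vendor's detection
logic. Every event, hash, host name and threshold below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    ts: int            # seconds since start of the capture
    host: str
    kind: str          # "process" or "connect"
    parent: str = ""   # process events: parent image name
    image: str = ""    # process events: child image name
    sha256: str = ""   # process events: hash of the child binary
    dst: str = ""      # connect events: destination host
    dport: int = 0     # connect events: destination port


# Signature list of previously seen payload hashes. A worm that regenerates
# its code on every hop never appears here.
KNOWN_BAD_SHA256 = {"aa11" * 16}

# Behaviour rule 1: mail/document software should not be launching interpreters.
DOC_APPS = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE", "AcroRd32.exe"}
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe", "python.exe", "bash"}

# Behaviour rule 2: one host fanning out to many peers on admin ports.
ADMIN_PORTS = {22, 445, 3389, 5985}
FANOUT_WINDOW_S = 120
FANOUT_THRESHOLD = 4   # distinct destinations inside the window

# Constructed telemetry. The payload hash is new, so the blocklist misses it.
SAMPLE_EVENTS = [
    Event(10, "acct-pc1", "process", parent="OUTLOOK.EXE", image="powershell.exe", sha256="bb22" * 16),
    Event(15, "acct-pc1", "process", parent="powershell.exe", image="svchost.exe", sha256="cc33" * 16),
    Event(20, "acct-pc1", "connect", dst="factory-plc1", dport=445),
    Event(35, "acct-pc1", "connect", dst="factory-sensor7", dport=22),
    Event(50, "acct-pc1", "connect", dst="file-srv", dport=445),
    Event(61, "acct-pc1", "connect", dst="hr-pc3", dport=3389),
    Event(70, "acct-pc1", "connect", dst="cloud-backup", dport=443),
    # Normal activity on another host: one RDP session and a shell from Explorer.
    Event(80, "it-pc1", "connect", dst="file-srv", dport=3389),
    Event(90, "it-pc1", "process", parent="explorer.exe", image="cmd.exe", sha256="dd44" * 16),
]


def signature_alerts(events):
    """The antivirus view: alert only when a hash is already on the blocklist."""
    return [f"{e.host}: known-bad hash {e.sha256[:8]}..." for e in events
            if e.kind == "process" and e.sha256 in KNOWN_BAD_SHA256]


def behaviour_alerts(events):
    """The EDR view: alert on what processes do, regardless of their hash."""
    alerts = []
    for e in events:
        if e.kind == "process" and e.parent in DOC_APPS and e.image in INTERPRETERS:
            alerts.append(f"{e.host}: {e.parent} spawned {e.image}")
    # Sliding window over admin-port connections, per source host.
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "connect" and e.dport in ADMIN_PORTS:
            by_host[e.host].append(e)
    for host, conns in by_host.items():
        for i, start in enumerate(conns):
            window = [c for c in conns[i:] if c.ts - start.ts <= FANOUT_WINDOW_S]
            targets = {c.dst for c in window}
            if len(targets) >= FANOUT_THRESHOLD:
                alerts.append(f"{host}: admin-port fan-out to {len(targets)} hosts in {FANOUT_WINDOW_S}s")
                break
    return alerts


if __name__ == "__main__":
    print("signature:", signature_alerts(SAMPLE_EVENTS) or "nothing")
    print("behaviour:", behaviour_alerts(SAMPLE_EVENTS))
```

The blocklist returns nothing, because the payload’s hash has never been seen; the behavior rules fire twice on the same stream, and neither rule needed to know anything about the payload. This is also why the fan-out rule is worth tuning to your own network: an IT administrator who legitimately touches a dozen machines a day will need an exception, and that tuning is part of what a managed SOC does for you.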
3. Control: Network Segmentation and Zero Trust [Monthly ¥30,000 – ¥80,000]
Adaptive worms expand damage through “lateral movement.” If the internal network is flat (all connected), an infection of one device can lead to total compromise.
- UTM (Unified Threat Management) with VLAN segmentation or micro-segmentation: ¥30,000 – ¥80,000 per month.
- First, eliminate the situation where the accounting PC and the factory IoT sensor are on the same network.
There was a real case in a regional manufacturing company where an intruder accessed the internal network through a factory temperature sensor (IoT). The excuse of “we are not an IT company” no longer holds.
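How much a single compromised sensor can reach is something you can compute from your own inventory and firewall allow-list before buying anything. The script below is an added example for this article, not code from the page or from any UTM vendor: it models hosts on VLANs and an allow-list of (source zone, destination zone, port) rules, then walks the hops a worm could make over typical lateral-movement ports. The inventory, zones, rules and port list are constructed assumptions; the rule format is an abstraction of what a VLAN ACL expresses, not any product’s syntax.

```python
"""Lateral-movement blast radius under a flat vs. a segmented network policy.

Added example for the article, not its own code. HOSTS, the policies and the
port list are constructed; the (src_zone, dst_zone, port) rule format is an
abstraction, not a vendor's ACL syntax.
"""
from collections import deque

# Constructed inventory: which VLAN each host sits on.
HOSTS = {
    "acct-pc1": "office", "acct-pc2": "office", "hr-pc3": "office",
    "file-srv": "servers", "erp-srv": "servers",
    "factory-sensor7": "iot", "factory-plc1": "iot", "camera-2": "iot",
}

# Ports a worm typically uses to hop between machines (assumed set).
LATERAL_PORTS = {22, 445, 3389, 5985}

ANY = "*"

# Flat network: one VLAN, everything can talk to everything on any port.
FLAT_POLICY = {(ANY, ANY, ANY)}

# Segmented: office PCs reach the servers; only the ERP server polls the
# sensors, one direction, on its collection port; nothing else crosses zones.
# This models micro-segmentation: even same-zone traffic needs a rule. On a
# plain VLAN, hosts in the same VLAN talk freely, so add a ("zone","zone",ANY)
# rule per zone if that is what your switch actually enforces.
SEGMENTED_POLICY = {
    ("office", "servers", 445),
    ("office", "servers", 443),
    ("servers", "iot", 502),    # Modbus/TCP collection, server -> sensor only
    ("office", "office", 445),  # peer file sharing; remove once it moves to file-srv
}


def allowed(policy, src_zone, dst_zone, port):
    """True if any rule permits src_zone -> dst_zone on port (ANY matches all)."""
    return any(s in (ANY, src_zone) and d in (ANY, dst_zone) and p in (ANY, port)
               for s, d, p in policy)


def blast_radius(infected, hosts=HOSTS, policy=FLAT_POLICY, ports=LATERAL_PORTS):
    """Hosts a worm starting at `infected` can reach by chaining allowed lateral hops."""
    seen = {infected}
    queue = deque([infected])
    while queue:
        cur = queue.popleft()
        for target, zone in hosts.items():
            if target in seen:
                continue
            if any(allowed(policy, hosts[cur], zone, p) for p in ports):
                seen.add(target)
                queue.append(target)
    return seen - {infected}


if __name__ == "__main__":
    for name, policy in (("flat", FLAT_POLICY), ("segmented", SEGMENTED_POLICY)):
        for start in ("factory-sensor7", "acct-pc1"):
            hit = blast_radius(start, policy=policy)
            print(f"{name:10} from {start:16} reaches {len(hit)} hosts: {sorted(hit)}")
```

On the flat network the temperature sensor reaches every other machine. Under the segmented policy it reaches nothing, because no rule lets the iot zone initiate anything. The same run also shows the residual risk: a phished office PC still reaches the other office PCs and both servers, which is the argument for moving peer file sharing onto the server and dropping the office-to-office rule.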
4. Train People: Phishing Training and Security Education [Monthly ¥10,000 – ¥30,000]
The most common initial entry point for AI worms is still people: someone clicks a phishing email or runs a suspicious file. AI-generated phishing emails no longer give themselves away with the awkward Japanese of the traditional kind. They arrive in flawless business Japanese, impersonating real business partners.
- SaaS-based training tools like KnowBe4 / Proofpoint Security Awareness: ¥10,000 – ¥30,000 per month (for 50 people).
- A realistic operational line includes quarterly simulated phishing attacks with feedback on results.
Total: A Realistic Monthly Range of ¥100,000 – ¥290,000
| Measure | Monthly Estimate (for 50 people) |
|---|---|
| MFA + Password Management | ¥10,000 – ¥30,000 |
| EDR (with Managed SOC) | ¥50,000 – ¥150,000 |
| Network Segmentation / UTM | ¥30,000 – ¥80,000 |
| Phishing Training | ¥10,000 – ¥30,000 |
| Total | ¥100,000 – ¥290,000 |
While I initially mentioned “¥200,000 – ¥500,000 per month,” in reality, depending on the selection and combination of tools, a minimum defense line can be established starting from the ¥100,000 range for a company of 50 people. The key is not to try to do everything at once. Implement MFA → EDR → Network Segmentation → Education in that order, starting with the most effective measures.
The Real Issue is Not ‘Cost’ but ‘Structure’
Having laid out specific costs, I want to discuss a more fundamental issue.
AI has dramatically lowered the cost of attacks. In a world where attacks can be launched for $5, the assumption that “small companies like ours won’t be targeted” collapses. Attackers are not choosing based on “large or small company”; they are choosing based on “how easy it is to breach.”
Moreover, the biggest bottleneck in security measures for small businesses is not the budget but the “who will do it” problem. There is usually one employee who is knowledgeable about IT, and that person handles everything in addition to their regular duties. If that person leaves, it’s over. This is the reality for small businesses in rural areas.
That’s why it’s necessary to protect with a system that does not rely on individuals. Managed SOC, SaaS-based security tools, cloud-based password management. Creating a state where “it can operate even without an expert” is the best defense strategy.
So, What Should We Do?
- What to do today: Enable MFA for all company accounts, and enforce it rather than leaving enrollment optional. Whether it’s Google Workspace or Microsoft 365, you can set it up in 30 minutes from the admin panel. The cost is almost zero.
- What to do this month: Consider implementing EDR. Options include CrowdStrike, SentinelOne, or domestic solutions like LANSCOPE. Choose a plan with a managed SOC.
- What to do this quarter: Review your network configuration. Especially check whether IoT devices and business PCs are on the same network.
- What to do continuously: Conduct quarterly phishing training. Instead of blaming those who “fell for it,” focus on lowering the organization’s overall susceptibility.
In an era where the attack cost is $5, doing “nothing” is the most expensive option. The average damage from a data breach is said to be several million to tens of millions of yen, even for small businesses in Japan. A monthly investment of ¥100,000 in defense can be viewed as inexpensive insurance.
With AI now on the attack side, the defenders must also counter with AI and systems. And this is not just a concern for large corporations. Rather, agile small businesses can implement SaaS-based security tools immediately. They can decide and implement today, unlike large corporations that take three months for approvals. That is the weapon of small businesses.