Cyber crime is a growing industry
Cyber security has been a growing industry for many years now. From the first forays into Internet communication and the rise of e-commerce, mobile devices, cloud computing and social media – there has been a steady stream of technological advancements and a growing regulatory imperative to drive continued growth in investment in security as these new ways of doing business – digital transformation – have changed the risk profile.
In parallel, the cyber crime industry has also grown and matured – the rise of technology and the growing reliance on IT systems and networks for the storage, use and access to data has presented them with further opportunity to make (or steal) money or access (or steal) information and more in the way of sophisticated tools with which to do it.
Cyber criminals have had their own digital transformation, and it has been no less disruptive.
Cyber crime is more sophisticated
There are almost too many case studies and examples of advanced cyber attacks, too many research papers into the organised natures and advanced attack methodologies of APT groups, and too many news stories of large well-funded, technologically advanced organisations being found wanting when it comes to their level of security defences.
In many respects the degree of intelligence, organisation and professionalism has tracked the increasing reliance and ubiquity of IT systems that modern businesses deploy. If business can create applications to provide services to users, attackers can attack them; if businesses can use cloud platforms to make their business more flexible, attackers can target these or indeed use the same sorts of technology to mount powerful and flexible attacks. If businesses can create a network of services providers, outsourcers, specialists and international delivery teams; cyber criminals can form the same sort of web of specialisms and commission their services to create diverse and powerful networks of support for their own “businesses” – cloud-based hosting of DDoS attacks, malware on demand, discovery and sale of zero-day exploits etc.
The other factor that has pushed forward the cyber attacker/cyber criminal industry is the increasing rise of state sponsored attacks and attack networks, both those that are specifically geared towards the aims of states themselves or just those that weaken the delivery capabilities of other countries or sap value/intellectual property or personal data from the enterprises that exist in those countries that are considered targets.
This has, as has been widely reported, extended beyond just cyber attacks to the widespread use of propaganda and social media to exert influence and achieve socio-political goals ranging from influencing elections to destabilising society.
In short, there is just as much innovation, inventiveness and organisation on the side of the cyber criminal as there is within a legitimate business.
Cyber crime is more profitable
One other driver behind the increasing volume, prevalence and sophistication in cyber crime is that the money involved has leapt and at a global level now is reported by Interpol to be worth billions of dollars.
This much money attracts more than just amateur hackers and script kiddies – it is well into the sort of territory where organised criminal networks want a slice of the action.
In terms of costs (i.e. the costs to business and governments – rather than the profits made by cyber criminals) the figures are eye watering. A report by Cyber Security Ventures puts the figure at US$6trillion by 2021. Even if that is one or two orders of magnitude out, it’s a significant amount of money.
The rewards for cyber criminals are just as voluminous. Reports put the income potential from a career in cyber crime as high as US$2m for an individual at the top of their game, and above average graduate salaries even at a very low level.
The value of the cyber crime industry is estimated as US$1.5tn here.
As the saying goes: “A billion here, a billion there, pretty soon you are talking real money”. Cyber crime is way past those levels. Real money indeed.
Unless it is bitcoin, but that’s another story.
Cyber crime is more ubiquitous
Put simply cyber crime affects everyone. There used to be (many years ago now) a perception that only banks, governments and high profiles businesses were truly at risk and that most companies would probably avoid the worst antics of cyber criminals if they had a fair level of defences in place.
Now there is financially useful information and personal data everywhere, and the rewards from ransomware can come from any type of system (whether it holds sensitive/valuable data or not) – even if it is just family photos (a big driver for home users to pay ransoms). So revenue for the attacker can come from a workstation in a large bank, a one-man-band sole trader or even an individual.
The threat covers banks, government, critical national infrastructure, telecommunications, social media platforms, retailers, on-line news and services providers, newspaper and even charities.
Cyber crime: Growing, Growing, (not) Gone?
So cyber crime is getting more sophisticated, more lucrative, more flexible and more global. It has a potent blend of innovation drivers and it is unshackled by the working constraints of enterprises and governments who have to operate within the law, pay taxes, respect regulators, be ethical and act in the best interests of employees, customers, citizens and shareholders.
One shouldn’t be defeatist about this however, there is innovation and technology/process/people who are on the side of the potential cyber crime target (or victim). Whether it is governments, the intelligence community, national security agencies, law enforcement bodies or consulting/service/product providers. Even the community itself has more to gain in a competitive marketplace by working together to share intelligence on cyber threats than it does waiting for the competition to fall victim to them – and this is now increasingly recognised.
It does mean that cyber crime is not a threat that can be ignored. A good level of cyber defence, an ability to detect and respond to attacks and ever developing knowledge and awareness amongst technical teams, manager and staff/users has never been more important.
One thing is certain: Cyber crime is not going away!