Make no mistake: cybercrime has become big business. Forbes recently reported that cybercrime costs are projected to reach $2 trillion by 2019. To achieve this level of growth, cybercrime is now organized like big business, complete with a supply chain, middlemen, and sales and distribution channels. This is good and bad news for your organization. The bad news is that there are powerful forces working to steal your data. The good news is that cyber criminals now think in business terms, and you already know how to compete in business. Once you understand the economics of cybercrime, you can reduce your risks from cyber attacks by making your organization an unprofitable target. 

So how does the cybercrime business work? 

The cybercrime ecosystem

Cybercrime is an entrepreneurial game. An article in the International Journal of Cyber Crime notes that, while traditional organized crime organizations are increasingly involved in cybercrime, “Digital technology has empowered individuals as never before.” There is a rich business ecosystem on the dark web for those looking to get in on this growing market, with business training, tools suppliers, franchise-type arrangements, and ready markets. Anyone can learn how to hack or hire a hacker. A quick search on Grams, the dark web search engine, yields thousands of results for everything from Certified Ethical Hacker training for white hat (good guy) hackers to tutorials in the Encyclopedia of Cybercrime, hacker handbooks, and Darknet hacking services for hire. Armed with basic skills, even “script kiddies” (unskilled hackers) can buy exploit kits (software designed to find and exploit server vulnerabilities), download free tools, or lease botnets (networks of malware-infected private computers that are harnessed to mount cyber attacks). Hacking is even available as a service (HaaS). Symantec reports that hacking software and services can sell or rent for as little as $100 to $500, whereas use of a large-scale botnet can cost as much as $20,000. (To put that in perspective, CNN reported that it would have cost Apple more than $100,000 in labor costs to help the FBI hack the iPhone in the San Bernardino mass shooting incident.)

Once the attacker, be it an individual, small group, or crime syndicate, has stolen valuable information, the attacker can sell it anonymously on an ever-changing selection of dark web markets to other criminals who will monetize it. (Ever-changing because, as soon as law enforcement shuts down a dark market, others spring up in its place. But hackers can find a current list any day on DeepDotWeb, the official news site of the dark web.) According to Havocscope, the global black market price guide, stolen credit card info, paid for in untraceable cyber currency such as Bitcoin, can sell for anywhere from $5 to $250 each; email addresses (useful for phishing campaigns) sell for $10 to $15 per thousand; online bank accounts in the U.S. sell for two percent of the account balance, whereas PayPal accounts can net six to 20 percent of the balance; and stolen health insurance information can bring in a whopping $1,300 per record. Price is obviously determined by the value of the stolen information, as well as supply and demand. Since large-scale cyber attacks have become common, the black market has been flooded with stolen credit card information, hence the low price.

ROI in cybercrime

Like any other business, the cybercrime business looks at return on investment. A 2016 study by the Ponemon Institute surveyed hundreds of U.S. experts involved in the threat community, under conditions of anonymity, to find out how cyber attackers view their business. The study found that technically proficient hackers spend an average of $1,367 for specialized attack toolkits and that successful attacks yield average revenue of $14,711. The Ponemon survey results suggest that the average attacker mounts around eight attacks a year, about a quarter of which are successful, yielding income of just under $29,000 a year for an individual hacker, or about $40/hour. While not a whopping salary, you have to realize that a) these people average less than 100 hours per attack so this typically supplements a day job, b) many of them live in countries where $29k buys a lot more than it does in the U.S., and c) this is an average, so some make a lot more. Hackers also limit where and how often they attack in order to stay under the radar of law enforcement. 

Now consider the economics of this from the attacker’s perspective. If only about 25 percent of attacks are successful and they can only do about eight per year, then the average return per attack is less than $4,500. Which means that hackers can’t afford to spend time attacking a system that’s either hard to breach or doesn’t yield information that will fetch a good price on the black market. And the results of the Ponemon study confirm that: More than 60 percent of hackers will move on if an attack doesn’t yield results within 40 hours.

A recent report by HP confirms that cyber criminals are looking at the bottom line, observing that “hackers have become almost corporate in their behavior,” in that they tend to weigh costs, effort, and risks. For example, organized crime has the budget and resources to deploy expensive botnets, so it can mount large-scale phishing scams and use stolen credentials to steal high value information, in the process providing employment for phishing specialists, botnet creators, and other skilled workers in the cybercrime value chain. Individual hackers may target smaller, cheaper-to-attack, but lower yield targets, perhaps stealing financial information from a smaller, less well-defended business.

Compete to protect

In a sense, you’re in competition with cyber criminals for the security of your data. But while the average cyber attacker stands to make a few thousand dollars per attack, the average cost of data breach to a U.S. business has risen to $7 million, according to Ponemon’s 2016 Cost of Data Breach study. So you have a lot more to lose than they have to gain.

But thinking of cybercrime as a business gives you one more weapon in your defense arsenal. In addition to taking stock of sensitive information you have, you can plan your defense spending around what thieves are most likely to go after and how. The next installment of this series will look at cybercrime by industry, both at how attacks are staged and what data is most likely to be stolen.
