CEOs really need to stop deluding themselves and understand that their information is worth being stolen. If your data is poorly protected, your business is essentially just setting out gold bars in an unprotected window so that any opportunistic bad guy can come and take what he likes. Some of the “gold bars” are different for each business–perhaps secret recipes for food manufacturers, blueprints for engineering firms, programming code for software developers. Other “gold bars” transcend industry verticals. Every business risks confidential information about partners, sensitive customer data and potential sales leads when they don’t shore up security.
The enormous payouts from such antics have driven cybercriminals to dial up their risk thresholds and their ingenuity levels. “Cybercrime today is targeted, it hits deeply, it tries to be stealthy, rarely making the news, and often those attacks on a damage-per-incident level are 10 to 50 times higher than the costs of things like the Slammer worm and other high-profile attacks we used to see,” says John Pescatore, analyst with Gartner Research. “It’s way higher than what a simple virus used to cost us.”
The cat is out of the bag that all of these data tidbits are worth a considerable amount to competitors and identity thieves—most modern hackers already realize this and are well on their way to figuring out how to steal yours without you even knowing it.
In 2007, the U.S. Government Accountability Office estimated that cybercrime costs the economy $117.5 billion a year. And yet, I still hear CEOs ask, “What would they want with my organization? They’ve got better targets to attack. It’s not like I’m a Fortune 500 company.”
See, it used to be that the bad guys in cybercrime were simple script kiddies, just in it for the rush of defacing company property and getting their props from news reports. Their attacks were meant to be visible, so it was very clear when they occurred. But money changed all of that—hackers saw a dollar sign attached to the technical feats they could accomplish and they switched gears. Nowadays, the crooks are trying to fly under the radar, sneaking in to pillage data stores undetected so they can do it again and again to the same target-rich environments. In poorer Eastern Bloc countries, hacking corporate systems is a job for some people. They go to work and hack American companies for other companies or for well-organized crime rings perpetuating identity theft.
That thinking is all wrong. The thing is that most hackers are smart enough to recognize that smaller companies don’t spend the kind of money and effort securing their information that the big boys do. If you aren’t spending on security, then you become the better target to attack.
Think about it. If I’m a hacker planning to make some money by selling personally identifiable information to an identity thief, who would I rather attack? A large multinational bank that likely has billions of dollars invested in information security? Or a small credit union that probably hasn’t fully secured its systems? It’s like asking a burglar whether he’d rather sneak into a house with unlocked doors or crowbar his way into a deadlocked home. He’ll pick the unlocked house every time.
3. Well-organized & focused cybercriminals
Cybercrime has grown into an extremely mature black market with major players often employing more sophisticated business methods and partnerships than many legitimate businesses. Tom Espiner with CNET News.com wrote a particularly illuminating summary of the cybercrime ecosystem in his article, “Cracking Open the Cybercrime Economy,” published Dec. 14, 2007:
“Hackers can buy denial-of-service attacks for $100 per day, while spammers can buy CDs with harvested e-mail addresses. Spammers can also send mail via spam brokers, handled via online forums such as specialham.com and spamforum.biz. In this environment, $1 buys 1,000 to 5,000 credits, while $1,000 buys 10,000 compromised PCs.
Carders, who mainly deal in stolen credit card details, openly publish prices, or engage in private negotiations to decide the price, with some sources giving bulk discounts for larger purchases. The rate for credit card details is approximately $1 for all the details down to the Card Verification Value (CVV); $10 for details with CVV linked to a Social Security number; and $50 for a full bank account.
Scammers use a variety of ways to launder cash. Compromised bank accounts can be used to launder funds, or struggling companies can be bribed to turn the money into ready cash. Scammers can find businesses with a debt of $10,000, and agree to pay them $20,000 if they agree to cash out 50 percent of the funds. Dedicated cashiers, also known as “money mules,” can also take up to 50 percent of the funds to move the money via transfer services.
Money can also be laundered by buying and selling merchandise on the wider black market. Shipper rings can ship PCs to scammers via intermediaries, which can then be resold.”