Conservative estimates show cyber-criminal revenue worldwide of at least US$1.5trn to date— equal to the entire GDP of Russia.
To put that into perspective, if cybercrime was a country, it would have the 13th highest GDP in the world.
As the walls between the criminal and legitimate worlds are blurring, we are no longer simply dealing with “hackers in hoodies”. Today, cybercrime revenue often exceeds that of legitimate companies—especially at the small to medium-sized enterprise (SME) level. In fact, revenue generation in the cybercrime economy takes place at a variety of levels, from large “multinational” operations that can make profits of close to US$1bn to smaller “SME-style” operations where profits of US$30,000-US$50,000 are the norm.
Tracing the root of cyber-criminal revenue
In reality, the scale and reach of this issue is an inevitability that has been developing ever since the conception of the internet. Of course, this is a classic case of criminals being criminals, but it has just as much to do with the techno-utopianism of the people who were involved with connecting every person and computer on the planet, and the unanticipated consequences of this. The internet itself was designed without the assumption that anything would be hostile on it. And with everything connected using the same networking protocol, every cyber-criminal on earth is now your neighbor in a way that they weren’t previously. It’s concerning to imagine a criminal physically close-by, but the reality is actually far graver. A business’s physical security is targeted relatively infrequently by criminals, and even then there are security guards or even police in place to defend against malicious outsiders. In the cyber world, your defenses are subject to constant attacks, and the only human standing in the way is an ordinary employee.
Cyber-criminals: a new breed of entrepreneurs
The problem today is also that cyber-criminals are true businesspeople, and the majority of organizations don’t see the threat in this way. To be able to defend against these attacks we need to understand the scale of what we’re facing. Yes, the threat has been developing over many years, and it has been a long time coming. However, in recent years we have seen these cyber-criminal enterprises scale and globalize faster than any legitimate business could ever hope to, and it warrants a deep investigation.
Cyber-criminals follow the money, and in many ways, they have grown and scaled by adopting similar structures and following the same economic models as the legitimate business world. The criminal underworld has evolved towards all the hallmarks of a capitalist economy that Adam Smith would have identified 300 years ago. Cyber-criminals are keen to innovate their offering and move with the times, like any successful business. They can find their niche in the market, capitalize on trends, and spend time gaining a deep understanding of how a target business works in order to exploit weaknesses for financial gain.
Endeavor to create a niche
As for the structure of this economy, whether internally within an organization or in relation to the wider market, it all comes down to specialization. Within the wider market, just as we have seen a resurgence of boutique specialist retailers, service providers or technology companies, many cyber-criminal organizations tend to focus on doing one thing well and creating an underground service market around that offering. It may be a Ukrainian gang that has become known for a particularly effective piece of malware or providing a botnet for rent to the highest bidder, for example. The price of malware on the darknet markets has gone right down and almost become commoditized, so cyber-criminals need to find ways to differentiate to find continued success.
This brings us on to a slightly different but equally fascinating vertical structure within some of the largest and most successful cyber-criminal organizations. These more closely resemble the big multinationals of the legitimate business world and will have a business-unit like structure with departments for everything from researching human targets on social media, crafting phishing emails, a social engineering call center, graphic designers and an entire recruitment department. We’ve seen examples of these in Nigeria becoming staggeringly successful in infiltrating email accounts and making significant financial gains in social engineering-based wire transfer fraud, a far cry from the rudimentary Nigerian prince spam scams synonymous with the region. This is a classic example of the labor specialization and the division of labor and capital that has allowed these organizations to grow. Combining this with the level of connectedness and democratized access to technology in today’s world, and it’s easy to see how cybercrime has developed so rapidly into its own global economy.
How does the global cybercriminal economy function?
Cyber-criminals have taken a keen interest in the business processes of legitimate organizations to help their operations scale, but also to be able to find the core weakness to exploit.
Today’s most effective and damaging cyber threats are not the overly sophisticated so-called zero-day exploits cooked up by some beautiful mind in a bedroom somewhere—if that’s all you needed to take down a company or a country, we wouldn’t be where we are now. Even the least technologically advanced cyber-criminal organizations can be brutally effective at extorting money from big organizations with technical defenses in place. Why? Because they know to target people, be it through social engineering or perfectly timed phishing emails, as it is the path of least resistance. The professionalization and human focused-direction of cybercrime have resulted in a stark asymmetry between how attackers think about attacking, and how legitimate organizations think about defending themselves.
Cyber-security is still thought of as a technical discipline, with the focus being on protecting the outer perimeter of an organization of the technology on the network within, rather than protecting the actual people who are being targeted and attacked by cyber-criminals. What is concerning is the extent to which legitimate organizations are on the back foot in this asymmetry of understanding—not to mention the shocking FBI figure that over US$12bn has been stolen by cyber-criminals through people-centric email compromise scams in 2018 alone.
To defend against today’s threats, organizations need to have visibility and understanding into who within their business is being targeted, and how. Only then can the appropriate people-centric security measures be put in place to protect them and the business. By truly understanding the enemy and the threats, businesses that implement the right defenses can not only protect their reputations but play a crucial role in disrupting the global tide of criminality.