Time to Push Back Against Emboldened Cybercriminals

Author: Barbara N. Wabwire, CISA, MBA, BIT, Business-IT Consultant
Date Published: 6 October 2021

There is no question about the growing profitability of cybercrime, whose global cost is estimated to reach US$10.5 trillion annually by 2025. With that much money at stake, the question is not whether you will be targeted but when. The late Pablo Escobar, who at the height of the Medellin cartel’s prominence is alleged to have controlled 80% of the world’s multibillion-dollar cocaine trade, would have jumped at the opportunity to take even a small piece of this pie. A 20% share would have given the cocaine czar a fortune three times the size of the one he held in the late 1980s. That is how profoundly lucrative cybercrime is projected to become.

According to a report by Cybersecurity Ventures, “Cybercrime is more profitable than the global illegal drug trade. Cybersecurity Ventures predicts global cybercrime costs will grow by 15 percent per year over the next five years, reaching US$10.5 trillion annually by 2025, up from US$3 trillion in 2015. This represents the greatest transfer of economic wealth in history.”

It’s easy to see why the incentive to commit cybercrime is high. Stolen PII (Personally Identifiable Information) fetches a high price in underground markets on the dark web, and the “fresher” the data, the higher the price it commands.

Data breaches in the news
An internet search for data breaches and hacker news will return only a limited list of cyberattack victims. The list is limited because there appears to be a culture, or code, of silence among fiduciaries, banks, financial institutions, law firms and hospitals. Still, hourly, daily and weekly news flashes carry reports of cyberattacks and data breaches, and unsecured databases and PII regularly land in the hands of hackers. Some recent high-profile data breaches that made the news include:

  • The exploitation of four zero-day vulnerabilities in on-premises Microsoft Exchange Server, which had been reported to Microsoft in January 2021. According to Tom Burt, Microsoft’s Corporate Vice President, Customer Security & Trust, the attacks were attributed to a state-sponsored threat actor that the Microsoft Threat Intelligence Center (MSTIC) identified and named Hafnium.
  • TIO reports on the publication of personal data belonging to over 533 million Facebook users. The exposed data ranged from phone numbers, Facebook IDs, full names, locations, birthdates and bios to, in some cases, email addresses. Unfortunately, this is not the first time the personal information of Facebook users has been leaked.
  • Microsoft-owned social network LinkedIn saw data from roughly 500 million user profiles put up for sale by cybercriminals. According to Business Insider, a LinkedIn spokesperson confirmed that the data had been scraped from publicly viewable LinkedIn profiles and combined with data aggregated from other websites and companies. Scraping of public profiles is not a compromise of LinkedIn’s own systems, but the resulting aggregated dataset is just as useful to criminals for targeted phishing and identity theft.

When entities subscribe to a code of silence and choose not to disclose the details of a breach, the people whose data was exposed cannot take corrective action such as changing credentials or monitoring their accounts. In this way, the victim organizations inadvertently aid crimes like fraud, money laundering, currency counterfeiting, extortion and identity theft.

Data protection: Who is responsible?
Data privacy laws across jurisdictions generally place the duty of protecting data on the entity that collects, processes, stores and uses it. In the event of a data breach, regulators prescribe fines and penalties.

However, the risk of long-term reputational damage, or even business collapse, looms even larger. In the case of the Panama Papers, the law firm Mossack Fonseca shut down operations two years after the massive leak of its clients’ financial and legal data. By some accounts, affected entities are still suffering the effects of the unauthorized release five years after the fact.

Fighting back against cyber fatigue
So, what can we do about this harrowing outlook? The security threat landscape calls for concerted efforts and initiatives from enterprise security teams and organizations as a whole. The cyber fatigue that permeates cybersecurity teams and boardrooms needs a counteragent if organizations are going to put up a fight against hackers.

The firefighting approach to reacting to new threats needs to be overhauled so that cybersecurity is embraced not only as a defensive strategy but as a competitive advantage. Cybersecurity as a service is slowly gaining traction among small and medium-sized companies as a way to achieve a more robust security posture. Gartner Inc.’s prediction that by 2025, 40% of boards of directors will have a dedicated cybersecurity committee reflects the present business terrain and its cybersecurity challenges.

There is also a need for expanded global collaboration. Just as international narcotics law enforcement was set up to deal with prominent cartels, the increase in state-sponsored cyberattacks calls for the enactment of global norms and laws that regulate, and strengthen the penalties for, cyberattacks and cyber espionage. Suffice it to say that even with stronger legal enforcement in place, you ought not to leave your windows, front door and back door unsecured. To paraphrase the late screenwriter Robert Sherwood’s observation: the instinct to condemn the theft of an idea (or of PII) is somehow not as strong as the instinct to condemn the theft of a pen (or, worse still, the theft of a gram of narcotics).