The Real Reason Why Cybercriminals Steal
Legend has it that when Willie Sutton, a prolific bandit in the US during the Depression era, was asked by a reporter why he robbed banks, his response was, “Because that’s where the money is.” Mr. Sutton was so good at robbing banks that one biographer estimated he committed over 100 bank robberies and stole over $27 million in today’s dollars.
When I think about how much money Mr. Sutton stole and the number of robberies he committed, I can’t help but think of the similarities to the state of cybercrime today. Data is highly valuable, whether it is stolen or held for ransom. Cybercrime is also rampant, and the data held by IT is in many cases incredibly easy to steal.
Part of the problem lies in how companies value data assets. The other part is how we protect those assets. On the valuation side, organizations tend to think in terms of the cost of a breach, loss of business, or loss of reputation. Cybercriminals, on the other hand, value stolen data or data held for ransom in different terms.
A recent study published by Dell SecureWorks pegged the value of various types of business and consumer data. Here are some quick numbers:
- Banking credentials – 1% to 5% of the account balance
- Corporate email account credentials – $500
- 300,000 airline points – $90
- American Express card – $30
At the same time, cyber extortionists are demanding $600 to $1800 for encryption keys to unlock data held for ransom.
The value of individual items may sound trivial, but if you put them into the context of data volume, there’s an awful lot of money to be made in cybercrime. Consider a company which employs about 70,000 people. If a hacker got into their provider’s online travel system and stole 70,000 credit cards at $30 a card, the value of the cards to the broker would be around $2.1 million. The purchasers of the 70,000 credit cards could have netted $128 million in fraudulent charges, based on an average loss of $1,830 per card according to FBI 2014 statistics.
Understanding the nature of the crime can help us construct appropriate defenses.
IT organizations need to adapt their security approaches to address emerging threats such as cyber destruction, cyber extortion, or blackmail. In the past we focused on protecting ourselves from the outside world with protection technologies such as firewalls, DMZs, VPNs, and access controls. However, many of today’s new threats are unleashed on the inside: disgruntled employees, malicious Internet sites, and phishing, spear phishing, and whaling emails that release malware on the inside of IT’s perimeter defenses.
These emerging threats are rocking many organizations. Cybercriminals seem to stay a step ahead with new malware variants and encrypted viruses, while regulatory agencies are drafting new rules describing how we need to protect and test our protection schemes.
Oh, before I forget: the real reason that cybercriminals steal and hold data for ransom is, to paraphrase Mr. Sutton, “because that’s where the money is.”
So how are we going to slow down cybercrime? With vigilance, better approaches to security, and improved crime fighting techniques, the likes of Willie Sutton, Al Capone, Bonnie and Clyde, John Dillinger, “Pretty Boy” Floyd, and “Baby Face” Nelson were pretty much put out of business by the end of the late 1930s. We in IT, too, have hope that with vigilance, better approaches to cyber security, and improved cybercrime fighting techniques, we will soon be able to put an end to the cyber plagues that seem to engulf us.