We evaluate things on the basis of risk versus reward all the time. Enjoy that cupcake now, but risk a feeling of guilt afterward. Make a dubious investment in a startup, but hold out for the possibility that it’ll pay off down the line. Go to the casino with two weeks’ pay in hand, knowing full well that you may walk out empty-handed.
In the game of assessing risk vs. reward, history tells us that the most consistently successful people are those who staked out a firm middle ground – i.e. taking measured risks as a matter of practice. This principle certainly holds true for, say, retirement savings: If you take no risk at all and keep your money liquid, it will actually lose significant value over time due to inflation. But if you funnel all your savings into one particular sector – like energy – then you risk even greater losses. The profitable middle ground, therefore, is to invest in funds that trace broad markets.
But in terms of risk vs. reward, there’s one thing pretty much everyone can agree on: High-reward, low-risk situations are extremely rare. And yet these days, the criminal practice of hacking might just qualify. That’s because cyber criminals are currently operating in a world where they’re seemingly always one step ahead of the authorities bent on nabbing them. As a result, most of their deeds go unpunished. Their earnings potential, on the other hand, is massive.
Take a look at this ROI
Businesses of all sizes make investments in the hope of getting a return that exceeds the amount invested. Individuals do it too, whenever they choose an investment vehicle. For the average investor in large company stocks between 1926 and 2009, the yearly ROI averaged around 10 percent, as Fox Small Business News reported. For individuals and businesses, that’s not a bad number at all. But it absolutely pales in comparison to the potential ROI figure for cyber crime: 1,425 percent.
That massive number comes from a recently released industry report, which was covered by DARKReading’s Sara Peters. Not incidentally, the cyber crime sphere has shifted its focus in recent years to attacks that have the greatest earnings potential possible. While attention-grabbing hacks are still lucrative for cyber criminals, many are fine spending their time on low-level hacks that provide a steady flow of capital.
But how exactly are cyber criminals able to enjoy such a monstrous ROI? It starts with the simple fact that infectious virtual strains are easy to come by, and cheap for purchase. Traditional notions of cyber criminals suggest that they’re all highly computer savvy, and that they develop their own malicious strains using their coding prowess. While this is true for some hackers, there are many others out there who don’t fit the mold of the criminal programmer. Instead, they’re just individuals who buy malicious strains on underground markets.
In December 2014, for instance, a security company in Ohio uncovered a malicious strain called LusyPOS that was being advertised for sale on an underground site. At the time, LusyPOS was notable because its design was similar to the point-of-sale malware that struck retail giant Target – an attack that compromised private data for more than 100 million customers. To sum up the monetary damage of the Target attack is no easy feat, since it had such widespread consequences. But one got a sense of the number in February 2015, when the company released its fourth quarter 2014 finances, revealing $162 million in costs that were tied to the breach. Now compare that $162 million to the amount it would cost a hacker to buy the LusyPOS strain: A mere $2,000. When you compare numbers like that – the cost of the means of attack versus the monetary damage it can do – you begin to get a sense of why hacking is such a lucrative business.
A thriving criminal marketplace
As security industry executive Charles Henderson pointed out to DARKReading, the cyber criminal black market works a lot like any other place: There’s merchandise for sale, and prospective buyers peruse the (virtual) aisles before deciding on a purchase.
“The black market is very transparent,” Henderson said. “You can look for a good deal … just as any mercantile or purveyor of goods.”
The transparency of the underground market, coupled with the highly publicized profit potential of cyber crime (Peters’ article for DARKReading is only one of many that points to the massive cash-in prospects for hackers), is creating a situation where more and more amateurs are clamoring for malware purchases in the hope of launching their own attack – and with it an easy payday. Once the domain of tech whizzes, hacking has expanded to encompass the petty thief, too. In the U.K., for instance, authorities are being confronted with a growing number of ransomware attacks which take a person’s computer hostage and will only restore access when a ransom is paid.
These attacks, as Al Jazeera pointed out, are often conducted by amateur hackers leveraging online tools. Yet for all the amateur cyber criminals out there who are pocketing petty change, there are also plenty of hacker high rollers – tech-savvy criminals who have learned to turn cyber crime into a source of personal wealth. Yet for all the money that’s being made off cyber crime, the ability of law enforcement officials to nab hackers is severely lacking. For those looking into cyber crime, therefore, many rightly see it as a low-risk activity.
Why aren’t we up to par with cyber policing?
As Trend Micro’s Chief Cybersecurity Officer Tom Kellermann told TIME back in 2012, street crime has experienced a decline recently. But in the cyber realm, as Kellermann pointed out, the exact opposite is true: The sector is surging. Spurred by the easy acquisition of malicious strains, the relative ease of carrying out attacks, and the small likelihood of capture, hackers look to cyber crime as a virtual gold rush – everybody wants a piece of it. With the massive increase in virtual crimes of late, the question arises as to why authorities aren’t doing more to hold cyber criminals accountable – and how this can change moving forward.
In a 2012 report released by the National Crime Prevention Council, the group asserted that cyber crime is as much a problem as physical crime, and its consequences can be just as severe. But the particular nature of cyber crime – including the fact that it is typically carried out remotely and that its perpetrators can retain anonymity – creates a situation in which virtual criminals can avoid getting caught.
“By virtue of the tools being used today to commit cyber crimes, criminals are now more anonymous and provided with a virtual market of available victims,” the report stated.
While almost all law enforcement agencies agree that the policing of cyber crime is a growing priority – and something that deserves central attention – the question of how police should adapt to target the virtual criminal sector is still very much up for debate. According to a 2014 report by the Police Executive Research Forum entitled “The Role of Local Law Enforcement Agencies In Preventing and Investigating Cybercrime,” the policing of hacking “creates jurisdictional problems, because the perpetrator often lives thousands of miles away from the victim,” stated Chuck Wexler in the report. And as Wexler added, there’s also a flaw in how cyber criminals are being targeted, since most of law enforcement is focusing on nabbing the large-scale cyber criminals, thereby allowing the lower-scale perpetrators to commit their illegal acts without fear of capture.
“The FBI, Secret Service, and other federal agencies are focusing their limited resources on the largest cases,” Wexler wrote. “Cyber crimes involving losses of $500 or less are often considered too small even for local police to investigate, much less federal agencies, because of the jurisdictional issues and other challenges. Many local police executives acknowledge that currently they are ‘behind the curve’ in finding a role for their agencies with cybercrime.”
But for law enforcement, continuing to be behind the curve is only going to make a rapidly growing problem worse. As bank robberies have gone down, the number of complaints reported to the FBI’s cyber division have gone up. With virtual crime spanning so many different sectors, the time has come for law enforcement to step their game up in terms of bringing hackers to justice. But driving down cyber crime is no easy feat, and law enforcement agencies will have to first work to refine strategies for busting virtual criminals before they can even begin to deploy such strategies. In the meantime, unfortunately, the onus of cyber protection lies not with law enforcement, but with the individuals and businesses who may become the next target for hackers.
What users can do to keep cyber crime at bay
We live in a world where a lack of action with regard to virtual protection simply isn’t an option. If, as an individual or a business leader, you have a virtual presence, that’s something that’s immediately vulnerable. But that doesn’t mean you have to be the next victim of a cyber attack. As the NCPC report pointed out, there are defensive strategies everyone can and should take in terms of personal computing to limit the chances of getting hacked. Here are some of those best practices:
- Choose strong and varied passwords: The importance of this step really can’t be overstated. Considering that password theft is one of the most common forms of cyber crime out there, you’d think that people would be more vigilant in terms of creating strong authentication codes. Yet they’re largely not, which gives hackers an easy point of entry into many people’s accounts. Deploying a host of varied, complex passwords is one of the easiest and most effective steps individuals and businesses can take to stave off hackers. The passwords that tend to be the hardest to breach are the ones with the most variety of character types (i.e. letters and numbers and punctuation marks) and the ones that are the most random in terms of their contents.
- Install antivirus software: There’s only so much that you, as an individual, can detect when it comes to hacking. Cyber criminals take advantage of this by unleashing malicious strains that evade your detection, operating in the background of your computer system to extract personal data in the hope of leading to monetary gains. But strong antivirus software does the work that you can’t do by constantly scanning your system for the kinds of anomalous processes that could indicate something malicious is amiss.”Antivirus software is the next line of defense, monitoring all online activity with the intent to protect the system from viruses, other malicious programs, and can be
upgraded to protect against spyware and adware,” the NCPC report stated. “To be safe on the Internet, the antivirus software should be configured to update itself every time the system connects to the Internet.”
- Keep your personal data personal: How often do you receive an email asking for some kind of personal data? Whether it’s your home address or phone number or other information that you’re providing, this is all material that can be leveraged by hackers to compromise your virtual presence. Operating in the safest computing mode possible means being extremely discerning when it comes to which groups you decide to share your information with. Otherwise, the simple act of sharing a phone number can become the means by which an attacker is able to hack you.
There’s no doubt that cyber crime is on a steep incline. For hackers, the practice is largely one with few risks and the potential for big rewards – making it a lucrative criminal enterprise among many. As the field of cyber criminals grows, the need for law enforcement to contain the problem has never been greater. But unfortunately, the cyber crime prevention sector is behind the curve, meaning that the responsibility for protection now falls on individuals and businesses. By taking proactive measures against virtual crime, though, all computing users can significantly limit their odds of attack and pave the way for safer computing.