Corporate cybercrime is a cottage industry, but it’s one that’s clearly on the rise. Cybercriminals are getting more sophisticated and organized by the day, and their goals are broadening from disrupting companies to profiting from them.
A large part of why the corporate hacking industry is developing at such a rapid pace is that, at the moment, it’s low-risk, low-cost and high-gain.
Billions Lost Every Year
Research shows that corporate cybercrime is currently costing global businesses billions of dollars annually, and the numbers are only getting bigger.
Those costs come in the form of prevention efforts as well as cleanup. When companies have a security breach, they tend to lose money directly as a result of the breach (i.e., money that goes to the hackers, as in the theft of credit card numbers).
But they also lose millions in the form of lost customer trust and lost future opportunities, including from intellectual property theft and the subsequent drop in market competitiveness. Many companies have found it hard to stay afloat after high-damage security breaches.
A Low-Cost Venture
While the losses to businesses are in the billions, the costs to hackers are minuscule by comparison. And those costs are going down, not up.
Rising business expenses come as the cost to hackers themselves is plunging, thanks to a proliferation of botnets that make launching DoS [denial of service] attacks cheap and simple, [as well as] the easy sharing of tools and exploits on “dark net” forums and marketplaces.
According to cybersecurity firm Incapsula, the price of launching a DoS attack has plummeted to just $38 per hour. By comparison, “the real-world cost of an unmitigated attack is $40,000 per hour” for businesses.
Meanwhile, for companies the costs are only rising – both in terms of the money they have to spend to protect themselves and the money they end up losing if they don’t protect themselves enough.
Cybercriminals don’t have to incur a lot of risk because so few of them are caught, and they don’t have to spend a lot of money because cyber attacks are relatively cheap these days. It’s the complete opposite for companies, which take on huge risk and have to spend a lot of money if they ever have a breach. The real danger for companies is if they underestimate their risk.
– Kirk Porter, President of Avitus Technologies
Corporate hacking is still a relatively low-risk enterprise. Let’s just say it’s not like robbing a bank.
For one thing, companies don’t usually know they’ve been hacked until long after the fact. A hacking scheme could take place in the spring but the company might not realize it until the fall.
That kind of delay isn’t always the case, of course, but it is never the case with a bank robbery. The bank knows it’s happening either while it’s still happening or immediately afterwards.
The Federal Bureau of Investigation (FBI) reports that there were around 5,600 bank heists in the U.S. in 2010, with about $43 million taken.
In 22 percent of those cases, authorities managed to recover some or all of the money taken – about $8 million. Of the 6,750 or so robbers believed to be involved in these cases, authorities were able to identify 49 percent of them.
Compare those statistics to corporate cybercrime. In 2010, over 300,000 victims lost $1.1 billion to cybercriminals, according to the FBI. In 2014, those numbers were around 270,000 victims with a total of just over $800 million.
Yet hardly any of the perpetrators are going to jail. Of the 300,000 complaints in 2010, the FBI was only able to bring just over 1,400 criminal cases forward and, of those, achieve only 6 convictions, according to InfoWorld.com.
The Center for Strategic and International Studies (CSIS) reports that cybercriminals are getting better and better at monetizing the information they steal and, because there’s not much risk, cyber attacks will only increase.
The Most Profitable
Some of the most profitable hacks have occurred in the financial industry, where hackers acquire inside information and use that information to make money on the stock market.
If hackers can get inside bank networks, they can access accounts and steal funds, either all at once or bit by bit so they go unnoticed. If hackers get wind of sensitive business information like plans for mergers or quarterly reports, they can use it to achieve gains in the stock markets.
If they can get into the databases of central banks or ministries of finance, they can see information on interest rates and entire markets before anyone else does.
In a high-profile example of this, an international ring made over $100 million from insider trading based on information gained through cyber attacks.
According to the Washington Post, 30 hackers and traders in various countries got their hands on over 150,000 press releases before they were published.
They used the information – on companies like Boeing, Bank of America and Home Depot – to make quick trades. They sent the gains to offshore accounts and phony companies in Macau and Estonia.
The “brazen scheme…was unprecedented in terms of the scope of the hacking, the number of traders involved, the number of securities unlawfully traded and the amount of profits generated,” SEC Chair Mary Jo White said Tuesday at a Newark news conference alongside Secretary of Homeland Security Jeh Johnson. “The traders were market-savvy, using equities and options…to maximize their profits.”
A Growth Industry
While corporate cybercrime is still a cottage industry, it’s gaining in sophistication all the time. Today’s corporate hacks aren’t heavy-handed attacks by teenagers. They’re subtle and sophisticated endeavors undertaken by complex criminal organizations with broad-ranging expertise, hierarchies and well-developed tactics and goals.
And, unfortunately, while the risks and costs remain low for cybercriminals, we can expect to see the number of corporate cybercrimes continue to rise.