Cyber crooks have their own economy, and your data’s probably part of it

Consumers, companies need to secure all channels of risk—cloud, mobile, networks


There’s no smashed glass or muddy footprints outside the window to tell you how cyber crooks broke into your business.

Maybe they duped you or an employee into clicking an email link or attachment containing malware that let intruders access customer data.

Perhaps an unwitting employee brought malware into the workplace on their personal phone or tablet, which was then passed on to the corporate network via the company Wi-Fi.

Malware could even spread from phone to company within an instant messaging app.

According to Professor Alan Woodward, a leading cybersecurity expert at Surrey University, U.K., and co-author of a new report “Hacker-nomics: Introducing the Dark Web,” something as innocuous as using consumer instant messenger apps like WhatsApp or Facebook Messenger in the workplace can be a route for covertly exfiltrating sensitive data.

A whole supply chain has grown up around stolen data, according to the report. Highly personal details of ordinary customer lives are simply a commodity to be trafficked.


Supplies of personal data are so abundant that prices are falling.

In April 2016 it was reported that U.S. credit card details—card numbers, account names and CVV security digits—were selling on the Dark Web for $21 each. Their value falls quite steeply, and within just a few hours they would have fetched even less.

Likewise, active accounts for the taxi service Uber reportedly sold in bundles of 100 accounts for $54.

And when the hacker supposedly behind the breach of millions of Twitter and LinkedIn account details was interviewed by Wired magazine, he or she revealed that only about $15,000 was paid for each batch.

Complete dossiers of information, covering names, addresses, National Insurance details, as well as financial records—known as “fullz”—fetch a bit more.

These are gathered by consolidators—intermediaries in the supply chain—who assemble pieces of hacked data into more complete records.

Consolidators operate in a legal gray area—exploiting cross-border data protection differences. Indeed, only about 100 countries have any form of data protection laws at all.

Even the price of fullz is falling, Woodward says, down from $50 each to $10-15 in recent years.

So who are the people buying the stolen data on the Dark Web? Criminals looking to profit from what’s been stolen are the final link in the supply chain. They either approach the victim asking for a ransom to be paid, or they simply try to make fraudulent transactions and bank transfers from the compromised accounts. By one estimate, the return on investment of acquiring stolen data is 1,425 percent.

To the hacker, a victim is just a statistic—one in a hundred, thousand or million compromised records. But individual customers whose data is compromised feel the intrusion into their lives deeply. As retribution, they will expect the enterprise to pay dearly for letting any breach take place.

The challenge for enterprise is to lock down all sources of risk—network, cloud and mobile.

That means educating staff about the dangers of clicking suspicious links, and it means taking a holistic approach to cybersecurity.

If Bring Your Own Device (BYOD) is bringing clear business benefits, then consider adopting a business-oriented app for team collaboration that has security baked in. For the last word on managing the risks we return to Professor Woodward. His advice for enterprise: Check everything; use systems to spot suspicious behavior in real time; and equip IT operatives to take preventative action.
