Darren Mullins
Darren Mullins

Who isn’t aware of the continuing threat of a cyberattack or a cybercrime? The potential loss in financial, social and reputational cost due to our lack of awareness, preparedness or appetite in addressing the threat of a cyber breach fills countless column inches daily.

With each passing day, new stories hit the news of the latest or most devastating cyber or cybercrime attacks.

Whether it is the recent ransomware attacks that brought the U.K.’s NHS to a standstill or the $1 million Bitcoin ransom paid by a South Korean web-hosting firm to release their clients’ data. Yet do we really understand this threat and what it actually means? Is it only large corporations with big pockets that get hit?

To truly understand the impact of this threat it is important to know how the mind of a cybercriminal works, a criminal developing a business that preys on the least prepared organisations that are therefore the easiest target.

The strategy of a cybercrime business

Fraud, malware, ransomware and attack services are a cost effective, easy to implement, faceless yet potentially richly-rewarding crime; the new face of 21st Century criminal business.

Unless politically motivated, or with the time and resources to undertake large scale attacks, the most efficient way for cybercrime businessmen to make money is to go after what they consider are the low hanging fruit.

This was evidenced in 2016 when security company Palo Alto and the Ponemon Institute published the results of a survey to explore the economics of cyberattacks from the attacker’s perspective. 73% of respondents stated that they search for what they consider to be soft targets, those who do not have a strong defense.

Additionally, 72% said they won’t waste time on an attack that will not speedily produce high-value returns.

Attacks are made abundantly easier and quicker by the array of digital weapons at the attackers’ fingertips. Cybercriminals readily share information on potential targets and resources.

Hacker forums and download sites provide a constant stream of malware used to exploit new security holes or those that build on previously known methods in an attempt to stay ahead of the cyber security companies providing our defense.

These attackers will, however, give up and move on to another target after spending approximately a week without achieving their goals. They are in the business to make money and finding the most efficient way to extract money from a target, whether it be digital blackmail or theft of data is key.

In most instances, this efficiency will be gained through a high volume of attacks against poorly protected organizations that may only provide small payouts rather than the one big newsworthy jackpot.

This importantly means that those at greatest risk are organizations who feel they may never be targeted and thus ignore the risk of being attacked.

Understanding how not to be targeted

To continue to prosper in this criminal market, the upper echelon of cyber-criminals need to maintain efficiency, all the while going undetected. They engage in intricate conspiracies to camouflage their business activities and vigorously seek to evade detection and capture.

Their methodology leads to the indisputable fact that these individuals are well-ordered and transnational. They take full advantage of the fact that the internet has no boundaries, whilst law enforcement agencies and forces have jurisdictional, geographical and financial limitations.

As we have seen though, efficiency is key to their strategy and continuously investing in a strong defense can help deter attackers looking for a cheap win.

If electronic defenses are in place that deter the cybercrime businessmen and make it harder for them to attack you, then they may look elsewhere because it isn’t economically viable.

Understanding this is a key step to help create an effective cybercrime prevention strategy. You just have to put enough defenses in their way to make the return on their investment unpalatable.

In other words, stop being the low hanging fruit, move up the tree and treat your security seriously.

Darren Mullins, Director, Forensic Technology, Financial Advisory, Deloitte, Middle East