Our security client Fortinet asked us to compose a bylined thought-leadership piece on why cybercrime continues to be big business. Appearing in Forbes, the article takes an unflinching look at why cybercrime is growing in magnitude and sophistication. The two driving factors are the consumerization of crimeware and the adoption of best business practices by crime syndicates worldwide.
Perhaps most alarming is the fact that crime syndicates are using an “enterprise-class” approach to growing their business. The structure of these syndicates, in many respects, mirrors the hierarchies of big organizations right down to the executive suite, middle management and the rank and file.
When you couple the growing organizational sophistication of crime syndicates with the explosion in cloud computing, social networking, BYOD and mobile communications, cybercriminals have an unprecedented smorgasbord of attack vectors to choose from.
And like most well-managed for-profit enterprises, crime syndicates maintain extensive R&D organizations. Custom-order code to produce private botnets, fake anti-virus software and previously unseen deployment systems are just a handful of new schemes being developed in off-the-grid labs.
But the similarities syndicates share with the corporate world don’t end there. Taking a page out of Wall Street, crime syndicates are actively engaging in mergers and acquisitions to grow their botnets through the use of another organization’s best practices.
Blurring the lines of best practices even further, we’re now seeing creative profit-sharing flair as crime syndicates grow sophisticated, pay-per-click/install/purchase affiliate programs. Up-and-coming cybercriminal affiliates are now being rewarded on a performance-based pay scale.
So what’s to be done about all of this? Clearly, working groups and task forces are essential to stem the tide. But despite some high-profile takedowns, these efforts are a drop in the bucket.
The bottom line is that global participation is a necessity. International bodies that can mediate disputes and dispatch resources to share information about cybercrime trends are mandatory. In addition, the Achilles heel of cybercrime needs to be attacked, and that means going after the cash flow. Affiliate programs need to be targeted because they’re the cash cows that pay out commissions and rewards to the “infantry” that carry out malicious attacks. Dry up the well and the rest of the food chain withers.
Of course, there is no practical substitute for implementing a highly layered security strategy, assessing potential security flaws on a regular basis, and educating users about security best practices while having incident response plans and enforceable policy mechanisms in place.
What do you think? Can cybercrime ever be contained? What needs to happen to enable a lower incidence of “incidents”? What can the private and public sectors do, separately and in tandem, to make it harder for bad guys to ply their trade?