Meet the Cyber Mafia: Kelser Exposes the Business of Cybercrime
Earlier this year, a simple thought occurred to me. Hackers are the new mafia. Cybercrime is the newest part of the organized crime business model. How could looking at things this way change the cybersecurity landscape?
One of the biggest challenges in cybersecurity is getting people to care about it. There are data breaches in the news every day, and it’s created a bit of numbness. For the most part, the general public simply doesn’t understand who the organized and systematized cyberattacks and the organizations that perpetrate them are. My hope was that by providing a window into the business of hacking, I could help business owners and IT professionals see their organization through the eyes of hackers.
This became the basis for a Small Business Week presentation with my colleague Brian Mulligan at Work_Space in Manchester, which I went on FOX 61 News to promote.
Anchor Aisha Mbowe summed things up perfectly with this question:
AISHA: I feel like traditionally when we talk about hackers, you’re imagining someone in a basement hacking into your computer and things of that nature. But we’ve learned in the last couple of years especially with those large breaches, that it’s a lot more complicated than that.
ANDREW: I would say it’s become an industry. It started as people experimenting with ways to make money on the internet. It’s now branched into a fully functional industry. There are probably 10 or 15 ways or paths you can take to either acquire data and sell it, or just hack people for ransom. Related to the mafia method of doing business, you find ways to make money out of the weak points of an industry.
So that was the jumping off point for the lunch and learn event in Manchester. The Journal Inquirer sent a reporter to recap the discussion for a story that ran on the front page of the business section the next day.
The article captures the overarching idea well—by imagining how a hacker could make money from attacking your business, you’re more equipped to stop them.
Part of this thought experiment is estimating how much money a hacker could stand to make by targeting your business, and how much you could potentially lose. In an article in The Sociable, Kelser’s Adam Stahl shared some rough numbers for the value of different types of data on the black market. With medical records fetching $20-50 each, it’s easy to get into six and seven figures quickly from a single data breach.
While Social Security Numbers may go for a surprisingly low $1, the other side of the equation is how damaging a cyberattack could be to an organization in terms of legal liability, downtime, remediation, and reputation damage. When you understand that hackers are organized crime, it’s easy to realize that they will be ruthless about making even a small amount of money without regard to the wreckage they leave behind. It’s all about their bottom line. Hackers sometimes even offer assistance for paying a ransom these days, but when it comes to picking up the pieces after a ransomware attack, you’re on your own.
Kelser President Jim Parise was able to take this idea of the cyber mafia to a national audience by writing a detailed, fantastically useful article for CFO.com about the business of hacking. The article was published at a fitting time. As news of the Capital One data breach spread, it immediately jumped out to me that the hacker—a lone woman based in the US—was very atypical.
My fear was that the high-profile Capital One incident would continue to reinforce the Hollywood stereotype of hackers and bury the reality of their methodical, business-like ways. Fortunately, it seems to have spurred some discussion. I’ve seen other cybersecurity experts in the news commenting on how unusual this particular hacker is and taking the opportunity to paint a more accurate picture of criminal organizations based abroad.
As we saw with Capital One, law enforcement in the US is generally quite effective at catching domestic hackers. That’s why most hackers are based abroad. Without much legal recourse, currently our best bet for stopping the cyber mafia is to understand how and why they do what they do, and stay one step ahead of them.