The P&L sheet of a professional cyber criminal

"Cyber crime is now a profession,” so needs to be thought of as such.

The traditional view of a lone hacker in a basement trying to get into your business is an outdated one. Cyber criminal gangs are effectively professional businesses, and that’s how we need to think of them.

That was the message from Jamie Johnson – Global technical account manager at Symantec – during a talk at Fujitsu Forum in Munich earlier this week, where he emphasised how the mindset of the security professional needs to change.   

“What we’re seeing is our adversaries are starting to get more professional,” he said. “They have moved from being a start-up business into much more of a growth business and they’re starting to target certain industries. You’re seeing the bad guys verticalise.

“The reality is that our cyber adversaries really are professional hackers. These are educated, talented individuals.”

The modern way to think about cyber criminals, Johnson suggested, is through a P&L sheet as you would any legitimate business. He split the activities of a potential attacker into five sections:

  • The bookings report: This refers to the record number of cyber attacks and stolen identities we’re seeing at the moment, i.e. the revenue criminal gangs are bringing in: “The goal for all this is monetary gain and let me tell you, they’re bringing in a lot of money.”
  • Margin expansion: This refers to the growth of new markets, such as “the shift towards digital extortion. This is where they’re starting to add new areas of business to be able to generate additional revenue to the organisation.”
  • Channel program: Symantec’s 2016 Internet Security Threat Report found that 78 per cent of websites had vulnerabilities, creating a ‘channel program’ of sorts where attackers can “find new hosts to compromise and new individuals to target to hopefully exploit different markets.”
  • Research and development: This is a key area for any company and refers to zero-day threats where hackers are “finding new information, new types of exploits that they can leverage to compromise organisations.”
  • Go-to-market expansion: It’s now commonly accepted that no industry is safe from cyber attacks, as hackers have expanded into all segments - from retail to healthcare and financial services to education - bearing a striking resemblance to traditional market expansion.

“It’s really a changing environment for businesses,” Johnson said and when you think about hackers in this way it’s easy to understand why. Advanced adversaries that are well-funded and technically savvy are able to leverage new and improved technologies against an ever-expanding attack surface full of internet connected devices.

“What we’re hearing from our customers is that it’s really tough to stay on top of security. It’s just an overwhelming process for them,” Johnson concluded, a thought echoed by John Swanson, Fujitsu’s head of security offerings for EMEIA, who said: “There are a whole raft of threat actors that we face. Incidents with malicious code are increasing at around 40 per cent per year, security incidents increasing at 60 per cent per year. Cyber crime is now a profession.”

It’s an ominous thought, but one which certainly can’t be ignored.

Image Credit: Brian Klug / Flickr