The Business of Being a Cyber Criminal – Why I target SMEs

Clients often joke with me that I should ‘switch to the dark side’ and turn to hacking rather than helping businesses defend themselves, because I would make far more money.

Whilst this definitely isn’t in my nature or on my list of career aspirations, it does raise an important point about the ‘business’ of being a cyber criminal.

First, let’s note that not all hackers are in it for financial gain. Some ‘hacktivists’ set out to disrupt businesses whose cause they disagree with, whilst others enjoy the challenge of breaking into large organisations to validate their own skills. A large proportion of hackers, though, are career criminals, running their own illegitimate businesses and probably doing very well for themselves on the back of conning innocent victims.

Understanding the criminal mentality behind this helps us prioritise our defences against it. It’s unrealistic to expect every business to have a limitless budget to spend on cyber security. I have been that person within a business who is the first point of contact for vendors wishing to sell us over-engineered, overpriced solutions that might reduce the risk of an obscure cyber attack that may happen twice a year.

Cyber criminals face the same trade-off. The more time and effort they have to put into orchestrating an attack, the lower their potential profit margin from it. Let’s assume for a minute that the calculation is as follows:

Total Attack Profit = Extorted Cash + Data Dark Web Resale Value – Hardware and Software Costs – Man Hours for Recon and Orchestration

We’ll apply the model here to a ransomware attack. (Please note: figures are for illustrative purposes only.)

Scenario 1

Large telecoms organisation holding clients’ personal data, with a significant IT and security budget, running the latest version of Windows 10 with robust patching:

  • Extorted cash – likely to be £0, as a documented incident response plan rules out paying.
  • Data Dark Web Resale Value – assume £50k.
  • Hardware and Software Costs – assume specialist software and hardware worth £10k.
  • Man Hours for Recon and Orchestration – in excess of 90 days @ £500/day = £45,000.

Total Attack Profit = £0 + £50k – £10k – £45k = –£5k (a loss: the attack doesn’t even cover its own costs)

Scenario 2

Small accountancy or legal practice with 10–20 employees, holding personal data, case or transaction monies and sensitive financial data, running Windows 7 that is patched only occasionally:

  • Extorted cash – £10k directly from the business, as there is no documented incident response plan and the business owner is keen to get the data back, plus the potential for a further £50k through subsequent infections of client devices.
  • Data Dark Web Resale Value – assume £10k (a smaller volume of data than in scenario 1, but much more detailed financial data).
  • Hardware and Software Costs – minimal specialist equipment needed, as known, unpatched vulnerabilities exist: £2k.
  • Man Hours for Recon and Orchestration – 2–3 days @ £500/day, with minimal recon required and known exploits reused = £1,500.

Total Attack Profit = £10k + £50k + £10k – £2k – £1.5k = £66,500

OK, so the numbers are fictitious, but the point is real. SMEs like the one in scenario 2 often assume that cyber criminals won’t target them, and so don’t prioritise investing in cyber security because they’re ‘too small’. The reality is that, to a cyber criminal making the same kind of profitability decisions as any legitimate business owner, an SME that hasn’t invested in cyber security is low-hanging fruit: a prime target for repeatable, low-cost attack methods that can be run against hundreds of similar businesses with almost no extra effort.

The good news for SMEs is that the defences against these low-cost, repeatable attack methods are themselves low cost and simple: run a supported operating system, patch it promptly so that known exploits stop working, and have a documented incident response plan so that paying the ransom is never the only option. Each of those measures pushes the criminal’s man hours up and their extorted cash down, and the attack stops being worth running. Isn’t it time to prioritise cyber security in your business and become a business that simply isn’t worth the criminals’ time?