Enterprises are constantly under attack from cyber-criminals. In 2016 we saw one of the worst ever years for data breaches. Adult Friendfinder, LinkedIn and Yahoo all experienced some of the biggest breaches ever recorded.
Streams of confidential information harvested from unencrypted enterprise customer databases, phishing emails and mobile messaging scams is finding its way to the Dark Web.
Here a sophisticated supply chain has evolved trading black market goods and personal data for Bitcoin.
Working in close collaboration with Professor Alan Woodward, a leading cyber-security expert at Surrey University, UK, NURO has just published an original report on this alternative economy entitled Hacker-nomics: Introducing the Dark Web.
As the report reveals it is a world where the hackers seek to be rewarded for their crimes.
So what does cyber-crime actually pay?
The answer is not as much as you might think.
One report from April 2016 describes US credit card data being available on the Dark Web for £17 each. Details usually include personally identifiable information (PIIs) such as card numbers, account names and CVV security digits.
Stolen credit card details have a very short shelf life. Cardholders inform their banks very quickly. This means their value tends to drop steeply within hours.
It is very likely the advertiser would have had to settle for much less than original the £17 asking price.
When Wired interviewed the hacker behind the breach of millions of Twitter and LinkedIn account details they claimed to have earned just £12,000 for each batch.
In the black economy of the Dark Web it would appear that, unless the victim is a celebrity or high-profile public figure, the price of the data of ordinary individuals is peanuts.
It explains why cyber-criminals like to gather PII data in large volumes.
A complete set of information that includes names, addresses, National Insurance numbers as well as bank details sells for rather more. “Fullz” as they as known have everything a fraudster needs. Fullz are collated by middlemen, or consolidators, who piece together bits of hacked data to make them more desirable.
Operating on the outer margins of the law, consolidators try to exploit the various data protection rules in different countries. This is not as hard as it sounds. Only about 100 countries have any form of data protection laws at all.
Hackers have been so successful at breaching enterprise customer databases that even the price of fullz has gone down. A few years ago the asking price for fullz was £40 each but more recently the market value is closer to £8 to £12.
The people who buy stolen data on the Dark Web are in it for profit.
Sometimes they ask the victim for ransom money. But usually they take a more traditional approach. They use the information to carry out fraud by making false transactions and bank transfers from individual compromised accounts.
Some estimates put the return on investment of acquiring stolen data as high as 1,425 percent.
Business policies such as Bring Your Own Device and Bring Your Own App undoubtedly bring productivity benefits. Set against this are the risks to the enterprise of consumer apps like mobile group chat on employees own phones and tablets.
The pros and cons of each must be carefully weighed.
Tempting as it is to save money on tech, unsecured mobile chat apps are a target for scammers and could compromise enterprise security overall.
Equally important is regular staff training on such issues as mobile phishing and how to spot messages with suspicious links.
Large-scale data breaches can cause untold damage to the enterprise in terms of reputation and financial penalties.
Business-grade alternatives to consumer apps for team chat and messaging have security built in by design. Plus they are just as easy to use.
The challenge for enterprise is to extend security measures beyond the network to embrace technologies such as mobile and cloud-based applications.
With so much at stake and so much already invested in security systems to then allow cyber-criminals a way into the organisation that's completely beyond the IT department to control is a bit of an own goal.
Locking down cloud-based mobile communications channels closes the security loop. At a single stroke the organisation substantially reduces its threat posture while making funding the cyber-criminal lifestyle a lot less likely.
Contributed by Omri Sigelman, co-founder & CMO, NURO Secure Messaging