Cybercrime as a business - Click and Protect

The stereotype of a hacker as a young man alone in his parents’ basement wearing a hoodie is commonplace. Most of the images illustrating articles about hacking conform to this stereotype.

As a result, most people outside the information security sector don’t realise that hacking can be big business, and runs in a similar way to most businesses you see around you.

The loner in the basement might be working for themselves (or just having fun), or they might be employed by one of these big cybercrime businesses, and working from home. Or, they might be employed by a business in the cybercrime supply chain. Yes, that is a thing.

Just like any business operating aboveboard, a cybercrime business will do some or all of these things:

Seek to maximise profit and minimise cost
Compete with others in the same market
Target their attacks, and hone their organisation for efficiency
Market their products and services to targeted groups of potential customers
Support their customer base (raise tickets; provide a help desk)
Provide call centres to help their victims pay the ransom
Conduct R&D to identify new, potentially more profitable markets and develop new products and new revenue streams
Hire specific expertise either as employees or as subcontractors
Pay top rates for excellent coding talent that can write and modify code, create and test exploits
Have multiple levels of management in different departments—or they may operate as a consortium, rather than in a hierarchical structure
Subcontract out non-core elements of the business
Pivot, if necessary, to a new niche
Consider new operating models, such as franchising or white-labelling products.

Not all cyber attackers are profit-oriented businesses, of course: some are individuals out for fun, for the experience or for revenge. Others might have political or military motivations, or be out to promote a particular cause.

Am I likely to be targeted by a cybercrime business?

It depends on the nature of your business, of course, and on the motivations of your attacker.

Some business sectors are more likely to be targets than others. The hospitality industry, for instance, holds a lot of personal and financial information on its customers, as does the legal sector and HR departments in general. The finance sector is an obvious target.

Manufacturing companies typically have valuable intellectual property, and many use software that can be difficult to update, which can make it easier to attack. Critical national infrastructure can be a target for politically motivated attackers.

But in general, your attacker is likely to go for easy targets, because they are quicker and cheaper to infiltrate, and to use tried and tested methods, to avoid wasted effort.

So, you are most likely to be attacked using one of the standard attack types, such as ransomware or phishing.

Phishing is common-place just because it is so cheap to implement. Many thousands of emails can be sent out at low cost, and it only takes a few unwary clicks out of those thousands to make it a good day at the office for the attackers.

Ransomware will make your data or your systems unusable unless you pay a ransom (and maybe not even then). And sometimes the attackers double-dip: demanding the ransom and also selling on the data that they’ve stolen.

What can I do to reduce my risk of being targeted?

There are a few things you can do to reduce your risk.

Think carefully about your business information assets. What do you need to protect? What threats might they be vulnerable to?
Consider the sector you work in. What are the most likely threats facing you, given your particular circumstances?
Get the basics in place:
1. Strong and unique passwords for every account
1. Turn on two-step verification for every account you have that allows it
1. Keep the software on all your devices up to date
1. Password protect your mobile devices
1. Don’t connect to unknown wi-fi hotspots
1. Backup your data regularly—keep your backups away from your originals
1. Install anti-malware and firewalls
1. Train your staff in how to recognise phishing emails
1. Make sure your staff feel able to alert you to anything suspicious.

Implementing these steps won’t guarantee protection from cyber-attacks, but they can reduce the risk of it happening to you. If you’d like help with reducing your risk of cyber-attack by setting up strong cyber defences—or if you’d just like an assessment of the risks you face—contact the Click and Protect team, or call us on 0113 733 6230

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cyber attack as a business

Am I likely to be targeted by a cybercrime business?

What can I do to reduce my risk of being targeted?

You might also be interested in: