And What It Means for Businesses

By Mark Belgrove, Head of Cyber Consultancy, Exponential-e

In a sea of increasingly complex cyber warfare and nation-state hackers, it can be easy to forget that the simplest things are still the biggest security threats. These can range from falling for an email phishing scam to people not programming properly, leading to website vulnerabilities. In fact, because so many cybersecurity methods of attack are so mainstream, carrying out these attacks has now become a business in itself — a bonafide service in its own right, where all you need to do is press a button and pay an e-invoice.

Last year, the cybercrime industry was estimated to be worth $1.5 trillion; this year, the nefarious economy shows no signs of slowing down. Though illegal, the cybercrime economy is clearly proving reliable amid fiscal and social uncertainty across the globe; its lasting power lies in its self-sufficient and profitable status. If you go to the right place, you can buy cybercrime-as-a-service, press a button, get an invoice, then take on your chosen target through a third-party without needing any cyber skills of your own. The attention to detail is now so curated that criminal organizations often have help desks.

While it might seem shocking how widespread the cybercrime-as-a-service has become, this means it’s more important than ever to understand and attempt to mitigate it. As easy as online shopping, accessing cybercrime tools, services, and expertise is an incredibly straightforward business these days if you know who to look for. Also, due to the very nature of cybercrime, there’s no end to the location of potential malicious actors, who can launch a cyber attack on a business headquartered in a completely different country or even continent to the attacker themselves.

Consequently, companies of all sizes will find themselves faced with more costly, sophisticated, and disruptive cyber attacks. Although technology threats remain mostly the same with cybercrime-as-a-service, from an enterprise perspective, it’s important to remember that more people are able to partake in cybercrime as a result. Moreover, the malicious hacker delivering the service is likely to have carried out their attack many times before. As such, the danger posed by cybercrime-as-a-service must be understood by businesses in order to mitigate its damage.

This is where the importance of data visibility becomes most apparent, which means keeping on top of shadow IT — no mean feat. Although a pertinent problem in companies of all sizes, the issue is (somewhat ironically) exacerbated when a company experiences rapid growth and success — whether that’s through a string of fresh hires to keep up with new business or a long-awaited acquisition. In all other aspects, the business might be booming, which is brilliant — but as growth increases, so does the struggle for IT teams to keep on top of threats, both on and off the company network.

This can be particularly difficult for mid-market and high-growth businesses, such as startups and scale-ups, where it can be a struggle to keep on top of threats amid a continually increasing headcount. We need cyber binoculars, if you will, to see ahead, identify threats early, and give the experts the chance to analyze and take appropriate action. Here, a forward-thinking cybersecurity operations center (CSOC), supported by a hands-on team of analysts, can really help — which means a CSOC that’s both reactive and proactive. The CSOC team should undertake specific research into cybercrime-as-a-service as well.

Compliance is the cornerstone to all of this because, as networks and requirements change, disparate security systems across the IT environment create a significant compliance headache for businesses, making it almost impossible to accurately assess compliance adherence across a multitude of interfaces. The result? A fragmented view of compliance that is prone to error.

Now, however, technology and systems exist that are designed to monitor for compliance to multiple standards — across different geographies, if needed. The specific nature of this form of monitoring relieves a heavy burden when adhering to regulations such as European GDPR, as real-time compliance monitoring can be continually illustrated to anyone from a regulator to a supplier. This is achieved by collecting, aggregating and correlating system and network information. What makes this so important is that strong cybersecurity protection relies entirely on data visibility — if an organization can’t keep track of its data or its stored insecurely, this paves the way for a host of possible cybersecurity threats, from simple phishing scams to ransomware attacks.

By taking a proactive approach to security protection, it becomes possible to use threat intelligence to prevent attacks, rather than just react to imminent threats. Beyond technology, this should take the form of a trusted team of third-party experts who have the time and wider resources to spend on cybersecurity protection. In doing so, it becomes possible to limit the chaos of added cost and simplify security to focus on business strategy and risk. After all, when it comes to security, it’s the actionable information, integration, and the end-to-end capabilities that equip businesses with the tools they need to take on cybercrime-as-a-service — giving them that much-needed edge to survive.

About the Author

Mark Belgrove is the Head of Cyber Consultancy of Exponential-e. With over 25 years’ experience in the information security field, Mark runs the global cybersecurity consultancy team at Exponential-e and is the technical lead. Mark combines a strong background as a Chief Information Security Officer (Yell Ltd) with almost 10 years of security and risk consulting delivery into a range of clients including Merrill Lynch, Cable & Wireless (NTL), Scottish & Southern Electric and Chase Manhattan Bank. Mark has experience in a wide range of specialist topics including risk management, business continuity, compliance, and cybersecurity governance. Mark is a Certified Information Systems Security Professional (CISSP), Payment Card Industry Professional (PCIP – former QSA) and ISO 27001 Lead Auditor. Mark can be reached online at LinkedIn and at our company website