Access to professional cybercrime services and the formalisation of cybercrime is one of the causes for growing cyberattacks, and this can only be effectively combated through cooperation and vigilance, says computing multinational Intel Security VP Raj Samani.

“The cybercriminals are working together and companies must also work together to protect themselves against increasing cybercrime. I believe that the only way businesses can protect themselves against these threats is to cooperate, share information and, through this situational awareness, act accordingly.”

However, Samani notes that outsourcing does not exempt businesses from taking responsibility to defend themselves against cybercrime and, even if outsourced or using the cloud, the issue must remain as an agenda item at board and executive meetings.

Similarly, cybersecurity services and companies already have a strong tradition of sharing cybercrime information and information on emerging threats, and Samani advocates continuing and broader sharing of cybercrime information between stakeholders to combat the growth in cybercrime-as-a-service.

Demonstrating the ease with which cybercrime services and information can be accessed, Samani used a mobile phone and common social media and video platforms to get contact information for cybercrime services, including denial of service attacks, stolen credit card information offerings and individuals’ personal details.

Some of the offers were $20 for 50 000 individuals’ details or stolen credit card information (with the pins for the cards and guarantees of balances of about $5 000). He notes that he could possibly access similar datasets at even lower prices.

“A high impact exploit (typically a vulnerability in an operating system, software or device firmware allowing the system to be hacked or shut down) in this example is selling for $600. Medium impact exploits (typically for systems with fewer users or used to penetrate older software) can be bought for $200,” he notes.

Cybercriminals can also outsource the research component of the cybercrime value chain to identify which industries, territories or users would be vulnerable to the exploit purchased. Cybercrime services operate on a user-rating system, enabling prospective cybercrime service users to evaluate whether a specific cybercrime service would be effective.

Samani also showed that some of the cybercrime sites allow criminals to search for information by city and profession, enabling cybercriminals to target specific industries. This granularity of information by region and profession makes it much easier to target individuals, and exposes the possibility for cybersabotage and cyberespionage by competitors within industries.

“The only thing required to carry out cyberattacks and cybercrime these days is a means to pay for these services. No technical knowledge is required at all and the entire cybercrime value chain can be outsourced.”

Vigilance and awareness are, therefore, paramount – early identification of cyberbreaches and data leaks and losses can prevent significant financial and reputational damage to companies.

“Transparency and communication with affected parties are best practices. Only by being honest about breaches and immediately communicating with affected customers can companies hope to limit reputational damage.

“Owing to the scope of the threats, any company can be hacked and having a breach response strategy can mean the difference between a company losing customers and subsequently closing down as the result of a breach, and an honest, measured response and retention of clients,” Samani concludes.