Crime-as-a-Service: Anyone Can Be a Cyber Criminal

Being a successful cyber criminal no longer requires technical acumen. Camellia Chan takes a look at how criminals are selling their services and, more importantly, how businesses can tighten their defences

The sustained rollout of new technologies has become a matter of routine. Whether personal or professional, each launch or update is promoted as bringing new features, increasing general ease of use that will benefit even the less tech-savvy end-users.

This trend towards greater accessibility is also true for technologies designed for criminal use. The world’s most prolific hackers are now marketing their criminal ability ‘as-a-Service’ to others who may not possess the same technical skill or resources but are willing to pay for it, thereby widening the pool of potential cyber attackers. This poses a new risk environment for businesses, but thankfully, there are several ways to harden up defences.

Crime-as-a-Service (CaaS) Threats  

Across the board, ‘as-a-Service’ models have become common in recent years, signalling a complete shift in how organisations use technology and services to improve offerings. It makes the supplier/customer relationship much more flexible, with service users free to opt in or out whenever they like instead of owning a specific product or investing heavily in resources upfront.

“Ransomware kits containing technology capable of locating and encrypting important files is becoming widely available”

This business model has also become particularly effective in the hacking tool market. Crime-as-a-Service is where an experienced cyber criminal develops advanced tools or services which are put up for sale or rent to less tech-savvy cyber criminals. As a result, even those with limited knowledge can carry out an attack.

Ransomware kits containing technology capable of locating and encrypting important files, forcing the victim to pay up to (supposedly) regain access to the data, are becoming widely available. Victims can be businesses of any size or sector. We’ve recently witnessed NHS trusts and ION fall victim to ransomware attacks, and similar tools can be bought or rented to allow more criminals – who may not possess the same technical know-how – to launch their own offences.

Business leaders must not underestimate the risk that this criminal business model poses. While CaaS lowers the barriers to entry for cyber criminals, this doesn’t come at the expense of poor execution. Developers often play a hands-on role in attacks to maximise their effectiveness and leave easier tasks to their less experienced customers. In other words, think of CaaS providers as Managed Service Providers (MSP).

Education and Diligence

With the average cost of a data breach at $4.45 million (£3.6m), business leaders can’t leave cyber defence to chance. They need to reduce the vulnerabilities that present an attractive attack target. Reducing the potential for human error should be a key consideration for all those seeking long-term continuity. Technology and information officers should petition for company-wide training and drills to educate colleagues on the risks of a breach and the red flags.

Alongside this, conducting thorough due diligence over existing data governance ensures that correct protocols are in place to protect sensitive information before it gets leaked. This requires a high level of internal investigation, but it can be the difference between successfully protecting data or accessing it by nefarious actors.

Hardware Defence

Due to a series of high-profile attacks over the last few months, cybersecurity remains a big board-level concern. The conversation has changed from when, not if, an organisation experiences an attack and how best to protect assets. While talking about action might be a good first step, implementing action is truly needed to mitigate the damaging financial, legal and reputational repercussions accompanying a breach.

Investing in solutions at the device hardware level protects the area with the closest proximity to data, which can dramatically reduce the implications of an attack. Breakthroughs in AI are also being introduced to cybersecurity, where technology can monitor threats continuously and more accurately than the human eye.

However, it’s vital to remember that ultimate protection is not guaranteed. No cybersecurity posture can completely defend against the flood of current and future attacks, so leaders must look at mitigating the potential damage caused when an attack succeeds. This requires greater awareness of current threats, criminal business models, and multi-layered cybersecurity defences.