Sophos: Cybercrime is a For-Profit Undertaking, Just Like Any Typical “Business”

The real world is a jungle; it is really is still the survival of the fittest even after hundreds of thousands of years ago when our common ancestors walked the planet. But instead of having a fiercer roar, sharper claws, larger teeth, bigger bodies, and other physical attributes, the real world is now intellectually-driven. The more value a person can provide the society, the better a person she will be. This same trajectory happens as well in the less admirable cybercriminal communities. There are still evil script kiddies out there, who used to hog the limelight, their 5-minute of fame with their prank malware and their cheap vandalism attacks on websites.

However, for those less professional and less skilled virus authors and hackers, they are also fast becoming the “yesterday’s news.” The cybercriminal organizations are evolving, as more skilled black hat hackers are becoming more and more influential, with growing leadership in their field.

This scenario was what Joe Levy, the CEO of Sophos, a mainstream antimalware vendor revealed recently in their SophosLabs 2019 Threat Report. The power-play of script kiddies and unprofessional hackers being out, while highly skilled black hat hackers becoming more important with cybercriminal organizations are fueled with one factor only: money.

2019 will strongly continue where 2017 and 2018 before it left off, virus development with the main goal of “earning the big bucks.” The capitalist nature of hacking, virus development, and phishing expeditions is very evident, as organizations left and right admitted to paying the ransom, just to get their encrypted data back.

This money-centric nature of cybercriminals is for all platforms: desktop, laptops, smartphones, routers, tablets and even IoT (Internet-of-Things). This year, the news of a very nasty malware targeting consumer routers, those small network devices usually supplied by ISPs. VPNFilter is science-fiction turned reality, as it performed new ways to propagate malware outside of common devices, creating a new possibility for malware to propagate – the memory and firmware areas of a network router.

Companies need to evaluate and fund a thorough penetration testing for their corporate networks and computers. It is no longer a luxury today, but rather a long-term investment and like an insurance for their business. The possibility of recovering a brand from the bad reputation of being hacked, becoming a victim to a data breach or virus infection is not yet set on stone. There were already companies that literally went out of business, as their PR machine can never recover the lost customer trust due to a cybersecurity issue.

From the board-of-directors to the CEO and the COO and up to the lowest level clerk, companies need to change their IT cultures. The culture of being suspicious of the content of an email message, an instant message and foreign USB drives are better behavioral changes to promote. The natural human take is to veer towards convenience, which is directly opposite and natural enemy of security. Any systems that base its foundation to convenience will always be less secure than a system that was designed with security in mind.