Cybercrime: A lucrative business that’s on the rise
Experts warn of persistent threats and urge proactive digital security measures.
Cybercrime is on the rise, and all of us — individuals and organizations — are easy targets. Yet there are basic steps we can and should take to protect ourselves.
Cybercrime is projected to cost the world $9.5 trillion this year and $10.5 trillion in 2025, according to Cybersecurity Ventures. The global average cost of a data breach in 2023 was nearly $4.5 million, IBM reported, and 75% of security professionals observed an increase in cyberattacks over the past year, according to CFO.com.
As a result, the cybersecurity insurance market is expected to be worth $20 billion by 2025 (DataProt) and grow at an annual rate of 24.5%, reaching $120.8 billion by 2032 (Fortune Business Insights).
Globally, 73% of organizations fell victim to ransomware attacks in 2023 (Statista). Extortion was involved in 27% of attacks, showing a growing trend in ransomware tactics (IBM). Ransomware costs are projected to reach $265 billion annually by 2031, up from $20 billion in 2021 (Cybersecurity Ventures).
Phishing has been identified as the primary infection vector in 41% of cybersecurity incidents (IBM). More than 75% of targeted cyberattacks have started with an email in 2024, (Norton Antivirus). The number of conversation/thread hijacking attempts doubled in 2022 compared to 2021 (IBM).
Nearly all, or 98%, of web applications are vulnerable to attacks that can result in malware, redirection to malicious websites and more. Furthermore, 17% of cyberattacks target vulnerabilities in web applications (PT Security). Yet, 73% of companies in North America use browsers that are out of date (Statista).
The average time it takes to detect a cyberattack is 118 days (ThoughtLab) and 277 days to identify and contain it (Parachute).
Cybersecurity in the news
Almost daily, we hear of yet another cyberattack or data breach and its far-reaching consequences.
Last Friday, Delta Air Lines sued CrowdStrike, claiming the Texas-based cybersecurity company cut corners, leading to a global technology outage that caused thousands of canceled flights in July.
Delta is seeking compensation and punitive damages, stating that the outage, which began with a faulty update sent to millions of Microsoft computers, crippled its operations for several days and resulted in more than $500 million in lost revenue and additional expenses. Delta claimed that CrowdStrike failed to test the update before rolling it out worldwide.
Also last Friday, United Health announced that a ransomware attack earlier this year affected the information of 100 million users in the largest-ever U.S. health care data breach.
Change Healthcare, part of the United Healthcare Group, was attacked by an affiliate of the ALPHV/BlackCat ransomware group, which stole 6 terabytes of sensitive customer data, including health, insurance, billing, claims and personal information such as Social Security and driver’s license numbers. Change Healthcare ultimately paid a $22 million ransom in exchange for the data.
Cybercriminals linked to China may have attempted to tap into the phones or networks used by former President Donald Trump and his running mate, Sen. JD Vance, BBC and CBS News reported Friday. People associated with the presidential campaign of Vice President Kamala Harris and Gov. Tim Walz were also targeted.
Last Thursday, the Georgia secretary of state’s office reported that it repelled a cyberattack earlier in the month. The attempt appeared to be aimed at shutting down the website voters use to request absentee ballots ahead of the election, USA Today reported. The threat was discovered after the agency noticed hundreds of thousands of attempts to access the site on Oct. 14, one day before early voting began in Georgia.
Earlier this month, Verizon said it was “aware that a highly sophisticated nation-state actor has reportedly targeted several U.S. telecommunications providers to gather intelligence.” And the list goes on.
Cybersecurity in your hands
“We need to understand that we live in a world where, in addition to physical security, we need to be aware and protective of our digital security,” said Carla Framil-Ferrán, vice president of Legal at Liberty Communications, during a talk on “Cybersecurity in Your Hands: Protect Your Digital Identity and Avoid Fraud” held last week by Liberty Puerto Rico.
“The digital world is another space where we live together. It’s important that we think about this not only as a personal responsibility but also as a collective responsibility, and for that, we need to be proactive and responsible,” she said.
Although the internet is more than 40 years old, it has been advancing at an exponential rate, leaping forward by about 10 years during the COVID-19 pandemic, Framil-Ferrán noted.
Cybercrime, too, accelerated during the pandemic. Consider the following statistics:
- Phishing attacks or malicious emails rose 600% in 2020 (United Nations).
- The pandemic led to a 50.1% increase in cyberattacks and 30,000 associated pandemic-related cyberattacks (World Economic Forum).
- The number of cyber threats rose 30,000% specifically because of COVID-19 (CGI Group).
- Interpol detected some 907,000 spam messages, 737 malware-related incidents and 48,000 malicious URLs tied to COVID-19 between January and April 2020.
- In April 2020, Google reportedly blocked 18 million malware and phishing emails daily related to the pandemic.
Cybercrime is a lucrative business operated by sophisticated organizations, said Marcel del Prado, vice president of channels at Pentera, a cybersecurity company.
“Cybercrime is a tremendous business. If cybercrime’s value could be a country, it would be the third largest global economy. It easily surpasses $10 trillion” per year, he said.
“This is no longer a threat caused by a kid in his grandma’s basement. These are extremely sophisticated organizations known as advanced persistent threats. Like legitimate companies, these APTs have corporate buildings with employees who receive salaries and benefits. There’s a [cybercrime] group in Russia that has 5,000 employees,” del Prado said.
Individuals and organizations need to consider the value of their information, said Felipe Ruiz-Rivillas, vice president of information security and chief information security officer at Liberty Latin America.
“That’s why we’re attractive [targets], because of the value of our information — how it can be materialized, but even more, how it can be capitalized,” he said.
People connect their devices to Wi-Fi networks at airports and hotels without giving it a second thought, del Prado said. They check their email, credit card and bank statements, oblivious to or ignoring the fact that “the man in the middle” — whoever controls the network — can see everything that is being transmitted.
“This is why we’re seeing the value of cybercrime accelerating so much,” he said.
“Nothing is free,” Ruiz-Rivillas added. “How much have you paid for using WhatsApp or Instagram?”
These apps profit by collecting data. Data mining may seem harmless, but while reputable companies use data to, for example, show users ads that are relevant to them, hackers use it to steal identities.
Most people don’t realize their digital identity has been compromised because hackers can observe their targets for years before launching an attack. That’s why it’s called a persistent threat — hackers wait until they know everything before striking, del Prado explained.
“The largest cybersecurity and fraud incidents begin with, let’s say, the account belonging to the air conditioning maintenance employee. And from there [the hackers] continue to elevate and elevate privileges [and access]. It’s not if but when it will happen to us,” Ruiz-Rivillas said.
“Our purpose is not to generate paranoia but to remind everyone to think before they click. Don’t rush. Think before you click,” he added.
Artificial intelligence is accelerating the hackers’ ability to scale the number and quality of their attacks, del Prado said, noting that cybercriminals can use AI to create realistic voice and image reproductions, known as deepfakes, to scam people.
“If someone who sounds like your husband calls you saying he has an emergency and asking for money, tell him you’ll call him back,” he advised, suggesting that people establish a code word for emergencies.
The panelists shared several critical recommendations: always be aware online; avoid automatically trusting websites, apps or networks; safeguard login credentials; avoid using the same password for different sites or apps; regularly change usernames and passwords; take advantage of two-factor authentication (2FA); avoid sharing private information via text, direct messages or emails; monitor your social media accounts (if you don’t use them, deactivate them); consider credit monitoring; and, above all, think before you click.
We need to accept that our personal information, including Social Security numbers, is already public, del Prado noted.
“That’s reality. I can promise you that each and every one of you has been attacked this week. That’s a fact. The only way to exist with this is to … be responsible with the tools we use, be aware of the information we put out there and take prudent measures,” he said.
Yet, the measures we take to protect ourselves will never be enough, Ruiz Rivillas said.
“There’s no way to reach a state of zero risk. The only way is to turn everything off and leave. There’s no zero risk. Your computer can have the latest antivirus, super protected, but hackers eventually get around it. So, it never stops. What we need to do is stay aware of this risk and take at least some basic precautions,” he added.
