Famed bank robber Willie Sutton was once quoted as saying he robbed banks “because that’s where the money is”. As we explore in our Cybersecurity Express training, there has been one major change in the IT security landscape in the past 10 years: criminals have realized that data has value in two ways. It’s valuable to you if you were to lose access to it, and it’s valuable to them if they can sell it. The criminal landscape has changed because data is where the money is.
In the first example, data has value to you if you were to lose access to it. Up until about a decade ago, most viruses and malware that plagued computers were either annoyances, like pop-up ad generation machines; technical speed bumps made by creative high schoolers just to see if they could; or, in the worst-case scenario, data destruction machines, out to wreak havoc and delete all your data, but without a built-in way to monetize the action. Enter “ransomware”: software that gets installed on your computer without your intent, encrypts your data, and gives you instructions to pay a ransom to decrypt the data and regain access. Up until as recently as 2017, the average demand was under $1,100. However, by the end of 2019, the average confirmed ransomware payment to criminals had ballooned to $84,116!
In the second example, data has value to criminals if they can capture it and sell it. A combination of data points such as a first and last name combined with an address or date of birth, known as Personally Identifiable Information, or PII, can run as low as $1 per record, while known good online banking credentials can fetch as much as $65 per record. So when you see stories in the news, like when Capital One lost 100 million customer credit applications in 2019, do the math.
And it’s not just a big business problem – it happens to organizations in our region like Baystate Health, and is attempted against small businesses, particularly those who maintain a lot of “delicious data” as a prize.
Criminals are after your data, because that’s where the money is. Our industry has a tendency to throw around terms like “ransomware” as if it’s the problem – it’s not. It’s the tool. If criminals were physically at your door with guns demanding or extorting cash, the security measures put in place would be much more aggressive and thorough than what had been in place ten years ago. The reality is that organized and highly trained criminals are at your virtual door, and they’ve come with weapons demanding or extorting cash for your data. How will you respond?