The state of cybersecurity

Peter Thomas
TNK2
8 min read · Sep 8, 2021


We know that cyberattacks are on the rise. Cybercrime is up 600%. We go behind the numbers to look at trends and patterns — and the rise of cybercrime-as-a-service.

By TNK2 co-founders Alix Kwak, Jay Jeong and Elston DSouza and Upling co-founder Peter Thomas.

It’s in the news every day: cybercrime is on the rise.

Whether it’s phishing emails, scam calls or fake SMS messages, you — or someone you know — has experienced some or all of these. Some of those people — and hopefully not you — have fallen for them.

The problem is so concerning that the World Economic Forum’s The Global Risks Report 2021 lists cyberattacks in the top three key threats in the next ten years — along with weapons of mass destruction and climate change. The cost of dealing with cybersecurity attacks is expected to reach $6 trillion this year — twice that of 2015.

But why is this — especially since we are investing over $1 trillion in cybersecurity services and products?

Let’s look behind the numbers.

One of the answers to this question, of course, is the pandemic.

COVID-19 has brought about drastic changes in our lifestyle. We are more digital, more online, more of the time. Digital communication replaces face-to-face conversation; work from home replaces work from the office; remote learning replaces classroom learning. The pace of work has changed, and we are now under more pressure than ever before to produce. We now spend more time looking at screens than looking at anything else.

Cyber security incidents, by type: ACSC Annual Cyber Threat Report July 2019 — June 2020.

The Australian Cyber Security Centre reported that the most common cyber security incident was malicious emails — phishing and spear-phishing.

During 2019–2020, there was a 45% increase in the economic loss due to phishing. When you spend hours every day writing and responding to emails, it’s easy to mistake a fake email for a real one, or a dangerous link for a legitimate one. Misclicks are frequent.

Phishing is no longer limited to email; it also happens via SMS and phone calls. Smishing is phishing carried out over SMS, as the examples below show.

Scammers impersonating a delivery company, using a real Australian number.
A genuine message from a delivery company.

Almost everyone has seen an uptick in the number of unknown callers — or calls from other countries — on their mobiles. Now it’s domestic calls, too: attackers are using legitimate numbers, often from well-known companies or trusted services like banks, parcel delivery companies or large grocery stores.

This is possible through a technique called spoofing.

Spoofing lets a malicious caller change the caller ID shown to the recipient, using VoIP, a type of internet-based phone call. In Australia, for example, you might see a call from an apparently legitimate number in the format 04xx-xxx-xxx, which makes you think this is possibly a real call.

And then you answer it, and the phishing starts.

But one of the unacknowledged reasons behind the rising number of cyberattacks is that it’s easier to become a hacker.

Cybercrime is not necessarily sophisticated, and hackers are not only those with a huge amount of technical knowledge. The passport to becoming a bad actor these days isn’t a PhD in computer science.

We now live in a world of cybercrime-as-a-service (or CaaS) — an organised business model selling hacking tools and services.

Spoofing, smishing, and phishing are now ridiculously easy to do, cost little, and the chances of getting caught are almost non-existent. Law enforcement agencies are stretched to their limits dealing with cases where the cyberattack is of national importance, the losses are huge, or the threat disrupts essential services.

The would-be hacker can buy or rent tools, products and services that enable them to phish, smish and spoof — all provided by vendors who, like any legitimate corporation or criminal enterprise, are very well organised and take a cut of the proceeds.

IBM lays out the cybercriminal ecosystem.

This graphic from IBM shows some of the ways the ecosystem is organised — from licensing malware, buying hosting and subscribing to spambots that send bulk emails, to recruiting money mules to launder the proceeds.

As IBM say:

Cybercrime is no longer a one-man operation. Within the cybercrime underground an attacker can find a wealth of tools and services that can be bought or rented to facilitate different aspects of the attack lifecycle.

Just as Microsoft enables any small business to run services like email, calendars and storage, the successful cybercriminal can rent cybercrime solutions to those who don’t have the resources or know-how to design, write and execute cyberattacks themselves.

So we have CaaS that collects victims’ email addresses and contact details, provides cloud hosting, offers support and tutorials, sells ransomware and provides prebuilt phishing-ready web pages.

One of the implications of this is that because many of those who choose to embark on a life of cybercrime aren’t experts, they are more likely to target those who aren’t experts either and who don’t have the knowledge and skills to defend themselves. That usually means the average consumer or the cash-starved, time-poor, small business.

While targeting individuals and small businesses might not make much money per transaction, there are lots of them to target — and anyway, it didn’t cost much to get started, thanks to the help of the cybercriminal ecosystem.

Losses due to scams in Australia: ACCC Targeting scams 2019 — A review of activity since 2009

In 2019, Australians lost $634 million to scams, with an average loss of $7,224; only 20% of those losses were recovered.

Doing some simple maths, you can see that if, for example, it costs a cybercriminal 25¢ per text message, you could send about 29,000 messages (= $7,224 / 25¢) and break even with a single victim. You only need to successfully victimise one more person to be in profit. Two in 29,000 is an achievable target.

Europol, the European Union’s law enforcement agency, in its Internet Organised Crime Threat Assessment (IOCTA) report says:

There has been an observable shift from what used to be a business for threat actors, now being more of an enterprise. Where specialist skills are needed criminals are able to hire developers or consultants to fill this need. This highlights increased professionalisation in the cybercrime threat landscape.

As we have said in previous stories, the key skill of malicious actors is human, not technological.

Many, if not most, cyberattacks are not technically sophisticated. Human vulnerabilities cause almost 40% of cybersecurity incidents. This applies especially to malware: 94% of malware is delivered by email.

As is obvious, organisations are made up of people.

Whether you’re a one-person small business or a corporate enterprise, it’s the individuals who are the vulnerable part of the picture.

The industry sector most vulnerable to cyberattacks is health, followed by finance and education. What unites all of these sectors is time — there isn’t enough of it, especially now, to improve cybersecurity practices — and people are busy, distracted and, occasionally, careless.

As the former FBI Director Robert S. Mueller III said: “There are only two types of companies — those that have been hacked and those that will be hacked.”

That’s why here at TNK2, we are focusing on the human factors of cybersecurity — those things that make us vulnerable in the face of a troubling and growing phenomenon like the rise of cybercrime-as-a-service.

We know that everyone uses different digital products and services and has a different level of technical sophistication. We all have different personality traits and different social and cultural heritages. One of our solutions, our Behavioural Assessment Engine — which you can read about here — takes into account all of those factors and more to help identify vulnerabilities and build more resilient knowledge and behaviours. To learn more, visit us at

https://tnk2.com.au

Come back to the TNK2 publication to read more stories.

Photo by Iuliyan Metodiev from Pexels

All too human

An overview of why the difficult challenges of cybersecurity are human, not technological. Peter Thomas, co-founder of Upling, writing with TNK2 co-founders Elston DSouza, Alix Kwak and Principal Researcher Jay Jeong.

Photo by Andrea Piacquadio from Pexels

Class is not dismissed

We take a look at the education sector and particularly K12 schools. In the light of several recent high-profile security breaches, we look at why schools are so vulnerable and what we might do to change that. By Peter Thomas for TNK2.

Photo by Soumil Kumar from Pexels

Your money or your data: inside ransomware

Expensive, disruptive, and possibly disastrous. We look inside the disturbing and rapidly-growing ransomware phenomenon. By Alix Kwak for TNK2.

Photo by Ketut Subiyanto from Pexels

To err is human

We look at the science of errors, how it relates to cybersecurity and how unintentional actions make us less secure — from downloading a malware-infected attachment to failing to use a strong password. By Jay Jeong for TNK2.

And coming soon:

Photo by energepic.com from Pexels

Why small business is big business for cybercriminals

A cybersecurity incident that impacts a small business can be devastating. Why are small businesses vulnerable? We look at some of the reasons — and what we might do about them. By Alix Kwak for TNK2.

You can learn more about our work by visiting tnk2.com.au and read more about our approach to the human factors of cybersecurity.

Peter Thomas, Editor for TNK2. Inaugural director of FORWARD at RMIT University | Strategic advisor, QV Systems | Global Education Strategist, Conversation Design Institute | CEO, THEORICA.