CEO Insider

Escalation of Cybercrime-As-A-Service Has Major Ramifications

Stu Sjouwerman, SACP CEO at KnowBe4 (KNBE)

As technology evolves, so does cybercrime. Most people do not realize that today’s cybercriminals use the same technologies, business models, and service offerings as ordinary, non-criminal enterprises. Much as the software-as-a-service (SaaS) model lets customers use software in exchange for a monthly or recurring fee, the market for cybercrime-as-a-service (CaaS) is expanding rapidly. Attackers can rent sophisticated criminal tooling and platforms (e.g., phishing-as-a-service, ransomware-as-a-service) on a subscription basis.

Cybercrime-As-A-Service Commoditizes Cybercrime

The days when attackers needed superior technical knowledge to devise cyber-attacks are long gone. Aspiring cybercriminals can now rent phishing templates, hosting for scam websites, credential-theft tools, and phishing delivery mechanisms for as little as $50. For both sides of the criminal market this is a win-win: service providers and established criminal organizations can scale their operations through these affiliates without spending time studying vulnerable targets, and they run less risk of being caught because they are not executing the attacks themselves. Inexperienced criminals, in turn, can pull off a professional phishing or ransomware attack without building infrastructure or acquiring the skills needed to run a campaign.

How Did This Evolution Come About?

At some point, cybercriminals probably ran into a problem that many traditional businesses run into: scalability. They had a few smart people, but they were burning cash and resources coding malware, maintaining infrastructure, designing phishing emails, laundering money, evading law enforcement, and doing everything else that goes into running an illegal operation. Cloud platforms had already shown that a service-based model works, and someone in the criminal community had a eureka moment: offer a phishing service or a ransomware service in exchange for a monthly fee. The idea led to a widely popular cybercrime-as-a-service market, where like-minded criminals partner with organized syndicates and use their service or platform in exchange for a fee or a share of the profits. Some of these ransomware gangs have matured into complex entities that increasingly adopt the same standard business practices as the organizations they target.

Escalation of Cybercrime Has Major Ramifications

It is no secret that the cybercrime economy is already hugely profitable. The proliferation of cybercrime-as-a-service opens the floodgates to further criminal activity. Amateurs no longer need vast resources or infrastructure to execute an attack; all they need is to rent tools on the dark web and run a phishing or ransomware campaign, or even conduct the kind of sustained intrusion once associated only with well-resourced groups. Earlier, the high cost of cybercrime (specialist tools and knowledge) meant that only high-value targets were likely victims. Today, the escalation of cybercrime means that even small businesses and individuals are targeted. This may well explain why phishing attacks nearly tripled in 2021 compared to 2020, while ransomware attacks nearly doubled.

The Answer to Cybercrime: Defense-In-Depth

Cybercrime-as-a-service threats will most likely intensify, and there will never be a silver bullet that makes cybersecurity fool-proof. Businesses must therefore invest in a defense-in-depth approach built on three things: technical controls; security awareness training combined with phishing simulations; and policies and procedures.

Technical controls mean having the right tools in place: multi-factor authentication; disabling Remote Desktop Protocol (RDP) wherever it is not needed and putting any remaining remote access behind a VPN; next-generation firewalls; endpoint detection and response; backups that are tested regularly and kept offline or otherwise out of an attacker's reach; anti-phishing education; data loss prevention; and extensive security monitoring (analyzing logs, conducting spot checks, and scanning for vulnerabilities).
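Two of the controls listed above, locking down RDP and analyzing logs, meet in one very common detection: password guessing against an exposed RDP service, followed by the first successful logon from the same source. The script below is an added example written for this article (it is not KnowBe4 code) and runs over a constructed, chronologically ordered export of Windows Security events. It assumes a simple comma-separated export with the fields timestamp, event ID, logon type, source IP and account; Event ID 4625 is a failed logon, 4624 a successful one, and logon type 10 is RemoteInteractive (RDP). The threshold of five failures in five minutes is an illustrative choice, not a standard.

```python
"""Flag RDP password guessing, and any success that follows it, from
Windows Security event records.

Added example for this article, not KnowBe4 code. The input format
(timestamp,event_id,logon_type,source_ip,account) is an assumption about
how the events were exported; the sample records below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625      # Windows Security: an account failed to log on
SUCCESS_LOGON = 4624     # Windows Security: an account was successfully logged on
RDP_LOGON_TYPE = 10      # RemoteInteractive, i.e. Terminal Services / RDP

# Constructed sample export, in chronological order. 203.0.113.7 sprays
# six accounts in ten seconds and then gets in as "helpdesk"; 198.51.100.4
# is a user who mistypes twice; 203.0.113.9 fails over SMB (logon type 3),
# which this check deliberately ignores; 10.0.0.5 is a normal RDP logon.
SAMPLE_EVENTS = [
    "2022-03-01T02:00:01,4625,10,203.0.113.7,administrator",
    "2022-03-01T02:00:03,4625,10,203.0.113.7,admin",
    "2022-03-01T02:00:05,4625,10,203.0.113.7,jsmith",
    "2022-03-01T02:00:07,4625,10,203.0.113.7,backup",
    "2022-03-01T02:00:09,4625,10,203.0.113.7,sql",
    "2022-03-01T02:00:11,4625,10,203.0.113.7,helpdesk",
    "2022-03-01T02:00:14,4624,10,203.0.113.7,helpdesk",
    "2022-03-01T02:01:00,4625,10,198.51.100.4,jsmith",
    "2022-03-01T02:01:30,4625,10,198.51.100.4,jsmith",
    "2022-03-01T02:02:00,4624,10,198.51.100.4,jsmith",
    "2022-03-01T02:03:00,4625,3,203.0.113.9,administrator",
    "2022-03-01T02:03:01,4625,3,203.0.113.9,administrator",
    "2022-03-01T02:10:00,4624,10,10.0.0.5,jdoe",
]


def parse_event(line):
    """Split one exported record into (timestamp, event_id, logon_type, ip, account)."""
    ts, event_id, logon_type, ip, account = line.strip().split(",")
    return datetime.fromisoformat(ts), int(event_id), int(logon_type), ip, account


def analyze_rdp_logons(lines, threshold=5, window=timedelta(minutes=5)):
    """Single chronological pass over exported Security events.

    Returns (brute_force, compromised):
      brute_force : {source_ip: peak number of failed RDP logons seen inside
                     one sliding window of length `window`}
      compromised : [(source_ip, account, timestamp)] for every successful
                    RDP logon from an IP already flagged for brute force
    """
    failures = defaultdict(deque)   # per-IP timestamps of recent failures
    brute_force = {}
    compromised = []
    for line in lines:
        ts, event_id, logon_type, ip, account = parse_event(line)
        if logon_type != RDP_LOGON_TYPE:
            continue                 # only RDP sessions matter here
        if event_id == FAILED_LOGON:
            recent = failures[ip]
            recent.append(ts)
            while ts - recent[0] > window:   # drop failures outside the window
                recent.popleft()
            if len(recent) >= threshold:
                brute_force[ip] = max(brute_force.get(ip, 0), len(recent))
        elif event_id == SUCCESS_LOGON and ip in brute_force:
            # A success from a source that was just guessing is the alert
            # that should wake someone up, not merely be logged.
            compromised.append((ip, account, ts))
    return brute_force, compromised


if __name__ == "__main__":
    flagged, breaches = analyze_rdp_logons(SAMPLE_EVENTS)
    for ip, count in flagged.items():
        print(f"brute force: {ip} had {count} failed RDP logons in one window")
    for ip, account, ts in breaches:
        print(f"LIKELY COMPROMISE: {ip} logged on as {account} at {ts.isoformat()}")
```

The point of the second list is that a burst of failures is only noise until it is followed by a success; that pairing is what turns a log into an incident. The same pass, with the threshold lowered to two, also flags the user who mistyped a password twice, which is why the threshold and window should be tuned against your own environment's normal failure rate rather than copied from an example.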

Since all humans are vulnerable and 85% of breaches involve human error, it is important that users trust nothing at face value. Businesses must teach people to recognize a phishing scam, report suspicious activity, practice password hygiene, and understand the impact that their actions can have on the organization. Finally, all businesses must have a living document that is updated regularly with security best practices, key contacts, and security procedures in case a security incident occurs. The idea is to be prepared for any kind of eventuality.

Unfortunately, no one is immune from cyber-attacks. If you are affected, contact law enforcement immediately; in the United States that means your local FBI field office or the Internet Crime Complaint Center (IC3). Consider obtaining cyber insurance before an incident rather than after. Detailed advice on responding to ransomware can also be found on the CISA website.



Stu Sjouwerman
Stu Sjouwerman is founder and CEO of KnowBe4, [NASDAQ: KNBE] developer of security awareness training and simulated phishing platforms, with over 41,000 customers and more than 25 million users. KnowBe4 also offers a KCM GRC platform that provides ready-made templates for quick compliance evaluations and reporting. Centralized policy distribution and tracking helps users remain compliant, as does flagging risky users. Sjouwerman was previously co-founder of Sunbelt Software, the anti-malware software company acquired in 2010. He is the author of four books, his latest being “Cyberheist: The Biggest Financial Threat Facing American Businesses.”


Stu Sjouwerman is an opinion columnist for the CEOWORLD magazine. You can follow him on Twitter and LinkedIn.