Money from crude data

May 27, 2020
Organizations should look to put in place a layered defensive strategy to keep it secure

I have two questions for the first people who discovered crude oil. First, what were you looking for when you went digging into the ground and hit oil? Secondly, what was your initial reaction? I say this because I cannot imagine anyone jumping for joy, high fiving each other upon finding this ugly smelly black liquid that was a nightmare to get out of their clothes.

Fast forward to today and crude oil is perhaps the most valuable and fought over resource there is. I mean literally, wars have been fought over the black sludge, because it powers just about everything on the planet.

Stating that data is the new oil is by no way revolutionary or insightful. Ever since entering the digital age, we’ve known that there is value to data, but what is that value actually? While a few organizations have tapped into the potential value of data, I still don’t believe they are truly there. And consumers, whose data makes up the bargaining chips are woefully ill-informed about the value of their data. Or willingly turn a blind eye due to the convenience offered.

Instead, I believe that cybercriminals and digital miscreants are pushing the boundaries in terms of understanding the value of data.

Cybercrime Motivations and Tactics

Many hackers are curious beings. They want to know how things work, poke and prod, trying to find vulnerabilities. This sometimes causes problems, when they gain access to intellectual property or take over systems. But much of this can be put down to mischief, and traditionally speaking, it was more about gaining notoriety, making a few free long-distance phone calls, or being able to ride public transport for free.

But today's cybercriminals should be viewed as for-profit organizations. While they may still seek out notoriety, or juvenile disruption, most of the criminal activities boil down to making money - and this is where things get complicated and worrisome.

Banks and financial institutions are comparatively well-funded and well-secured. Also, directly attacking a financial institution draws a lot of heat. So, while they are the most direct way of gaining money, many attacks are focused on tricking users into sending criminals money through social engineering techniques.

Ransomware has proven to be the golden ticket for many criminals. Encrypting all the files held by a company and demanding a hefty payment to release the files. But this isn’t where criminals have stopped; they’ve evolved to taking copies of all data before encrypting the files. Allowing them to demand ransom for unlocking files, and secondly, demanding a separate ransom to not release the data they copied.

In fact, this was taken one step further when criminals gained access to a cosmetic surgery clinic. Not only did they take copies of data before encrypting them. But they reached out to patients of the clinic demanding a ransom from each individual or release their potentially embarrassing cosmetic surgery information to the public.

Understand Data to Defend It

Increasing defenses in one area doesn’t mean that the criminals will go away. Rather, they will find another way around it. A few years ago, some website owners received threatening emails demanding payment, or a DDoS attack would be launched against their website rendering it unreachable by customers.

As DDoS protection has improved over the years, we’ve seen the tactic change. Now criminals are emailing website owners demanding a ransom or they will direct bots to click on ads served by their websites, thus blacklisting them from AdSense programs and crippling their income stream.

Even a high-level glance at the trends can teach us a few things. One, that there is some value to all kinds of data. Just because it isn’t immediately obvious, it doesn’t mean that it won’t be exploited by some criminal for financial gain. This could be stealing and selling the data, trying to extort organizations for the data, or using the data to get money from an organization's customers.

The other observation is that patched and secured systems are hard to break into directly. So nearly all criminal attacks in some part look to exploit the human, be that through phishing, or by sending extortion demands via email.

Organizations should look to put in place a layered defensive strategy to keep it secure. Security awareness and training should form the cornerstone of this defensive strategy so that all users can spot the telltale signs of an attack and know how to escalate any suspected attacks to the IT department. Because, while we may not fully appreciate or understand the value of data, it would be foolish for any organization to underestimate the value of it and not take the necessary steps needed to secure it.

About the Author:

Javvad Malik is Security Awareness Advocate for KnowBe4. He can be found on LinkedIn at, and on Twitter, @J4vv4D