Why is it that cybercriminals are so successful at stealing data, infiltrating corporate networks and otherwise penetrating corporate defenses? I recently read a white paper from Osterman Research, "Addressing the Top 10 Security Issues Organizations Face", and it lists a number of reasons:

• Criminals are smart and capable

One important reason for the success of cybercrime is that criminal organizations are normally quite well funded; they are usually financed by organized crime.  They have the technical resources needed to create new and ever more capable attack methods,and they collaborate with one another to share new techniques and processes.

• Criminals make lots of money from their efforts

The most lucrative cybercriminals can make up to $2 million annually, and even entry-level hackers can generate an annual income of $42,000or more. Cybercriminals can generate individual earnings that are up to 15percent greater than traditional crimes. The laundered funds from cybercriminal activity are estimated at up to $200 billion per year. Money is always a key motivator for virtually any activity and cybercrime is no exception.

• Organizations make mistakes

Another reason for cybercriminal success is that many organizations aren't exercising proper due diligence in addressing the problems of phishing, spearphishing, CEO fraud/BEC, ransomware and other threats. Many organizations don't backup their data adequately and cannot recover quickly or fully from a ransomware attack. Many do not provide good security awareness training to help users more easily recognize phishing attempts. Many don't have good internal control processes that enable the recipient of a CEO Fraud/BEC attempt to verify the communication via text or mobile phone. Many don't have adequate detection for threats like phishing or spearphishing. Many don't have adequate data loss prevention capabilities that can detect when sensitive or confidential information is being sent unencrypted, through unapproved channels, or in anomalous ways. Also, many have not adequately addressed the "Shadow IT"problem which stops  them from preventing some problems before they occur.

• Users make mistakes

Many users will use the same password for multiple systems, they don't change passwords on a regular basis, and they use simple passwords that are easy for brute force attacks to "guess". Some users will employ non-secure systems, such as their personal webmail account or non-IT-approved mobile apps,to send sensitive or confidential work data. Some users will click on phishing links without first determining the identity of the sender or the actual destination of the links contained in the message. Some users visit web sites that have a high probability of containing malware which will infect their systems.

• Vendors make mistakes

It is, for the most part, a foregone conclusion that software ships with vulnerabilities, some more serious than others.  Vulnerabilities that can expose data or otherwise enable infiltration by cybercriminals are commonplace.  The NIST National Vulnerability Database found and analyzed 1,521 new common vulnerabilities and exposures during just November 2018 alone.  Some organizations will fail to patch their software in a timely manner, as Equifax failed to do,contributing to a breach of 143 million records.  Sometimes vendors will also fail to fix known vulnerabilities; several years ago, Microsoft failed to fix a known vulnerability in Internet Explorer 8 for at least seven months after it was discovered and, as of December 2018, a bug in Firefox appears not to have been addressed since it was first reported more than 11 years earlier.

• There are more points of vulnerability

The growth of the Internet of Things (IoT) is generating orders of magnitude more entry points which cybercriminals can exploit for activities like phishing, malware distribution and distributed denial-of-service (DDoS) attacks. Gartner estimates that the2020 installed base for IoT will reach 20.4 billion units, 7.6 billion of which will be found business settings.

• Use of cryptocurrency

The availability of cryptocurrency has enabled some types of cybercrime (ransomware, for example) to flourish.  Cybercriminals that demand cryptocurrencies as payment are very difficult to trace, so, funds from ransoms can be"laundered" with relative ease. While threats like ransomware almost always use cryptocurrencies as payment, not all cybercriminals use it: as of December 2018, a Chinese ransomware strain that has impacted at least 100,000 endpoints manages ransom payments via the WeChat payment service.

• Cybercrime isn't just for professionals

Finally, just about anyone can become a cybercriminal with only a minimal knowledge of the mechanics involved. While malware kits have been available for more than 25 years, today's ransomware-as-a-service kits are available on the dark web for as little as $175 and allow "hobbyist" cybercriminals to generate sophisticated attacks. Some of these kits are quite sophisticated and offer robust feature sets.


With many security infrastructures today, user issues are arguably the biggest vulnerability of them all,  users with no or inadequate training on how to deal with issues like phishing, spearphishing, social media, web surfing and the like. Various Osterman Research surveys over the past couple of years have found that most corporate users simply do not receive proper training on security issues.  A recent survey found that three percent of users are never trained on these issues, 30 percent receive training only once per year, and another 21 percent are trained only twice per year. It shows that more than one-half of users receive minimal or no training on how to deal with the variety of security threats they encounter on a regular basis.  

What this translates into is a relatively low level of confidence in users' abilities to deal with things like phishing and targeted email attacks, as shown in this figure:

Confidence That Various Groups are Well-Trained to Recognize Phishing and Targeted Email Attacks
Percentage Responding "Very Good" or "Excellent" Level of Confidence

Source: Osterman Research, Inc.

It's important to note that the marginal effectiveness of current security awareness training- such as it is- should not be interpreted as a criticism of the concept of training itself, but rather the way that many organizations implement it.  Osterman Research found that many organizations use informal training processes that don't include phish testing to determine the effectiveness of the training regimen. In the absence of adequate training, many users will not have the necessary skepticism for the various threats they encounter, particularly if these threats are delivered through social media channels, malvertising or text messages that users implicitly assume to be more trustworthy (or at least less suspect) than corporate email or the web.

The end result of insufficient training is that IT and security staff develop a lack confidence in their users' ability to recognize incoming threats or in their organizations' ability to stop phishing and related attacks. That said, even comprehensive security awareness training will not stop all attacks- some highly sophisticated attacks will use legitimate-looking web sites and evasive techniques that can trick even highly trained security staffers. Good security awareness training is essential, but it MUST be part of a robust security infrastructure and that infrastructure MUST be regularly evaluated and improved.