Well, at least cybercrime does. In fact, it turns out that it pays well. Bromium published a report in 2018 in which it asserted: “High-earning cyber criminals can make $166,000+ per month; Middle-earners can make $75,000+ per month; Low-earners can make $3,500+ per month.” That is serious money for the high and middle earners. For a side gig, tax-free, the low earners aren’t doing too bad either. 

The beauty of this type of illegal endeavor is that it is not as risky as one might think. Some of the top earners are simply providing the platform or the tools for what is known as CaaS (Cybercrime-as-a-Service). Cybercrime is following the same trend as IT, where everything is moving to X-as-a-Service. The dark web has lots to offer would-be criminals without the skills to create their own exploits.

Don’t get me wrong, I’m not suggesting anyone pursue this as a career choice. I am, in fact, fascinated by how these markets work. Take the Target breach of 2013, for instance. Around the time of the breach disclosure, the price for stolen cards was at an unusual high. The months that followed saw a sharp asset depreciation for the criminals who were trying to sell stolen cards, because the cards were being canceled. There also seem to be some supply-and-demand issues at play. Prices will fluctuate wildly when there is a glut of stolen records available. Markets will adjust, they always do. Supply, demand, and price are invariably linked. The dark web is no exception!

Let’s talk about risk. It is quite possible that you have someone on your security team who moonlights as a black hat. It could be for the money or prestige, or just for the fun of it. Or, maybe your company IP is walking out the door. There is little risk and high reward for someone who is willing to sell out their company. The insider threat is real and substantial, but the problem is not insurmountable. When I think back to my time in the service, we had controls to prevent an inside threat from compromising classified data. The mindset I have from those days translates directly into best practices I use daily.

Here’s something that I find puzzling. I hear repeatedly that regulation is the only way to effect change in how companies treat security and privacy. This may be true today, but considering the cybercrime economy is set to generate over $1 trillion in revenue this year, I’m hopeful that companies will start to implement meaningful security rather than checking a box for compliance’s sake. Let’s hope that the markets adjust in a way that forward-thinking companies see security and privacy as a competitive edge. That would benefit the company, the economy, and you and me as consumers.