This article is part of the Handling Secrets series. In this first part, Valuing Secrets, we describe how to rate the likelihood of theft for common types of secrets. In the second, Protecting Secrets, we describe the easiest ways to prevent their theft.
After money, the most popular thing on the internet to steal is information that can be turned into money.
You have some.
Some information is worth millions, and some sells for less than a cup of coffee. Some is easy to turn into cash and some requires connections, teams, and plenty of coordination.
There is a thriving economy and supply chain for stolen secrets. Just like any industry, there are suppliers and vendors and brokers and marketplaces. Some run solo, some operate as small practices, and some operate with employees in the hundreds. Money enters through scams, extortion, and regular businesses who want dirt on the competition. Even governments often get in on the deal: many regularly acquire high-value proprietary trade secrets to benefit local industry or intelligence agencies. Some authoritarian regimes even run criminal operations to fund the government operating budget.
Just like in drug trafficking, these players often need enormous markups on their services because of the risk and effort to avoid law enforcement. Most of the larger groups exist in countries with a weak rule of law: with so many people involved, it is difficult to keep the illegal nature of their operation a secret. To maintain a profitable business, they must keep the risk of extradition low, and that often means bribes are a substantial cost of doing business. They must also compensate employees extra for the risk they take on.
Crime can be an expensive and unpredictable business.
A true economy
These markets are full of specialists. The skills to steal information are different than the skills to monetize it, which are different than the skills to run a secret brokerage that connects those people together while resisting law enforcement.
Consider the call center that phones elderly people with dementia, impersonating grandchildren stuck in a Mexican prison needing bail money. They need a steady supply of names and phone numbers. They will pay extra for a list of verified elders with a high likelihood of falling for the scam, and even more for supporting details like the personal information of the grandchild they impersonate. These details increase the chances of a successful scam, which improves their profitability per employee, and overall operational margin. This organization has no need for other secrets: they excel at fooling vulnerable adults into sending them money.
A different operation may consist of three people who file fraudulent US tax returns. They need a big supply of W-2s in January so they can submit returns before legitimate filers. They will happily pay top dollar for accounts of CPAs: the IRS notices and blocks fraudulent returns based on submitter volume, so the group can sneak through more returns if they can impersonate legitimate CPAs with an established history of legitimate filing. They also need access to a network of money mules, so the illicit refunds do not end up in the same single bank account and trigger an investigation by that bank or the FBI.
Third, consider a group of talented and experienced computer experts that excels at breaking into advanced systems. They are contracted by large companies and governments to steal specific secrets such as proprietary schematics, code, or intelligence on agent activities or military plans. They need stolen passwords for employees and contractors of their target, undisclosed vulnerabilities in the software their targets run, and software that can efficiently exploit those vulnerabilities and maintain persistent access until the contracted secrets are found and safely extracted.
What about me?
Most businesses do not deal in secrets worth millions on the black market— hundreds is more typical.
It is not worth any competent criminal’s time to go after those secrets manually. Instead, they harvest them with a dragnet: indeterminately bombard everyone with viruses or spam, then use a computer to automatically check and categorize what they caught. Most of it will be junk, but sometimes they will find secrets they can sell. They batch those up by category and sell them on marketplaces to criminal operators who specialize in extracting money from them.
These dragnet criminals only spend what they need on the sophistication and strength of their attacking tools. If people keep clicking and getting infected, why should they spend extra for fancier tech?
If you operate a business that only has commodity secrets, your strategy should not be to stop the talented, bespoke group of hackers—they will never go after you. You only need to avoid being an easy mark. Simple Salt is focused on solving this problem: most businesses can avoid internet crime through simple changes in the way they work.
What if I have secrets worth millions?
You should still avoid being an easy mark! Why would anyone commission an A-team if you can be taken to the cleaners for pennies? After you get the fundamentals right, work on intermediate and advanced protection. Simple Salt helps you plan and deliver the protection that is right for you.
How valuable are my secrets?
In this first part of our Handling Secrets series, Valuing Secrets, we describe how risky different types of secrets are to your business. In each article in the series, we will identify a category of secret and describe how to assess its risk. There are three factors that contribute:
How much does it sell for?
Commodity secrets like credit cards or personal contact information are sold in bulk for market rates. Unique secrets depend on the business landscape and may require more judgement to estimate. In each case, the market rate is usually per secret: if you have 3,000 credit cards numbers, the street value would be 3,000 times the commodity rate.
How many buyers are there?
Secrets with many potential buyers are worth more because it takes little effort for the thief to sell it. Secrets valuable only to one or two organizations may end up worthless if those groups decide to take the high road and decline their offer.
How much damage will you suffer?
Often, the impact to you and your business is substantially more than thieves gain by stealing your secrets. This can include time and money to recover, regulatory penalties, lawsuits, revocation of professional certifications, and reputational damage. We include typical costs for commodity data, but for unique secrets, damage will vary substantially depending on its importance to your strategy and operations.
Next Steps
Understanding how stolen secrets can damage your business is the first step in appropriately preventing serious damage from their theft. Valuing Secrets identifies the major types of valuable secrets someone may try to steal and helps explain how worried you should be about each.
Don’t have time to figure it out? Just give us a ring.