Ransomware has followed the same pattern as virtually all types of crime, whether physical or cyber. So long as there is high reward with little risk of consequence, and highly specialized skills are not required, the crime rate will continue to increase.
Yet while businesses are urged to improve their security posture and face hefty fines for non-compliance with cybersecurity regulations, we’re missing a fundamental truth – even the best defense strategies alone will not end all cybercrime.
Since 100% protection is not achievable, the onus to protect cannot rest fully on the victims. What we need is a fundamental shift in how we approach cybercrime – one that treats it as the serious criminal activity it is, rather than continuing to blame those who fall victim to it.
The Crime Equation Remains Unchanged
Crime is crime, whether it occurs in the physical world or cyberspace. Every single year, cybercrime has increased, and it will continue to do so until we address the fundamental drivers. Understanding why crime happens is crucial – opportunity, motive and the perception that one can get away with it.
In general, the best way to fight crime is to make it more difficult to succeed and to attach significant consequences to it. Consider how we protect physical assets: The Bank of England vault is nearly impenetrable because it houses our most valuable gold reserves.
Local banks have extensive security systems and alarm protocols. Even petrol stations have cameras and basic security measures. The level of protection corresponds to the value of what’s being protected and, crucially, there are real consequences for those who attempt theft – life imprisonment for the most serious offences.
In cyberspace, however, everything is accessible from everywhere. Unlike The Bank of England vault, where we can bury gold in an impenetrable fortress, most business data must be available to a myriad of stakeholders, such as employees, customers, consultants and third-party providers, on a 24/7 basis. This creates an inherent vulnerability that makes perfect protection impossible.
The Shift to Ransomware and Anonymous Payment
The cybercrime landscape has undergone a significant transformation. Many years ago, most cybercrime focused on stealing financial data – credit card numbers, banking details, identity theft.
Whilst this still occurs, there’s been a dramatic shift towards ransomware, and this is because it’s far easier to encrypt and demand payment than to spend time finding buyers for credit card numbers.
This shift has been fuelled by cryptocurrency. For the first time in history, criminals can be paid in anonymous currency, anywhere in the world, at any time, and convert it into pounds, euros or dollars.
Previously, criminals had to physically collect payments or transfer money to traceable bank accounts. Now, they can operate with anonymity whilst easily converting their ill-gotten gains into real money.
If criminals couldn’t convert cryptocurrency into real currency, it would drop to almost nothing or remain merely a barter system. The ability to monetize these attacks anonymously has fundamentally changed the risk-reward calculation for cybercriminals and eliminated one of law enforcement’s most powerful tools – “follow the money”.
The Jurisdictional Challenge
The second major factor enabling cybercrime is jurisdiction. Many cybercriminals operate from countries where western governments have no recourse. If a ransomware actor were based in Ireland and attacked a US company, authorities would issue an extradition request, and Ireland would likely comply.
However, when these criminals operate from non-cooperative jurisdictions, they find their activities tolerated or even tacitly supported.
These two factors – anonymous payment systems and safe havens – represent elements of the cybercrime equation that individual businesses simply cannot address on their own. Companies can only try to make it harder for criminals to access their systems, but this approach has inherent limitations.
Treating Cybercrime Like Real Crime
This is why we urgently need real discussions about fighting cybercrime as a society.
The first critical step is treating cybercrime like regular crime, particularly its financial aspects. Currently, we’re effectively blaming victims for being robbed and hoping we can regulate every business to become an impenetrable fortress.
When someone is physically robbed, police respond to help recover stolen property and investigate the crime. With cybercrime, victims face blame, fines, reputational damage and higher insurance premiums. Every incident results in questions about what the victim didn’t do, rather than recognition that a crime has been committed against them.
This victim-blaming approach must change. Despite the massive threat, we continue to place the burden entirely on those affected rather than treating cybercriminals as the criminals they are.
A Potential Path Forward
Solving the cybercrime problem requires a comprehensive public-private partnership with three key components:
- First, stop blaming victims. We need governmental and societal recognition that cyber-attacks represent crimes against businesses and individuals, not solely failures of those organizations to protect themselves adequately. Many western nations have expanded policing efforts against cybercrime, but they are generally massively underfunded given the scale of the challenges.
- Second, address the anonymous payment system. This is not an easy problem to solve as governments have become addicted to new sources of tax revenue. Governments must find ways to trace and regulate how cryptocurrency converts into real money. Until we can follow the money, criminals will continue operating with impunity.
- Third, introduce real consequences. The number one deterrent to crime is the fear of being caught and punished. With 24/7 access from anywhere, the internet has eliminated this deterrent, allowing criminals to act with impunity from countries that simply do not care. We need extraditions, criminal charges and serious consequences for cybercriminals. This will require political pressure on countries harboring these people, potentially including restrictions on internet connectivity for non-cooperative nations. Whilst drastic, such measures could force governments to reconsider their tolerance for cybercriminal activities.
The Limits of Regulation
From the General Data Protection Regulation (GDPR) to the Health Insurance Portability and Accountability Act (HIPAA), a variety of cyber-focused regulations are now enforced. But have these actually helped to reduce breaches?
The latest of these regulations was introduced in 2018, yet cybercrime has continued to tick up in the seven years since: In 2023, 3285 cyber incidents were reported by the Information Commissioner’s Office (ICO), a 52% increase from 2022. In 2024, 50% of UK businesses reported experiencing cyber-attacks, up from 39% in 2022.
Compliance regulations alone won’t solve the fundamental problem – they may achieve modest improvements and are generally used as a tool to make society feel as though ‘something is being done.’
That doesn’t mean compliance requirements aren’t a critical part of the solution. The key is to couple them with properly funded cyber law enforcement that is empowered with the tools required to bring criminals to justice across jurisdictions.
Cybercrime has become a serious tax on businesses and consumers worldwide, and its impact needs to be addressed. Take seatbelts, for example. We’re legally required to wear a seatbelt when in a car, yet the real improvements in road safety came when governments simultaneously improved roads and police stepped up enforcement against speeding, in conjunction with seatbelts.
We cannot solve problems with defensive measures alone. True progress requires acknowledging that cybercrime is crime, treating victims as victims rather than failures and implementing systemic changes to disrupt the criminal ecosystem.