Cybercrime is big business that is increasing in frequency, intensity, and sophistication, targeting both businesses and individuals. As the official economy continues to struggle, its dark cyber-underbelly has become one of the world’s largest and fastest growing forms of economic activity. As Marc Goodman, an information security expert and author of Future Crimes: Everything is Connected, Everyone is Vulnerable and What We Can Do About It (Bantam Press, 2015), observes, cybercriminals “steal identities, drain online bank accounts, and wipe out computer servers, but that’s just the beginning”, further noting that “to date, no computer has been created that could not be hacked.”

Cybercriminals have created vast international networks and infrastructures of front companies and fake identities with the main purpose of penetrating business and individual information systems to steal corporate, client, financial, personal, and intellectual property data.

Cybercrime – including information breaches, corporate espionage, financial fraud, and identity theft – affects all kinds of businesses, from multinational conglomerates to local family-owned shops, and individuals from every sphere of life. According to Ronald J. Deibert, a political scientist and author of Black Code (McClelland & Stewart, 2013), “Every new piece of software, social networking site, cloud computing system, or web-hosting service represents an opportunity for the predatory cybercriminal to subvert and exploit.”

Economists estimate that cybercrime steals between $300 billion and $1 trillion from businesses worldwide each year. According to Keith Alexander, the former director of the United States National Security Agency and commander of US Cyber Command, the loss of corporate information, intellectual property, and money through cybercrime constitutes the “greatest transfer of wealth in history”. Most security and information analysts contend that it is no longer a matter of whether a company or individual will be targeted by cybercriminals, but when and how it or they will be targeted. In the US, the FBI now ranks combating cybercrime as one of its top law enforcement priorities.

Cybercriminals engage in corporate espionage and theft on a grand scale, installing malware, spyware, and viruses into corporate computer networks and other information and communication technologies to monitor, sabotage, and steal all kinds of sensitive data including intellectual property, trade secrets, confidential contracts, legal documents, private correspondence, financial transactions, operational and systems procedures, managerial decisions, personnel records, and so on.

The so-called Carbanak cyber gang is one of the most notorious examples of cybercriminals. Named after the malware they deploy, these cybercriminals have targeted more than 100 banks and financial institutions worldwide, representing one of the largest bank thefts in history. Up to $1 billion has been stolen over the past two years and it is believed these cyber attacks are still ongoing. According to Chris Doggett of Kaspersky Lab, an information security firm, “This is likely the most sophisticated attack the world has seen to date in terms of the tactics and methods that cybercriminals have used to remain covert.”

This unprecedented cyber-robbery, however, began like many others: the cybercriminals sent employees infected e-mails that, when opened, clandestinely downloaded malicious code allowing the hackers to infiltrate and monitor their networks. They focussed particularly on employees who administered cash transfer systems and ATMs. They also installed a remote access tool in each network to secretly capture video, screenshots, keyboard strikes and other information from the employees’ computers, allowing them to not only record every digital move but also discover and mimic how the companies conducted both special and daily routines.

The cybercriminals then impersonated bank officials, mimicking their internal activities, to ensure their crimes would appear like normal transactions. When prepared to execute their crimes – each of which took between two and four months – they turned on various cash machines in multiple locations, where an associate would be waiting, to automatically dispense money, transferred funds from the banks into dummy accounts, and manipulated account balances.

Other recent cybercrime examples include cyber attacks against Anthem, one of the main health insurers in the US, this past February, in which 80 million records of personal information of tens of thousands of its customers, employees, and its chief executive, were compromised. The information included names, social security numbers, birthdays, addresses, e-mails, and employment information including income data.

In the autumn of 2014, office supply retailer Staples disclosed that hackers broke into its computer network and compromised information of over one million credit cards. Meanwhile, Home Depot, a major North American construction and home improvement retailer, revealed that around 56 million payment cards were compromised in a cyber attack affecting stores in the US and Canada and estimated the breach’s cost at $62 million.

Throughout the summer of 2014, JPMorgan Chase’s computer networks were infiltrated by cybercriminals siphoning off sensitive information including checking and savings account details. The bank reported that 83 million accounts, of both businesses and individuals, were compromised. During this same period, Community Health Systems, an American national hospital operator, revealed that the personal data of nearly five million patients, including names, dates of birth, and social security numbers, had been stolen in a cyber attack earlier in the year. In the spring of 2014, the arts and crafts retailer Michaels Stores estimated that personal information from three million customers’ payment cards was stolen or otherwise exposed.

During Christmas 2013, Target, a prominent American low-end department store, disclosed that hackers stole credit and debit card numbers and personal information from more than 40 million of its customers. The breach, one of the largest ever reported at the time, originated from malware installed on the company’s networks siphoning customer information during the important holiday shopping period. Target’s profit for that quarter fell by nearly half.

Cybercriminals also pose a threat to individuals. Cybercrime already affects more than 431 million people. More than one million victims are affected every single day, translating into 14 victims every second of every day. Cybercriminals mainly target individuals’ personal information, including credit card numbers, financial account data, social security numbers, passport details, usernames, and passwords. Combinations of names, birthdates, addresses, social security numbers, and other personally identifiable data are especially hot commodities, selling for more than simple credit card numbers.

The diverse kinds, novel combinations, and growing amounts of business and personal information compromised by cybercriminals are used in an increasingly sophisticated online black market where it is bought, sold, and resold through online auction websites. According to Trend Micro, an internet security firm, some of the illicit products and services that are sold online include hiring a distributed denial of service attack for $30-70 a day; selling an individual’s complete medical history for $40-50; hacking social media accounts for $130 each; breaking into e-mail accounts for $162 each; scanning legitimate passports for $5; and offering credit card numbers for $5 each.

This online black market also traffics in criminal tools and techniques for further cybercriminal activities. For instance, malicious software packages called “zero days” – because Internet security firms are unaware of or have no known protections against them – can be readily purchased with helpful how-to manuals on how to implement and exploit them. There are botnet herders – individuals who control tens of thousands of compromised computers – who market their services for various ends. Their botnets can be rented cheaply for negotiated periods, from hours to weeks, and the herders also offer all-day technical support to help clients ensure their criminality is supported and successful. There are also specialised programs providing interfaces and instructions to create your own phishing websites, simulating legitimate banking, shopping, and social media interfaces, that are designed to steal credit card numbers, e-mail addresses, and passwords from unsuspecting victims.

But many businesses and individuals are ignorant of their victimisation. Although according to Gartner, the information technology research firm, companies are now spending upwards of $100 billion on cybersecurity and defence, most remain incapable of detecting when cybercriminals have breached their information systems. According to Trustwave Holdings, an information security company, the average time from the initial breach until discovery is typically 210 days. Cybercriminals, in other words, typically have over six months to creep around unnoticed and unfettered in a network, monitoring corporate activities, stealing intellectual property and trade secrets, breaching financial systems, siphoning away money, and compromising personal information. Security expert Marc Goodman states that the proverbial “barbarians are no longer just at the gate: they are in your laptop, network operations centre, in your lunchroom, and wandering your virtual corridors, unnoticed for months at a time”.

Yet although cybercrime is becoming more sophisticated and difficult to detect, there are some steps that businesses and individuals can take in order to help better protect themselves against it. For businesses, one of the first steps to be instituted is the creation of a single department or entity to deal with cybercrime. Many companies tend to segment security responsibilities into separate silos, resulting in poor preparedness because of a lack of clear and coordinated communications and information sharing.

Second, companies should no longer only concentrate on defensive cyber-capabilities but instead go on the offense. For instance, they should purposely hunt for possible cybercriminals in their midst by searching their own systems on a regular basis.

Third, companies should test assumptions by designing and implementing internal cyber attacks involving internal or external consultants purposely hacking the company in order to discover, identify, and address possible digital vulnerabilities.

Fourth, companies must adopt strict encryption procedures for their internal databases and all sensitive information. Encryption helps ensure information is only accessible by the company by using large prime numbers to scramble it so that only those authorised entities with the secret key to unscramble it can do so.

Fifth, companies must develop a comprehensive cyber-disaster response and recovery plan that includes all areas and aspects of the company in order to be prepared before a cyber attack, not during or after the proceedings.

Finally, companies should publicly disclose their breaches in order to inform clients, customers, and law enforcement. Anthem, the health insurer, was applauded by security analysts for informing the FBI and the public about its breach. The FBI encourages companies to promptly report breaches and share information about them with allies and competitors alike. This public disclosure would warn others and promote information sharing between companies, governments, and law enforcement in order to trace cybercriminals, provide guidance on how to bolster cyber defences, and both anticipate and respond to future cyber attacks.

For individuals, the best place to start protecting themselves from cybercrime is their passwords. The more complicated and different from one another passwords are – a practice sometimes referred to as clean password hygiene – the more difficult they are to crack.

First, do not use common words or phrases, or personally identifiable details, as a password. Instead, lots of random characters – letters, numbers, symbols – provide the best protection. Second, do not reuse passwords. Although it may be convenient to have the same password for different websites and services, it is better to create separate passwords for each online activity. Third, prioritise accounts: that is, use the most complicated password for the most sensitive information.

Fourth, use two-factor authentication when and where possible. It provides a second layer of security after the password by generating a random number to be inputted after the password. Fifth, use a password manager to help create new random passwords for various accounts. These managers then save them all for you: just ensure that you have a strong password to protect all the manager’s saved passwords.

Finally, share your passwords cautiously: whenever possible, avoid using any of your actual passwords for certain services. Instead, use disposable e-mail addresses and passwords, offered by services like 10minutemail.com, that allow one to create and use temporary accounts that self-destruct after ten minutes.

Cybercrime is growing in size, scope, and sophistication, targeting companies and individuals alike. It is unlikely that any organisation or person will be left unaffected by its menace. But Ronald J. Deibert, the political scientist, poses another disturbing question lurking in the background: “What happens when the world of cybercrime becomes militarised?”

Marc Kosciejew is a lecturer at the University of Malta’s Faculty of Media and Knowledge Sciences.
