The Impact of Cybersecurity Add to reading list

Costs of Cybersecurity Efforts

Worldwide spending on cybersecurity is predicted to exceed $124 billion in 2019. view citation[1] That figure only accounts for direct expenditures on such items as antivirus programs, identity access management systems and network security equipment. When you take into account the time we all spend on cybersecurity, the total is much higher. And when you add in the costs of cybersecurity failures—data breaches, identity theft, ransomware and state-sponsored cyberterrorism—it becomes apparent that cybersecurity has a tremendous impact, directly and indirectly, regardless of whether it fails or succeeds.

Individual Costs

Individual costs include all the little adjustments we’ve made to living in a data-protected world: setting up user accounts, remembering our usernames, managing our passwords, making sure we’re protected against viruses, fretting about the security of public Wi-Fi. It may not seem like much, but all these little dribs and drabs of time and effort add up to a significant “opportunity cost,” as an economist might put it. That is, instead of whatever else you might be doing with that time and effort, you’re debating whether to turn on location services for Facebook so you can check in at a designated location, or you’re trying to remember the password you chose for that account you set up for that new app you downloaded the other day.

Of course, individuals also pay a literal financial cost for cybersecurity measures. This can take the form of cash outlay for antivirus software and router firewalls, or we can pay higher prices for products and services that cost more because their stronger security measures cause the companies that provide them to have higher overhead, which they pass along to us at the cash register.

Then there are the indirect costs suffered by victims of identity theft. You likely won’t be held liable for any of the purchases the thief made with accounts they created by using your identity, but your credit report might well be devastated. It can take years of diligent effort to undo the damage and return your profile to its pre-theft status, during which time you can forget about opening a new line of credit, buying a car or refinancing your mortgage.

Individuals can also pay an indirect cost in decreased privacy. This can be caused by the data breaches that seem to be a fact of life these days, but as we have seen, privacy can also be decreased by the increasingly intrusive security meant to fend off those breaches. Some people seem unconcerned that companies know so much about us, but strong defenders of civil liberties would say that protecting your privacy is necessary to protect your autonomy—and that your autonomy is too high a price to pay for the convenience of checking in at a location on Facebook more easily.

Business Costs

Business costs of cybersecurity dominate the headlines because the impacts can be huge. After Target’s epic data breach, the company paid $18.5 million to settle dozens of lawsuits. That only sounded big until Equifax got hacked, when the Federal Trade Commission slapped the credit-reporting firm with a $700 million fine. Not to be outdone, Facebook’s punishment for negligently allowing Cambridge Analytica to access account users’ information weighed in at $5 billion.

We also need to take into account the direct losses to companies that are themselves the victims of cybersecurity failures. For instance, the money lost due to fraudulent credit or debit card transactions totaled $6.4 billion in 2018, view citation[2] a cost that was borne almost entirely by the financial institutions issuing the cards.

To protect against those breaches, fines and losses, U.S. businesses are shelling out big bucks on their cybersecurity efforts, to the tune of $66 billion in 2018. view citation[3] Those costs cover hardware, software and the most important component of effective cybersecurity: recruiting, hiring and retaining skilled cybersecurity professionals. The most advanced hardware and the most cunningly designed software are worthless without experts who know which products and services to procure and how to use them to ensure maximum protection for the enterprise.

Government Costs

Government costs of cybersecurity include the costs of prevention and enforcement activities intended to protect the United States, whether by passing laws, developing policies and regulations, or creating and maintaining special agencies such as the Cybersecurity Infrastructure and Security Agency.

There’s also the money governments have to spend to protect themselves from cybercrime, espionage and terrorism. For the U.S. federal government, that figure will amount to $17.4 billion view citation[4] in fiscal year 2020. States and local governments are making the same kinds of expenditures and experiencing the same kinds of impacts.

Speaking of impact on local government, the 2019 ransomware attack on the city of Baltimore crashed the city’s IT systems and prevented city staff and agencies from performing basic operational tasks. The city estimates the cost of the attack to be at least $18.2 million. view citation[5]

Unfortunately, Baltimore isn’t the only U.S. city that has fallen victim to ransomware. A few months prior, hackers used the same [tooltip text="A piece of malicious software created solely to disrupt or damage a network, computer, server or other device."]malware — a piece of ransomware called RobbinHood — to attack the IT systems of the city government of Greenville, North Carolina, and in 2018 hackers used a different ransomware package to attack Atlanta. In none of these cases did the cities pay the ransoms their attackers demanded, but that probably isn’t much consolation, given the hefty price tag for the recovery efforts. For instance, Atlanta’s attackers asked for a bitcoin ransom worth approximately $50,000, but the city spent at least $6.2 million view citation[6] to bring all its systems back online.

Cybersecurity Risks of Everyday Life

The presence of the word “security” embedded within cybersecurity implies that there might be some kind of “cyber-risk” that cybersecurity is supposed to protect us from. And that’s true. Black-hat hackers are the No. 1 cybersecurity risk, in all their various manifestations: identity thieves, credit-card fraudsters, embezzlers, blackmailers, spies and terrorists.

But as the history of high-profile data breaches demonstrates, hackers aren’t the only risk, because the risk didn’t necessarily begin with them. When you contemplate the prodigious volume of important information in the possession of a Target or an Equifax or a Facebook, you start to wonder: Is it a good idea for all these companies to have all this data on us? Maybe the massive stockpiling of data is where the risk originates, rather than in the criminal intent of the hacker. Still, it’s hard to imagine getting through the day without interacting with at least one organization that knows far more about you than you realize.

Companies like Facebook and Equifax are actually just the tip of the personal-data iceberg. If you want to see someone who really knows a lot about you, take a look at Google. In a 2018 report, Douglas Schmidt, a professor of computer science at Vanderbilt University, made a detailed study of just how much and what kind of data Google collects on computer users.

Google has the world’s leading web browser, the top mobile platform and the No. 1 search engine. The company uses all those assets to collect unbelievably large amounts of data on its users, which it then uses to precisely customize the advertising products it sells. And make no mistake: Advertising—based on user data—is Google’s primary stock in trade, accounting for 86% of the company’s revenue. view citation[7]

It’s important to understand that Google collects data both through active use, such as when someone uses Gmail or Google Search, and through passive means, which involves Google’s Android mobile operating system or Chrome web browser gathering user information whenever the system is up and running. For example, Schmidt found that an Android device with a Chrome browser sent location data to Google 340 times in a 24-hour period, constituting 35% of all the data that device sent to Google during that time.

In response to individual and governmental concerns about private companies having unprecedented access to so much data on us, companies are taking steps to be more responsible custodians of our data and to give us more control over what they know about us. In 2019 Google released a suite of new privacy tools that allow users to set a schedule for Google to automatically delete their activity history for Google searches, voice requests to Google Assistant, searches in Google’s Play store, destinations searched for in Maps, and YouTube searches and views. The tool allows you set autodeletion to take place after either three months or 18 months.