The Impact of Cybersecurity
Discover how cybersecurity impacts our everyday lives, whether we can see it or not. Learn about cybersecurity costs and risks for individuals, companies, and governments.
Imagine it’s your birthday and your friends have taken you out for dinner to a nice restaurant.
When your meal arrives, the presentation is so beautiful that you just have to take a picture of it and post it on Insta. Out comes your phone; after a few tries you get a photo you like; you upload the photo, and you dither over the filter a little before arriving at the right effect; and boom, your envy-worthy birthday dinner is on the internet for all your followers to drool over.
Now let’s take a step back and see where cybersecurity was involved in that scenario. If you’re like most people, you had to use a passcode to unlock your phone before you could use it; if you’re more of a tech geek, maybe you used fingerprint recognition or facial identification instead. After you took the photo, you used either a cellphone signal or a Wi-Fi connection to upload it to Instagram. If you used a cell signal, your connection was probably pretty secure; if you used public Wi-Fi, your connection may have been completely unsecured and open to eavesdroppers. Uploading the photo to Instagram required you to already have an account controlled by a unique username and password, and to already be logged in. In addition, you’ve already authorized the upload relationship between Insta and your phone’s operating system so photo uploads can take place easily and securely. Once you post the photo to your feed, you’ve already set the privacy settings on your Instagram account to determine exactly which categories of Insta users can see your post.
You can go on and enjoy your meal now, but that doesn’t mean you’re done with cybersecurity for the evening. When the check arrives (which surely your friends will pick up—it’s your birthday, after all), somebody’s credit card will be scanned to pay for the meal. This will involve a secure transmission of credit-card data from the restaurant’s point-of-sale system to the card issuer, where a fraud-detection algorithm will analyze the transaction characteristics—merchant, location, type of purchase and purchase amount, among other things—before authorizing the transaction, all by the time you finish your dessert.
In short, every aspect of modern life bears the thumbprint of cybersecurity. Most of us usually don’t even notice it anymore, but that doesn’t mean cybersecurity has no impact on us; quite the reverse, in fact.
Costs of Cybersecurity Efforts
Worldwide spending on cybersecurity is predicted to exceed $124 billion in 2019. view citation That figure only accounts for direct expenditures on such items as antivirus programs, identity access management systems and network security equipment. When you take into account the time we all spend on cybersecurity, the total is much higher. And when you add in the costs of cybersecurity failures—data breaches, identity theft, ransomware and state-sponsored cyberterrorism—it becomes apparent that cybersecurity has a tremendous impact, directly and indirectly, regardless of whether it fails or succeeds.
Individual costs include all the little adjustments we’ve made to living in a data-protected world: setting up user accounts, remembering our usernames, managing our passwords, making sure we’re protected against viruses, fretting about the security of public Wi-Fi. It may not seem like much, but all these little dribs and drabs of time and effort add up to a significant “opportunity cost,” as an economist might put it. That is, instead of whatever else you might be doing with that time and effort, you’re debating whether to turn on location services for Facebook so you can check in at a designated location, or you’re trying to remember the password you chose for that account you set up for that new app you downloaded the other day.
Of course, individuals also pay a literal financial cost for cybersecurity measures. This can take the form of cash outlay for antivirus software and router firewalls, or we can pay higher prices for products and services that cost more because their stronger security measures cause the companies that provide them to have higher overhead, which they pass along to us at the cash register.
Then there are the indirect costs suffered by victims of identity theft. You likely won’t be held liable for any of the purchases the thief made with accounts they created by using your identity, but your credit report might well be devastated. It can take years of diligent effort to undo the damage and return your profile to its pre-theft status, during which time you can forget about opening a new line of credit, buying a car or refinancing your mortgage.
Individuals can also pay an indirect cost in decreased privacy. This can be caused by the data breaches that seem to be a fact of life these days, but as we have seen, privacy can also be decreased by the increasingly intrusive security meant to fend off those breaches. Some people seem unconcerned that companies know so much about us, but strong defenders of civil liberties would say that protecting your privacy is necessary to protect your autonomy—and that your autonomy is too high a price to pay for the convenience of checking in at a location on Facebook more easily.
Business costs of cybersecurity dominate the headlines because the impacts can be huge. After Target’s epic data breach, the company paid $18.5 million to settle dozens of lawsuits. That only sounded big until Equifax got hacked, when the Federal Trade Commission slapped the credit-reporting firm with a $700 million fine. Not to be outdone, Facebook’s punishment for negligently allowing Cambridge Analytica to access account users’ information weighed in at $5 billion.
We also need to take into account the direct losses to companies that are themselves the victims of cybersecurity failures. For instance, the money lost due to fraudulent credit or debit card transactions totaled $6.4 billion in 2018, view citation a cost that was borne almost entirely by the financial institutions issuing the cards.
To protect against those breaches, fines and losses, U.S. businesses are shelling out big bucks on their cybersecurity efforts, to the tune of $66 billion in 2018. view citation Those costs cover hardware, software and the most important component of effective cybersecurity: recruiting, hiring and retaining skilled cybersecurity professionals. The most advanced hardware and the most cunningly designed software are worthless without experts who know which products and services to procure and how to use them to ensure maximum protection for the enterprise.
Government costs of cybersecurity include the costs of prevention and enforcement activities intended to protect the United States, whether by passing laws, developing policies and regulations, or creating and maintaining special agencies such as the Cybersecurity Infrastructure and Security Agency.
There’s also the money governments have to spend to protect themselves from cybercrime, espionage and terrorism. For the U.S. federal government, that figure will amount to $17.4 billion view citation in fiscal year 2020. States and local governments are making the same kinds of expenditures and experiencing the same kinds of impacts.
Speaking of impact on local government, the 2019 ransomware attack on the city of Baltimore crashed the city’s IT systems and prevented city staff and agencies from performing basic operational tasks. The city estimates the cost of the attack to be at least $18.2 million. view citation
Unfortunately, Baltimore isn’t the only U.S. city that has fallen victim to ransomware. A few months prior, hackers used the same [tooltip text="A piece of malicious software created solely to disrupt or damage a network, computer, server or other device."]malware — a piece of ransomware called RobbinHood — to attack the IT systems of the city government of Greenville, North Carolina, and in 2018 hackers used a different ransomware package to attack Atlanta. In none of these cases did the cities pay the ransoms their attackers demanded, but that probably isn’t much consolation, given the hefty price tag for the recovery efforts. For instance, Atlanta’s attackers asked for a bitcoin ransom worth approximately $50,000, but the city spent at least $6.2 million view citation to bring all its systems back online.
Cybersecurity Risks of Everyday Life
The presence of the word “security” embedded within cybersecurity implies that there might be some kind of “cyber-risk” that cybersecurity is supposed to protect us from. And that’s true. Black-hat hackers are the No. 1 cybersecurity risk, in all their various manifestations: identity thieves, credit-card fraudsters, embezzlers, blackmailers, spies and terrorists.
But as the history of high-profile data breaches demonstrates, hackers aren’t the only risk, because the risk didn’t necessarily begin with them. When you contemplate the prodigious volume of important information in the possession of a Target or an Equifax or a Facebook, you start to wonder: Is it a good idea for all these companies to have all this data on us? Maybe the massive stockpiling of data is where the risk originates, rather than in the criminal intent of the hacker. Still, it’s hard to imagine getting through the day without interacting with at least one organization that knows far more about you than you realize.
Companies like Facebook and Equifax are actually just the tip of the personal-data iceberg. If you want to see someone who really knows a lot about you, take a look at Google. In a 2018 report, Douglas Schmidt, a professor of computer science at Vanderbilt University, made a detailed study of just how much and what kind of data Google collects on computer users.
Google has the world’s leading web browser, the top mobile platform and the No. 1 search engine. The company uses all those assets to collect unbelievably large amounts of data on its users, which it then uses to precisely customize the advertising products it sells. And make no mistake: Advertising—based on user data—is Google’s primary stock in trade, accounting for 86% of the company’s revenue. view citation
It’s important to understand that Google collects data both through active use, such as when someone uses Gmail or Google Search, and through passive means, which involves Google’s Android mobile operating system or Chrome web browser gathering user information whenever the system is up and running. For example, Schmidt found that an Android device with a Chrome browser sent location data to Google 340 times in a 24-hour period, constituting 35% of all the data that device sent to Google during that time.
In response to individual and governmental concerns about private companies having unprecedented access to so much data on us, companies are taking steps to be more responsible custodians of our data and to give us more control over what they know about us. In 2019 Google released a suite of new privacy tools that allow users to set a schedule for Google to automatically delete their activity history for Google searches, voice requests to Google Assistant, searches in Google’s Play store, destinations searched for in Maps, and YouTube searches and views. The tool allows you set autodeletion to take place after either three months or 18 months.
“Gartner Forecasts Worldwide Information Security Spending to Exceed $124 Billion in 2019.” Gartner. August 2018. View Source
“Identity Theft and Credit Card Fraud Statistics for 2019.” The Ascent by The Motley Fool. November 2019. View Source
“Spending on cybersecurity in the United States from 2010 to 2018.” Statista. August 2019. View Source
“Proposed budget of the U.S. government for cyber security in FY 2017 to 2020.” Statista. May 2019. View Source
“Baltimore city government computer network hit by ransomware attack.” The Baltimore Sun. May 2019. View Source
“Atlanta Spent $2.6M to Recover From a $52,000 Ransomware Scare.” Wired. April 2018. View Source
“Google Data Collection Is More Extensive and Intrusive Than You Ever Imagined.” CPO Magazine. November 2018. View Source