In the early 1970s, a former air force radar technician living in California discovered that the promotional whistle included in boxes of Cap’n Crunch cereal generated a tone that he could use to make long distance phone calls for free. So he did.
His name was John Draper, and his whistle exploits are often credited as the first case of cybercrime. His actions brought to light a very real need for a new kind of vigilance in technological commerce, and as it turns out, an entirely new industry.
Cybersecurity is estimated to be a $200 billion a year business, and its impact is universal – touching the private and public sectors as well as individual consumers. Even the $200 billion estimate could be low, as tracking spending has become almost as hard as curtailing cybercrime itself.
According to Cybersecurity Ventures, it is estimated that losses due to cybercrime outpace spending to protect against it by a factor of 6. That would mean a staggering $1.2 trillion is lost every year.
In an age when data can be currency, both figuratively and literally, organizations thoroughly protect themselves from cybercrime as a necessary part of doing business – just like they would hire an armoured car service in the past, right?
Unfortunately, that’s not always the case. The ubiquitous nature of today’s sprawling electronic highway makes identifying the lines of responsibility blurry at best and impossible at worst. Many CEOs and business owners choose measured approaches – balancing risk with cost and efficiency. With high profile cyber-attacks on the Pentagon and routine warnings about the susceptibility of transit systems and the electric grid, often the perception in the private sector is that responsibility for cybersecurity falls disproportionally to the public sector.
Forbes reported in its March 2018 article, “Cybersecurity By The Numbers: Market Estimates, Forecasts and Surveys,” that only 36 per cent of senior IT professionals say their leadership sees cybersecurity as a strategic priority, while 68 per cent of cybersecurity professionals say their CEO demands that DevOps and security teams abstain from anything that slows business down.
Those statistics – and the fact that in most countries government collaborates with private businesses through contract work, making cybersecurity tantamount to national security – have many fearing the worst.
- Computer and Network Intrusion
According to the United States Federal Bureau of Investigation, billions of dollars are lost every year repairing the damage from attacks that take down or disrupt systems. Data breaches have become a daily occurrence and even the largest organisations are not immune. The personal information compromised by these attacks can affect hundreds of millions, as in the recent cases of Equifax, Adult Friend Finder and eBay.
- Ransomware
The attacker uses a form of malware to encrypt files and then demands a ransom to release them. Ransomware largely accounts for the epidemic levels of recent cybercrime. Europol (The European Union Agency for Law Enforcement Cooperation) emphasised the seriousness of the threat in their annual report for 2017 and pointed to attacks such as ‘WannaCry’ that affected millions of computers.
Unsurprisingly, the FBI has a pretty good idea who is behind the cybercrime. From the FBI’s official government website:
“It runs the gamut – from computer geeks looking for bragging rights…to businesses trying to gain the upper hand in the marketplace by hacking competitor websites, from rings of criminals wanting to steal your personal information and sell it on black markets…to spies and terrorists looking to rob our nation of vital information or launch cyber strikes.”
One factor contributing to the escalation and expansion in online crime is the growing sophistication of the cybercrime community. Criminal groups are working together like never before, carving out their own sub-niches in the cybercrime marketplace, and offering sophisticated illegal services for profit.
The New Players
A sizable chunk of the estimated $200 billion a year spent on cybersecurity is going to someone, but the “who” has very recently changed in a big way. Once practically a cottage industry of anti-malware, virus and firewall companies on national or even regional levels, the new players in cybersecurity are heavyweights poised to elevate the industry far beyond cottage status.
Amazon, Apple, Cisco, Dell, Facebook, Google, IBM, Intel, and Microsoft, to name a few, are either enthusiastically entering the cybersecurity industry or actively attempting to grow their stake in it. The interest of these goliaths confirms what experts have been trumpeting: cybersecurity is currently the fastest growing tech sector.
In 2018, there’s a very good reason.
The EU Takes Aim
On May 25, 2018, the General Data Protection Regulation (GDPR) went into effect across the European Union, and the implications for the private sector are immense.
The GDPR is a legal framework that sets guidelines for the collection and processing of personal information of individuals within the European Union. The GDPR sets out the principles for data management and the rights of the individual, while also imposing fines that can be revenue-based. It covers all companies that deal with data of EU citizens.
The GDPR is considered a critical regulation for corporate compliance officers at banks, insurers, and other financial companies, but it doesn’t stop there.
“It’s a huge concern that could affect all global business,” said Jeff Knechtel, Senior Director of Product Management at Exchange Solutions Inc., a North American based company that innovates data-driven customer engagement programs.
“Big companies and little companies both have to comply if they want to do business in the EU, and the fines can be potentially enormous.”
However, it’s not just the possibility of fines or the costs associated with a cybersecurity strategy that has powerful implications in the private sector – there is a fundamental shift in the way companies do business and develop products.
“10 years ago, security was an afterthought. You would build the best product you could, then plug any vulnerabilities afterwards. But now you have to bake security and privacy in from the beginning – it’s a concern right from day one.”
The shift goes beyond product development, extending to staffing strategies where organisations are placing a priority on those who qualify as a Certified Information Systems Security Professional (CISSP).
No longer is it enough to merely keep a data breach out of the papers – the new regulations and fines have made compliance imperative. It’s part of the cost of doing business now. In this environment, smaller companies that choose not to comply, and that lack the benefit of a PR department and powerhouse legal team, could find themselves shuttered after a single data breach.
As Jeff Knechtel succinctly put it, “In today’s cyber marketplace, trust is everything.”
Is It Enough?
What of those 64 per cent in senior leadership who still don’t see cybersecurity as a priority? It may merely be a matter of duelling philosophies that time and necessity will eventually sort out. In contrast with many in the EU, the United States has always leaned in the direction of libertarianism, opting for cooperation in place of “regulation” and relying on state and civil remedies. Also, depending on the nature of their commerce, many American businesses may not fall under the purview of the GDPR.
There is still a real push to implement complementary legislation to the GDPR in the United States, and it may end up being consumers who demand it, but until the private sector worldwide uniformly embraces cybersecurity, they might want to be careful what they put in their cereal boxes.