With huge hacks and massive breaches making regular headlines over the past couple of years, cybersecurity has become a critical issue. Hacks not only cause financial and personal harm, but can also result in important national security problems.
With cybersecurity events more frequently making mainstream news, why does it seem that few people outside of the information technology sector are concerned?
Cybersecurity seems complicated and technical
For many individuals, cybersecurity seems like an overly complicated and highly complex issue that is best left to those with degrees in computer science.
This is partially true. Cybersecurity is an ever-evolving field, making safety a moving target. Experts and researchers are continually kept on their toes by similarly educated opponents who leverage their experience and technical knowledge to poke holes in networks and probe for weaknesses that can be exploited for financial or political gain.
However, basic, easy-to-implement security principles still go a long way when it comes to individual protection.
The world has always been populated by intelligent, savvy criminals who carefully plan and execute their crimes in nefarious ways. The vast majority of bad guys, however, are opportunists who are quick to move on to softer targets when faced with something as simple as a locked door.
In much the same way that engaging the deadbolt on your front door dissuades burglars in search of an easy score, hackers tend to look elsewhere when an obstacle is encountered.
Some of the largest hacks in recent history could have been avoided had simple, foundational cybersecurity protocols been followed. Whether it’s poorly protected passwords, an easily accessible data center or a forgotten VPN, many people are surprised to learn that the bedrock of proper cyber safety requires little more than a few clicks and no in-depth computing know-how.
Naturally, the comparison between cybersecurity and a locked apartment can only go so far. Unlike physical theft that typically only affects an individual, cybersecurity lapses can lead to hundreds or thousands of victims if a criminal gains access to a database or network.
Because of this, cybersecurity is a group effort that is enhanced when everyone establishes a baseline security strategy.
Major organizations lack a financial incentive to bolster their cybersecurity
The cybersecurity headline cycle repeats itself regularly:
- An organization is hacked, resulting in potentially thousands of people’s private information being accessed, stolen or sold.
- The organization makes a PR statement regarding the alleged “sophistication” of the attack, claiming victimhood by implying that there was simply no way to defend against a targeted plot devised by calculated cyber experts.
- Complicated and “boring,” the hack recedes from mainstream news headlines before it can be revealed that it took place not at the hands of a legion of expert hackers, but due to a lack of adherence to the most basic cybersecurity principles involving password strength, outdated software, etc.
- The organization either suffers no consequences for its negligence, or can simply afford any incurred legal fees and move on unscathed.
At the expense of implying cynicism, the world’s billion-dollar corporations and organizations can afford to weather cyberattacks that jeopardize the privacy and finances of their customers. With no aggressive regulations in place that hold them deeply accountable for preventable security lapses, any expenses paid out as a result of a breach are merely the cost of doing business in today’s environment.
Until government regulations are passed that financially incentivize proactive cybersecurity by imposing devastating fines on organizations that fail to meet basic requirements, there is little reason for big business to allocate significant funds to breach protection. Currently, it is easier for companies to address cybersecurity events after the fact as opposed to making an effort to get in front of them.
Because the biggest corporate entities can skate through cybersecurity incidents without serious or long-lasting repercussions, it further downplays their importance. Dodged consequences only perpetuate the idea among the general public that cybersecurity is not only so complex that even the richest companies in the world can’t maintain it, but also not a big enough deal to stay newsworthy or result in punishment for those who are careless about it.
In fact, it can often be a challenge to even find mention of a company’s response after a hack has faded from the headlines.
In spite of this, those that are acutely aware of the critical nature of cybersecurity aren’t shy about their views on how those who handle customer data poorly should be punished. A 2020 survey indicated that 23% of those asked feel that the CEO of a company that neglected its security responsibilities should serve prison time. Until this line of thinking reaches the mainstream, we can likely expect most corporations to continue to protect their brand over the privacy of their customers.
A lack of technical understanding among elected officials
While it is fair to say that we often expect too much of our elected officials, modern times require an understanding of our current technology and the public concerns therein.
Anyone who has witnessed the line of questioning faced by Silicon Valley CEOs when forced to speak before Congress will agree that elected officials often have difficulty grappling with even familiar technological concepts involving everything from social media to smartphones.
While we can speculate that this may be the result of the average age of our leadership (58 in Congress, 64 in the Senate), issues with the public educational system or one more result of the general population’s lack of interest in cybersecurity, the end result is clear: scientific illiteracy is a major obstacle amongst those in positions of leadership when it comes to dissecting security concerns.
Until the public is wary enough about cybersecurity to make it an issue that demands dialog and influences election results, it is unlikely that many of those in positions of power will make it a focus of their campaigns or policy. As a result, meaningful regulations regarding cybersecurity will continue to be absent from the majority of political discourse.
A lack of emotional, visceral effects
Unlike crimes like bank robberies or acts of violence, cybercrime has yet to have an emotional impact on the public.
Gruesome photos accompanying news articles about acts of terrorism have a visceral effect on the viewer. We feel for those who are suffering and long for guilty parties to be held accountable. We can sympathize with those who have been the victim of material theft, empathizing with the injustice inflicted when something is physically stolen.
Cybercrime, however, is largely invisible. The theft of thousands of people’s financial data does not lend itself to gut-wrenching illustrations, and the idea of selling information on the dark web is an abstract concept that most people understand as if it were science fiction.
Even those personally roped into large-scale data breaches rarely feel an immediate impact. Some organizations offer affected customers complimentary credit and identity monitoring services after an event takes place, but even that offer is sometimes ignored by people who feel that issues related to cyberspace simply don’t bleed into the real world.
As attacks become more brazen, however, this may change.
An attack on a municipal water supply, for example, could lead to poisoning and death. State-sponsored hacks that result in power outages or internet service disruption would likely inspire people to demand better action.
Just this last year, supply chain attacks have led to disruptions in food shipments and fuel delivery. These hacks illustrate the effect that cybercrime can have on day-to-day life, and have inspired more chatter in government about how to protect the public from cybercrime.
Public exhaustion and media prioritization
In spite of the aforementioned recent supply chain attacks and their effects, a population already exhausted from a turbulent political atmosphere and burdened with years of pandemic fatigue often seems too overextended and disorganized to give cybersecurity its full attention.
Due to security and personal stresses inherent to the COVID-19 pandemic’s effect on the world’s population, as well as advances in connected devices and the sheer number of people interacting with them, cybercrime has expanded at an unprecedented rate and yet still flown under the radar when it comes to most people’s biggest current concerns.
It is no coincidence that our increasing access to information has resulted in more bad actors looking to capitalize on those who are unaware of the dangers lurking online. An internet awash with conspiracy theories, misinformation and polarization has provided people with a staggering number of issues to either fight for or against. It has also created chaos and exhaustion, allowing cybercriminals to operate consistently with the knowledge that the general public may not have the energy for yet another crusade.
Additionally, modern media has built an environment in which issues are prioritized when they result in polarization. News articles and social media posts that generate engagement in the form of public commentary and argument, both for and against the subject covered, rise to the top and influence the tone and direction of today’s discourse.
Cybersecurity is one topic that could easily generate bipartisan support and public agreement on its importance. However, the very characteristics that should make it a relatively painless discussion also result in it not gaining traction socially or politically.
Unfortunately, issues that appeal to general notions regarding safety, security and wellbeing have difficulty being heard above the noise generated by a revolving door of attention-grabbing controversies from celebrities, politicians and media outlets alike as they battle for the spotlight.
Cybersecurity moving forward
Thankfully, cybersecurity awareness as a whole is increasing. Both on the national, political stage and at home, people are beginning to think more clearly about how to protect themselves, their finances and their data from hackers.
However, it remains to be seen to what degree our appreciation of cybersecurity is able to outpace a public that is either uninterested in privacy or considers data breaches to be an inevitability in a world that traffics increasingly in pure data.
Especially as major tech companies move towards embracing AR and VR within the metaverse, we can only assume that connectivity among us will increase and therefore create more opportunities for data theft as the very concept of “privacy” itself becomes antiquated.
In the meantime, the following basic cybersecurity steps can be followed to ensure that your home network and devices are fundamentally protected:
- Practice password hygiene. Use a password generator to create hard-to-guess passwords, and don’t use the same password across multiple accounts.
- Train your staff to identify suspicious emails and messages. Critical data can even be gained via social engineering attempts over the phone.
- Keep up regularly with cybersecurity news blogs and online cybersecurity resources.
- Keep your entire system updated. You can easily update your hardware by purchasing refurbished equipment from a reputable supplier.