The Cybersecurity Poverty Line

When it comes to security, and cybersecurity in particular, there are haves and have-nots. The drab state of security in organisations warrants a second look these days. As we move deeper into new technologies—the cloud, mobile, social, and IoT—and attack surfaces expand, it’s imperative that organisations establish a baseline to protect themselves from attacks at the most basic level. Over the past years, research has made it clear that the larger an organisation’s bottom line/revenue, the more willing it is to budget for cybersecurity.

The gap at the cybersecurity poverty line is widening, and malicious actors have exploited it to launch persistent attacks that go largely unreported. Nigeria lost tens of millions of dollars to cybercrime in 2016. Cumulatively, global cybercrime damages in 2017 exceeded US$2 trillion. One thing is abundantly clear when you look at the statistics over the years: most organisations, both private and public, underinvest in cybersecurity. Institutions providing oversight and law enforcement are already overwhelmed with cases, and, viewed holistically, they lack the manpower and the right mix of intellectual heft to address these concerns.

Just as the United Nations has run persistent global campaigns to end poverty, the poverty analogy is also apt in our drive to curtail the cybercrime scourge. There must be deliberate, long-term, concerted efforts from decision-makers if we are to make headway. From 2008 to 2010, Microsoft ran a campaign called the Microsoft Internet Safety, Security, and Privacy Initiative for Nigeria (MISSPIN) to reduce the cybercrime scourge in Nigeria, which had reached alarming levels at the time. The efforts worked, and some Internet fraudsters became “repentant” as they found an alternative in applying their skills to legitimate endeavours.

From an enterprise perspective, compliance measures and standards such as HIPAA, PCI DSS, and FERPA are being put in place, but they aren’t enough to engender trust in the computing space. These standards, at best, provide only a lowest-common-denominator approach for organisations to determine where they stand on the cybersecurity defence metric. After a major breach not long ago, Bank of America told the public that it has an unlimited budget for cybersecurity. The fact remains that not all organisations are as fortunate as Bank of America, and most small- to mid-sized organisations with revenues below or just above US$1 million will fall below the cybersecurity poverty line.

We all have a role to play in closing the gap at the cybersecurity poverty line. Governments worldwide have focused on improving standards and requirements, but that alone is not enough. The lethargy and slowness of governments, even when they have all the tools and resources in place, don’t spur solutions. There’s still a lot of work to be done at the regulatory and compliance level. The private sector has been highly innovative in developing new cybersecurity solutions; however, these solutions are expensive and out of reach for small and medium-sized enterprises. End users have the greatest impact on erasing the cyber poverty line through better cyber hygiene and education.

The first point of defence in the cyber kill chain is knowledge, and it’s time this triad—public, private, and individuals—invested more in cyber education and advocacy.
