When it comes to security, with a special focus on cybersecurity, there are the haves and the have-nots. The drab state of security in organisations is worth giving a second thought these days. As we transition more deeply into the use of new technologies (the cloud, mobile, social, IoT), and with attack vectors increasing on these new surfaces, it’s imperative that organisations establish a baseline to protect themselves from attacks at the most basic of levels. Over the past years, research has made it very evident that the bigger the bottom line/revenue of an organisation, the more it will be willing to budget for cybersecurity.
The cybersecurity poverty line is widening, and malicious actors have taken advantage of this gaping hole to unleash persistent attacks that go underreported. Nigeria lost tens of millions of dollars to cybercrime in 2016. Cumulatively, cybercrime damages in 2017 across the world are in excess of US$2 trillion. One thing is abundantly clear when you look at the statistics over the years: most organisations, both private and public, underinvest in cybersecurity. Institutions providing oversight and law enforcement are already submerged in cases and, when you look at it holistically, they lack the manpower with the right mix of intellectual heft to ameliorate these concerns.
Just as the United Nations has run persistent campaigns globally on ending poverty, the poverty analogy is also very apt in our drive to curtail the cybercrime scourge. There have to be deliberate, long-term and concerted efforts from decision-makers if we are to make headway. For instance, from 2008 to 2010, Microsoft ran a campaign called the Microsoft Internet Safety, Security and Privacy Initiative for Nigeria (MISSPIN) to organically reduce the cybercrime scourge in Nigeria, which had been escalating at the time. The efforts worked, and some Internet fraudsters became “repentant” as they found an alternative in engaging their skills in legitimate endeavours.
From an enterprise perspective, there are compliance measures and standards being put in place, such as HIPAA, PCI DSS and FERPA, but these aren’t enough to engender trust in the computing space. At best, these standards provide a lowest-common-denominator way for organisations to gauge where they stand on the cybersecurity defence metric. After a major breach not too long ago, Bank of America posited to the public that it has a limitless budget for cybersecurity. The fact remains that not all organisations are as lucky as Bank of America, and most small to mid-sized organisations with revenues below or a little above US$1 million will fall below the cybersecurity poverty line.
We all have a role to play in closing the cybersecurity poverty line. Governments across the world have been focused on improving standards and requirements, but that in itself is not enough. The lethargy and snail’s pace of governments, even when they have all the tools and resources in place, doesn’t spur solutions. There’s still a lot of work to be done at the regulatory and compliance level. The private sector has been very innovative in building and crafting new cybersecurity solutions; however, the solutions are very expensive and out of reach for small and medium enterprises. End users have the biggest impact when it comes to erasing the cyber poverty line, through better cyber hygiene and education.
The first point of defence in the cyber kill-chain is knowledge, and it’s time this triad (public, private and individuals) invests more in cyber education and advocacy moving forward.