Awareness of consumer security is on the rise in America. We should be grateful for that because indifference usually leads to bad outcomes – for companies, governments, and individuals.
But public engagement is still not where it should be. Only a third of Americans said defending against cyber attacks should be a top priority for the federal government in 2021, for example. When poor security now costs lives, disrupts food supply chains, increases the cost of gas, and interferes with our democratic process, why shouldn’t we care more?
There is no easy answer. But to get out of this loop, we need to reframe security as a team effort. This means that action must be taken across the government, private-sector and consumer domains.
Threats are everywhere.
Security threats are on the rise across the United States and the world. They take many forms – from government electronic espionage to ransomware, personal data theft and fraud. The novel coronavirus COVID-19 has presented a huge opportunity for the multi-trillion-dollar cybercrime economy to expand even further. Global ransomware attacks were up 150% year-over-year in 2020, with the average extortion amount doubling. In the US, the third quarter of 2021 saw the number of recorded data breaches surpass the figure for the whole of 2020, with estimates predicting a record year.
However, consumers are often desensitized by what they read in the news, and the security and fraud alerts that appear on their screens. We say one thing – we’ll walk away from a brand after a breach – but when it comes to it, many of us don’t actually do anything. This only encourages companies to prioritize cost and convenience over security.
Part of the problem is that many organizations run security awareness and training programs that are uninspiring to employees, or do not offer courses at all. According to Gartner, 60% of large companies will have a full-time equivalent dedicated to training by 2022. But that leaves some major gaps.
The result is that large segments of the population are not actively considering cybersecurity. We hand off responsibility to the security teams – in our own organizations and at the manufacturers and service providers who pursue our habits.
Bring it home.
However, security has a far greater impact on our whole lives. How many hours did you wait for gas when the Colonial Pipeline was hit by ransomware? How many had their personal and financial details exposed in breaches like Equifax or Capital One, or spent countless hours trying to regain their identity and credit rating? How many have directly lost their money to a dating or investment scam? According to the FBI, the former cost victims more than $600 million in 2020.
We’ve even seen how greater public participation can force companies to make improvements. Privacy concerns following Cambridge Analytica forced Facebook to make major changes to the way it operates. It’s certainly not perfect, but the company has improved a lot today. The public backlash against privacy-invading smart home assistants has also led to increased transparency from the likes of Google, Apple and Amazon and more control for users.
However, all too often, when it comes to cyber security, we still expect someone else to fix the problem. It is questionable whether any single issue can cause enough collective and immediate pain to bring about wholesale changes.
Make cyber security mainstream.
The present administration is doing its best to promote greater responsibility among the private sector through a “whole nation” approach to cybersecurity. But for that to really work, we also need to include consumers in the conversation. They can no longer be passive observers of events. This can be done. Here are three main pillars, all of which are essential to creating positive change:
- States can enact stronger cybersecurity laws: California’s Song-Beverly Consumer Warranty Act (the “lemon law”) has a section that applies to electronic devices that cost more than $100. The manufacturer must provide spare parts even after the warranty period has expired. This should be extended to technical devices that have sufficient memory and data storage capacity to handle security updates, and set standards for when and how updates are provided. Ideally and by default, updates should be applied with minimal consumer intervention. Unfortunately, at this time, such measures must be a state-by-state effort.
- The private sector should set higher standards: In the same way that they have responded to government requirements for electronic devices to be more environmentally friendly, companies need to plan for a “security lifecycle” that goes beyond the 0-, 90- or 365-day warranties typical of many consumer electronics. Forward-thinking vendors should also create an industry association certification for devices that meet published security standards.
- Businesses must proactively engage consumers: Customers must be involved in the conversation. In the past, increased awareness has led consumers to demand products that are more recyclable and less harmful to the environment. Companies can help create a similar consumer security demand by developing an industry standard with a custom certification logo for products and packaging, as noted above.
Bottom line: Technology is now too tightly woven into the economic and social fabric of the state to be ignored. We need to get better at protecting it and at preventing it from being a conduit for crime. This makes cyber security a problem for everyone today. Likewise, improving it is now everyone’s job.