A few months ago, I was wrapping up at the office on a chilly Friday afternoon. I turned off my music, walked to my car, plugged in my phone, and found a surprise waiting on my Spotify. Within five minutes, I had 10 new playlists saved to my account, including “Baby Making Music” and “The Best of Cindy Jay” (for anyone curious, Cindy Jay’s best is still not great). I racked my brain to figure out if I somehow “pocket-saved” playlists on my walk to my car, but with the phone safely locked in my bag I knew that this was unrealistic.
Unfortunately, my account had been hacked due to a previous data breach at another company. Although I quickly changed the passwords on my most-used accounts, like my bank login, email, and Amazon, over the coming weeks I had notifications from Groupon and PayPal of suspicious activity — accounts which I had entirely forgotten I had. Luckily, these accounts didn’t have an active credit card attached, so nothing from this hack was compromised besides my musical integrity.
This was a great lesson to have learned about password security with few serious repercussions; however, now Spotify’s data is a misrepresentation of my true musical behaviour, since my hacker’s activity was significant enough to be noted in my 2019 year in review statistics. This story could have had an entirely different ending had my current banking information been attached to any of these accounts, or had these companies had weaker security systems.
It began to make me question: in a world with an increasing cyber risk, increasing expense to mitigate this risk, and increasing repercussions for being compromised, will corporations ever just go back offline?
Rising Threat of Hacking
In the past ten years, 10 of the largest 15 breaches in history have occurred, and research from Accenture states that the average number of security breaches per organization increased between 2017 and 2018, moving from 130 to 145. Breaches are not only becoming more frequent; their repercussions are also growing. In the U.S., the average total cost of a data breach for companies has increased 130%, from $3.54 million in 2006 to $8.19 million in 2019.
Depending on which article you’re reading, the payout a hacker receives varies with one quoting $2.50 for a hacked Facebook account and $8 for a hacked iTunes account. Regardless of actual details, the important aspect is that your data has financial incentive attached to it. And where there is money, there are people; where there are people, there is creativity in competition. For example, it was recently found that hackers specifically targeted customers of plus-sized clothing companies to sell their data at a premium for advertisers. Hackers are finding new and innovative ways to monetize your personal information, and it’s not going to end. The annual cost of data breaches is predicted to increase by $2 trillion by 2024.
So, which organizations suffer the most from the cyber threat? The answer is small businesses. A 2019 report from Verizon found that 43% of breach victims were small businesses, which is actually surprisingly low considering that smaller organizations (1–250 employees) have the highest targeted malicious email rate, at 1 in 323. Additionally, the financial consequences of a security breach are much higher than average for a small business. The total cost for large organizations (greater than 25,000 employees) averaged $5.11 million, which is $204 per employee, while smaller organizations (between 500 and 1,000 employees) had an average cost of $2.65 million, or $3,533 per employee. Based on that statistic, it’s not surprising that 93% of SMEs that have experienced a cyber incident have reported severe impact to their business, including loss of money and savings. It is estimated that somewhere between 65% and 75% of businesses aren’t around 6 months after a breach.
So, to recap… Data breaches are increasing in cost and frequency, and small businesses are at greater risk and face greater consequences. As this continues to play out, how can small businesses stay secure? I’m presenting a potential future scenario in which, due to this immense threat, small businesses may have to go as far offline as possible. In this article, we will talk about why the increasing cost of cybersecurity, the increasing cost of compliance with data security legislation, and the advent of quantum computing may be too big a burden for SMEs (such as restaurants and boutique stores) to manage, and why the best solution could be an offline existence.
Cost of Cybersecurity
Cyber criminals are getting more advanced, so cybersecurity has to advance in step; more complicated protection means more expensive protection. The average annual security spend per employee doubled from $584 in 2012 to $1,178 in 2018, and worldwide spending on cybersecurity is forecast to reach $133.7 billion in 2022. It’s not just the technical protection that businesses need to spend money on; it’s also employee training to prevent Gladys in the back office from clicking on that sketchy link. In fact, 33% of breaches involve a social attack.
The issue is that a cyber program is an additional and increasing business expense for companies whose profit structure stays the same. A pizzeria that starts spending $25,000 on cybersecurity doesn’t automatically receive $25,000 more in sales. Although better cyber protection is tied to increased customer loyalty and lower future costs, cash-strapped companies don’t care when this year’s profits are $25,000 lower than expected. Many companies don’t have the money to pump into extensive cybersecurity programs, and hackers know this. Hackers often use software that automatically scans the internet for companies with specific weaknesses (such as poor password protocol), making it easy and efficient to identify targets. Companies struggling to afford the right protection have a glaring target on their backs. With no significant cybersecurity innovations on the horizon that might drop pricing, it’s feasible that some companies may simply not be able to afford the correct protection for the increasing threat.
Cost of Compliance
One of the largest regulations of the past decade in regard to data security was the EU’s General Data Protection Regulation (GDPR), which came into full effect in 2018. The aim of GDPR is to provide businesses and individuals with a common understanding of appropriate data collection, storage, and usage. Practical repercussions of this regulation include companies facing more restrictive data collection and usage rules, needing more security protection than just standard firewalls, integrating network access endpoints, and rolling out more robust data processing strategies. Any firm that has ties to the EU (including through vendors or customers) is responsible for upholding compliance. These changes did not come cheap.
Large British firms reportedly spent a collective $1.1 billion on compliance, and American firms spent $7.8 billion. Another international survey found that 88% of large and small firms spent over $1 million on compliance. Some companies, such as Wetherspoons, found it easier to dump data than to retroactively change their systems to be compliant. And if you mess up, it’s expensive. GDPR fines in the first year were approximately $62 million (although, for full disclosure, a significant portion of that was due to a hefty fine given to Google), and that number is expected to increase in the upcoming years. GDPR isn’t the end of cybersecurity regulation; in fact, it’s just the beginning. There are regulatory grumbles in the US, Canada, and even Kenya that align with the intent of GDPR and address further cybersecurity issues. Governments have identified that cyber risk is a clear threat to their citizens, and regulatory action ultimately pushes another significant cost onto businesses. If these costs are deemed too large, there may be more companies like Wetherspoons that choose to just not store customer information.
The Threat of Quantum Computing
There’s a chance you may have heard of quantum computing but don’t yet understand the tangible impacts of the technology; that’s okay, because a lot of researchers aren’t yet confident of the predicted impacts either.
One thing they are confident of is that quantum computers will break our standard RSA encryption. That means your bank account and everything you value as private and secure would be open to whoever wants it, regardless of your attempts at protection. Our current encryption methods are built on mathematical functions that would take a classical computer so long to reverse that they are essentially impossible to break. They rely on a one-way model: easy to compute in one direction, difficult to reverse without the key. For example, it’s easy to determine that the prime numbers 317 and 421 multiply to 133,457, but it’s extremely difficult to reverse that and determine which two prime numbers multiply to 133,457.
Unless of course… you are a quantum computer.
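The asymmetry in the paragraph above can be measured rather than just asserted. The block below is an added example, not code from the article: it multiplies the article’s two primes in one step, then recovers them by trial division while counting how many divisions that takes, and repeats the measurement for constructed moduli of growing size so the growth in factoring work is visible. Trial division is the simplest possible attack and real RSA moduli are hundreds of digits, so the absolute numbers are toy-scale; the shape of the curve, roughly doubling every two bits, is the point. All function names are my own.

```python
# Added example (not from the article): the one-way asymmetry behind RSA,
# measured by counting arithmetic steps. Multiplying two primes costs one
# operation regardless of size; recovering them by trial division costs on
# the order of sqrt(n) divisions, which doubles for every two bits of n.
import math


def multiply(p: int, q: int) -> int:
    """The easy direction: a single multiplication, whatever the size."""
    return p * q


def factor_by_trial_division(n: int) -> tuple[int, int, int]:
    """The hard direction for n = p*q. Returns (p, q, divisions_tried).

    Tries 2, then every odd candidate up to sqrt(n). The number of
    candidates tried before a divisor appears is the work measure."""
    tried = 0
    d = 2
    limit = math.isqrt(n)
    while d <= limit:
        tried += 1
        if n % d == 0:
            return d, n // d, tried
        d = 3 if d == 2 else d + 2
    raise ValueError("n has no non-trivial divisor; expected a product of two primes")


def is_prime(n: int) -> bool:
    """Plain trial-division primality test; adequate for the toy sizes here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    for d in range(3, math.isqrt(n) + 1, 2):
        if n % d == 0:
            return False
    return True


def largest_prime_below(x: int) -> int:
    candidate = x - 1
    while not is_prime(candidate):
        candidate -= 1
    return candidate


def factoring_work(bits: int) -> dict:
    """Build a toy modulus of about `bits` bits from two distinct primes of
    bits//2 bits each (constructed input), then count the trial divisions
    needed to recover them."""
    half = bits // 2
    p = largest_prime_below(2 ** half)
    q = largest_prime_below(p)  # next prime down, so p != q
    n = multiply(p, q)
    found_p, found_q, tried = factor_by_trial_division(n)
    assert {found_p, found_q} == {p, q}
    return {"bits": n.bit_length(), "n": n, "divisions": tried}


if __name__ == "__main__":
    # The article's own example: 317 x 421 = 133,457.
    print("multiply:", multiply(317, 421))
    print("factor:  ", factor_by_trial_division(133457))
    for b in (16, 24, 32, 40):
        r = factoring_work(b)
        print(f"{r['bits']:>3}-bit n = {r['n']:<14} {r['divisions']:>8} trial divisions")
```

Each step up of 8 bits in the modulus multiplies the division count by roughly 16, while the multiplication side stays at one operation; that widening gap is what "one-way" means in practice, and it is exactly the gap Shor’s algorithm closes on a sufficiently large quantum computer.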
Researchers determined quite a few years ago that quantum computers would be able to break encryption, but figured it would take at least a billion qubits (quantum bits) to do this reliably, which is quite far from our current leading-edge 72-qubit quantum processor. However, researchers recently determined that we may not need quite so many to crack encryption. Craig Gidney at Google in Santa Barbara and Martin Ekerå at the KTH Royal Institute of Technology in Stockholm found that it may actually take only 20 million qubits to break RSA encryption, and that it could be completed in only 8 hours. This finding drops the qubit estimate by two orders of magnitude, drastically shifting the timeline of potential impact.
If it’s any comfort, there are already encryption methods that are theorized to be quantum-secure (one of them from IBM), but they have not yet been standardized for the industry. Additionally, there should be little direct effect on consumers. The industry has enough foresight into the risks of quantum computers that there should be a solution in the market long before our data is at risk. However, implementing a solution will come at a cost to businesses. Not only will companies need to switch to post-quantum secure encryption in the future, but it’s also recommended that they switch their cryptographic infrastructure to one that is agile and can be easily adapted to future requirements.
On the flip side, it is likely that small businesses won’t have to implement these changes themselves; instead, their software providers will be responsible. However, the costs software companies incur could still be passed on to their business customers, and if we learned anything from GDPR, that likely won’t come cheap.
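The "agile" cryptographic infrastructure recommended two paragraphs above is a design property, and a small example shows what it costs to build in up front versus retrofit. The block below is an added example, not code from the article, IBM, or any vendor: every protected record carries an algorithm identifier, so verification never has to guess which algorithm was used, a new algorithm can be added by registering it, old records can be re-protected on the fly, and a retired algorithm can be refused without touching the records themselves. HMAC with two hash functions stands in for the signature scheme being swapped (a post-quantum scheme would slot into the same registry); the envelope format, key, and class names are constructed for this illustration.

```python
# Added example (not from the article or any vendor): a crypto-agile
# integrity layer. The algorithm id travels with each record, the set of
# accepted algorithms is policy, and migration is verify-then-re-protect.
import hashlib
import hmac
from typing import Callable

# Registry: algorithm id -> (MAC function, tag length in bytes).
# Adding a post-quantum scheme later is one more entry here.
ALGORITHMS: dict[str, tuple[Callable[[bytes, bytes], bytes], int]] = {
    "hmac-sha256": (lambda k, m: hmac.new(k, m, hashlib.sha256).digest(), 32),
    "hmac-sha3-256": (lambda k, m: hmac.new(k, m, hashlib.sha3_256).digest(), 32),
}


class AgileSigner:
    """Protects payloads with the `current` algorithm while still verifying
    records made under any algorithm in `accepted`."""

    def __init__(self, key: bytes, current: str, accepted: set[str]):
        if current not in ALGORITHMS or not accepted <= set(ALGORITHMS):
            raise ValueError("unknown algorithm id")
        if current not in accepted:
            raise ValueError("current algorithm must itself be accepted")
        self.key, self.current, self.accepted = key, current, set(accepted)

    def protect(self, payload: bytes) -> bytes:
        mac, _ = ALGORITHMS[self.current]
        # The algorithm id is bound into the MAC input, so relabelling a
        # record with a different id invalidates its tag (no downgrade by edit).
        tag = mac(self.key, self.current.encode() + b"\0" + payload)
        # Constructed envelope format: alg_id '.' hex(tag) '.' payload
        return self.current.encode() + b"." + tag.hex().encode() + b"." + payload

    def verify(self, envelope: bytes) -> tuple[bytes, str]:
        """Return (payload, algorithm_used) or raise ValueError."""
        try:
            alg_b, tag_hex, payload = envelope.split(b".", 2)
            alg = alg_b.decode("ascii")
            tag = bytes.fromhex(tag_hex.decode("ascii"))
        except ValueError:
            raise ValueError("malformed envelope") from None
        if alg not in self.accepted:  # policy check comes before any crypto
            raise ValueError(f"algorithm {alg!r} is not accepted for verification")
        mac, tag_len = ALGORITHMS[alg]
        if len(tag) != tag_len:
            raise ValueError("bad tag length")
        expected = mac(self.key, alg_b + b"\0" + payload)
        if not hmac.compare_digest(expected, tag):  # constant-time compare
            raise ValueError("integrity check failed")
        return payload, alg

    def needs_upgrade(self, envelope: bytes) -> bool:
        return envelope.split(b".", 1)[0] != self.current.encode()

    def rotate(self, envelope: bytes) -> bytes:
        """Migrate one record: verify under its old algorithm, re-protect
        under the current one. The payload itself is untouched."""
        payload, _ = self.verify(envelope)
        return self.protect(payload)


def migrate_store(signer: AgileSigner, records: list[bytes]) -> list[bytes]:
    """Re-protect only the records that still use a non-current algorithm."""
    return [signer.rotate(r) if signer.needs_upgrade(r) else r for r in records]


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"
    # Year one: everything is protected with hmac-sha256.
    old = AgileSigner(key, "hmac-sha256", {"hmac-sha256"})
    store = [old.protect(b"customer:alice;plan=gold"), old.protect(b"customer:bob")]
    # Year two: a new algorithm becomes current; old records still verify.
    new = AgileSigner(key, "hmac-sha3-256", {"hmac-sha256", "hmac-sha3-256"})
    store = migrate_store(new, store)
    # Year three: the old algorithm is retired by policy; nothing else changes.
    strict = AgileSigner(key, "hmac-sha3-256", {"hmac-sha3-256"})
    for rec in store:
        print(strict.verify(rec))
```

The cost the article warns about is visible in the shape of this code: the only parts a switch touches are the registry and the `accepted` policy, because the algorithm id was stored from day one. A system that hard-codes one algorithm and stores bare tags has no way to tell old records from new ones, so the same migration means re-protecting every record during a maintenance window, or breaking verification of everything written before the cut-over.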
What does this all mean…
Cyber risk is increasing, the costs of protection are increasing, and the global economy is slowing down. I believe it would not be unreasonable to see small businesses in the future shifting away from the digitized economy as much as possible as a means of fiscal survival. If the options are:
- Spend an infeasible amount on cybersecurity
- Face a significant risk of being hacked that statistically will end up with you shutting down your business
- Switch to the old-school “pen and paper” CRM management tool
I would definitely be picking option C, since it may be the only way I can guarantee I’ll stay in business. Now, if you think I’m off my rocker, all I say to that is “fair”; however, I would quickly follow that up with a recent example out of France, where a hospital went offline for a few hours in response to a hack. The University Hospital Centre (CHU) in Rouen, France faced a ransomware attack in mid-November that rendered its computers completely unusable. Instead of paying off the hackers and rewarding them, the 1,300-bed hospital refused and instead reverted to the “good old method of paper and pencil”. The hospital later stated that “no patients were endangered by this decision”, but a facility that is in charge of keeping people alive was willing to go offline.
Although the hospital’s attack response was more of a “flipping-the-bird” to the hackers than a statement on future responses to cyber threats, it is a signal that this response isn’t out of the question. Now, I agree that by going offline these companies would be losing out on the competitive advantage that technology brings, but it’s important to keep in mind the type of companies I’m talking about: small-scale, quaint retail or food shops whose value propositions are based on unique, in-person experiences. Unless something drastically changes in their model, the presence (or absence) of technology likely won’t significantly affect their customer engagement.
Bringing it back to my initial question — in a world with an increasing cyber risk, increasing expense to mitigate this risk, and increasing repercussions for being compromised, will corporations ever just go back offline? I think it’s possible.
I think (for certain companies) the value of staying online will just not be worth the cost or risk. Do I want this to happen? No. I want every corporation, regardless of its size or business model, to be able to take part in the digitization of our economy if it so chooses; that said, if we let the world keep going the way it is, I’m not sure that is feasible.
I do want to end this article on a reassuring note. Governments are aware of how difficult it is for small businesses to afford cybersecurity and meet regulation, and are starting to work towards solutions in this space. For example, the Canadian government released Baseline Cyber Security Controls for Small and Medium Organizations to help small businesses maximize the effectiveness of their cyber programs. I’m hoping that movements like this, along with this article, can be a continued call to action to form the cyber-secure and technology-enabled world we dream of, because if we don’t make some progress soon, you might find yourself dusting off that good old cheque book.