A 76-year-old mother opened her MacBook Pro one day, only to find it covered in urgent tech support pop-ups. After calling the number on her screen, she was scammed out of $2,000 by a man claiming to be from Apple Support. According to USA Today, her money was not recoverable. By now this is an all-too-familiar story for many Americans: according to NORC at the University of Chicago, 64% of adults over the age of 50 experience cyber abuse at least once in their lifetime. Cyber actors focus their attention on easy targets, and the organizations that could stand in their way do little to make a difference.
The Need for a Victim Focus
Cybercrime is rising, and with it, so is the number of victims. In 2023, the global cost of cybercrime – including ransomware, fraud and phishing attacks – is expected to reach $8 trillion. And while businesses are spending a lot to protect themselves from cyber actors, those efforts are doing little to help their customers – sometimes, they even make things worse.
Part of the problem can be laid at the feet of a mentality that overlooks victims. Going forward, small businesses and big corporations must align their cybersecurity efforts with an ethical framework focused on protecting consumers. And since the federal government is slow to act, change must begin on a local level.
Why Businesses Are Losing the War on Cybercrime
Each year, the amount that businesses spend on cybersecurity is scaling with the number of cyberattacks. But today, cybersecurity efforts in corporate America are almost entirely focused on maintaining operations in the face of an attack, protecting businesses from liability in the event of a breach, or appeasing victims in the aftermath of an attack to stave off public scrutiny.
There is little to no focus on preventing the creation of new victims. By and large, consumers are just an accepted casualty of the war on cybercrime: just as big retail outlets count on a certain amount of property theft each fiscal year, big corporations accept that a certain amount of customer data will be stolen and a certain number of online users will be scammed. (The comparison between retail shrinkage and expected loss from cyberattacks was even made by CISA in a report from 2020.)
The urgency required to make a difference where it matters most will only come when victims are at the front and center of cybersecurity efforts, and not a minute sooner.
The Need for an Ethical Framework
Building a mindset that includes the victims of cybercrime will require businesses to adopt an ethical framework that puts their customers’ safety and wellbeing first.
Unlike information security standards (such as ISO 27001), the goal would not be to protect sensitive business information – and unlike emerging data privacy legislation (GDPR and CCPA), the goal would not be to prevent liability or appease customers in the aftermath of a breach.
Instead, the goal would be to prevent new victims by thwarting consumer-directed attacks. While the purpose of this article is not to create such a framework from scratch, it would incorporate at least a few essential tenets, such as:
- Trust is the cornerstone of all business relationships – conversely, the best way to protect business resilience over the long term is to earn and protect the trust of customers, even if this means continuous vigilance and a higher upfront investment.
- Protecting customers is the number one goal of cybersecurity – overwhelmingly, customers are the most valuable target businesses provide for cyber actors. While some are seeking intellectual property (IP) and trade secrets, most want to steal logins, credit card numbers and social security numbers they can sell or use for fraud.
- Businesses have an ethical duty to know who they are working with – in recent years, the conversation around software supply chain security has clarified the risk that digital vendors can pose to businesses. Organizations need to understand this risk from the perspective of their customers, and work to ensure they aren’t harmed by unprotected digital assets.
Ultimately, this last point is among the most important: today, businesses work with hundreds of third-party vendors through their websites and mobile platforms without knowing who they are. Bad third parties are often the cause of fraud, data mishandling and misinformation that impacts the most vulnerable.
Why Change Must Happen Locally
For now, the prospects of a federal law requiring businesses to adopt a customer-centered code of cybersecurity ethics are low. The government has floundered on passing a national data privacy standard – meanwhile, recent federal cybersecurity initiatives (such as EO 14028) are myopically focused on national security rather than consumer safety.
This is obviously a mistake: with consumer devices representing the largest attack surface for nation state actors, the security of consumers is also a national security issue.
Either way, it is possible to work around the federal government – and there are at least as many chances to try as there are states. Cyberattacks happen on a local level, and it follows that they should be addressed by state and local governments. To make that happen, interest groups like the AARP can collaborate with NGOs, universities, churches, and other voices that represent the conscience of society.
Given the decentralized nature of the Internet, pushing businesses to change the way they use it has always been a difficult problem. But as GDPR has proved in Europe – and as other data privacy laws are proving in the U.S. – local change often leads to national change, which in time leads to worldwide change.
The Future Depends on Trust
The future of our globally connected, digital economy depends on businesses cultivating and honoring consumer trust. But if trust is important to today’s corporations, it isn’t yet reflected in their approach to cybersecurity.
In 2023, consumers – the victims of cyberattacks – should be at the forefront of the global war on cybercrime: they should be discussed in board rooms and security operations centers. They should be what CISOs think about before they go to sleep and when they wake up – only then will businesses have a chance of winning the war on cybercrime.