Cybersecurity and you: The iceberg e ect
In a recent study by Microsoft partnered with Frost & Sullivan titled “Understanding the Cybersecurity Threat Landscape in Asia Pacic: Securing the Modern Enterprise in a Digital World” (mouthful, I know). 1,300 IT decision makers, including CIOs and IT directors, across 13 Asia Pacic markets were surveyed, and the main takeaway was that cybersecurity threats have potentially cost an economic loss in Asia Pacic to a tune of US$1.745 trillion in 2017, or about 7% of the region’s total GDP.
In the report, Microsoft alluded to what they call an Iceberg Effect, where the direct nancial losses from cyberattacks, such as nes or clean up costs are just the tip of the iceberg. Often, indirect and induced losses are farther reaching. Indirect losses refer to opportunity
costs for an organization such as loss of customers and reputation. Induced losses can even affect the entire economy, such as reduced consumer spending and job losses. The report indicates that a large sized organization
(of 500 employees or more) could potentially lose US$30 million in a single cybersecurity incident. Of this number, the clearly visible direct loss only amounts to about US$3.4 million, while indirect losses could add up to US$9.7 million, with an induced loss of US$17.2 million.
Sobering, yes, “but what has this got to do with me?”, you’re asking right now. This isn’t something that you, or I for that matter, are particularly bothered by dayto-day. If news broke tomorrow that Microsoft lost some millions because of a security breach, and was ned by some governing body, you’d probably think that they deserved it.
But what if it was? While the report is squarely aimed at enterprise cybersecurity, the Iceberg Effect is very much true for the average person as well. Many of its ndings, both impact-wise as well as attitude towards cybersecurity can be applied right down to an individual perspective. Think about it.
The direct cost of a malware attack, such as ransomware, is usually an immediate loss of privacy, data, or the incapacitation of your device which you’ll likely have to spend extra cash to salvage. And this cost only spirals outward. In a personal capacity, the indirect cost is where your productivity is affected during the recovery phase. Whether it means formatting and scrubbing your devices, or having to re-authenticate and reapply for services and accounts that may have been affected, it all translates to loss of time and personal effort you’ll have to make up for at a later date.
What of induced losses? Surely, one person won’t affect the economy right? Well, in Microsoft’s report, another statistic that stood out was that 67% of their survey respondents, or about 7 in 10 companies affected by cybersecurity incidents resulted in job losses. What if you happened to be that guy? What if it was you that opened the email and became the vector for attack in your company? You could be facing disciplinary action and lose your job. That in turn affects your livelihood, family, future job prospects and spending power.
These are grim and extreme scenarios surely. You may even call me a doomsday prophet, but it does get one thinking that cybersecurity shouldn’t just be an afterthought that you can deal with, if, and when, it happens to you. Because by that time, it’s already too late to stop the outward ripple.
There was another part of Microsoft’s report that resonated with me on a personal level. 52% of the companies surveyed throughout Asia Pacic have either had a cybersecurity incident or worse yet, not even sure if they’ve been breached because they’ve never had a forensics assessment done. And yet, despite attacks, only 25% of these organizations considered cybersecurity as essential to their digital transformation projects. On the other end of the spectrum, 59% of respondents have said that they’ve put off or were cautious of digital transformation initiatives within their companies because they fear increased cyber-risks.
I know of so many people who wouldn’t enhance their personal cybersecurity with simple measures such as two-factor authentication, regular data backups and keeping devices/apps/services updated for similar reasons. They either don’t feel the need to, or have become so risk-adverse that they’d rather put off adopting newer technologies to avoid the hassle of cybersecurity in the rst place.
I feel the recommendations made by the Microsoft survey holds true down to the individual level because as tech becomes pervasive, we really cannot afford cybersecurity to be an afterthought. Just like how a the Iceberg Effect shows that cyberattacks can have far greater impact beyond what’s immediately noticeable, securing against cyberattacks isn’t all about large enterprises with million-dollar security solutions. Even Microsoft’s report acknowledges that over 90% of cyber incidents can be averted with individual basic best practices.
Yes, that means you, me, everyone.