Cybersecurity: is it worth the investment?
In November 2016, Tesco suspended part of its online banking system after it detected attempts to steal cash from around 40,000 customer accounts in a situation described by the media as one of the biggest cases of online fraud at a UK bank. Data from more than one billion Yahoo accounts was compromised in December 2016, while nearly 157,000 TalkTalk customers had their data breached in a cyberattack on the telecoms giant in 2015.
Cyberattacks have been widely described as one of the biggest corporate threats in existence. The general advice for companies is to make sure they protect their assets by purchasing the latest data security technology – but is it really worth the investment? That’s the question posed by Dr Karen Elliott, lecturer in innovation and enterprise at Newcastle University Business School, in a research paper entitled “Action, Inaction, Trust and Cybersecurity’s Common Property Problem”.
Dr Elliott worked with Professor Julian Williams (Durham University) and Professor Fabio Massacci (Trento University, Italy) to assess the risk of corporate cyberattacks and how companies can best manage that risk, focusing primarily on additional factors that firms must consider before deciding to invest in data security measures – including the firm’s existing security provision, the economics of the security and hacking markets and even the motives behind a hacker’s attack.
Dr Elliott says: “Investing large sums of money isn’t always the wisest decision. Our research shows that while the underground hacker market is a well-functioning economy, it is significantly smaller than the cybersecurity industry. Hackers tend to be lazy and persist in using malware that has caused damage in the past, rather than investing in new tools that can exploit new vulnerabilities in
network systems. This means that the likelihood of an attack is significantly reduced.”
Dr Elliott et al analysed transactions in a Russian online hacker market, which Google and the US Federal Bureau of Investigation indicate accounts for the majority of online deployed malware tools. The study found that transaction sizes were “quite low”, often in the hundreds of dollars and only rarely in the tens of thousands. They looked at insurance claims made by US firms for cyberattacks and found that the amounts claimed were similarly small; between 2011 and 2013, the median claim was just $750,000. The highest claim, $13.5 million, represented around 10% of the total claims made.
This data suggests, perhaps, that the threat of cyberattacks is not as severe as portrayed in the media. Dr Elliott says: “The press is brilliant at scaremongering and blowing things out of proportion. If you look at the Tesco case, the amount of money stolen from most of the accounts was actually very small. Also, while hackers got hold of a lot of data from TalkTalk customers, they did nothing with the personal data, in reality there was very little damage caused to the consumer. Rather TalkTalk suffered some reputational damage which passed and they still retain a market share.”
“While some companies spend thousands of pounds on data security for peace of mind, this study considered different response positions such as taking a reactive stance and waiting until something happens, such as a cyberattack on a competitor. Standard economic models indicate that in many cases, the most appropriate course of action is to delay investment until the nature of the threat is clear. Some, however, would deem this to be a poor risk management strategy.”
Either way, a manager who invests in cybersecurity must weigh up the cost of action versus the cost of inaction. The research will help companies properly assess the risk posed by perceived cyberthreats and devise a strategy for dealing with them. She believes that the risk of future attacks could be reduced by adopting emerging technologies such as blockchain, which is a digital distributive ledger of transactions, contracts or any other form of agreement that needs to be independently recorded and verified.
This ledger can be distributed across hundreds or thousands of computers around the world and everyone in the network can access an up-to-date version of it via encryption. The technology keeps data secure and private because the cryptographic key is only known to those making the transaction. Dr Elliott suggests that blockchain technology could radically change the way in which financial transactions are completed. She says: “Blockchain has the potential to revolutionise the financial services industry. If banks no longer have entire control over the payment systems, they won’t be able to charge fees on transactions, for example.
Payments are transferred from person to person over the Internet so long as those people agree on the details – the amount of money to be transferred, for instance – there’s no need for a third party such as a bank. With these agreements in place we may see a reduction in the number of legal disputes, which might not be good news for lawyers!” There are limitations to blockchain, however, as current mobile phone technology means crypto payments are not sufficiently quick to meet market demand.
“We still have a long way to go in terms of developing the technology,” says Dr Elliott. “It would need to fit around consumer needs, such as making purchases on the go from a mobile phone. There’s also the issue of trust. People perceive that making payments via an established bank system are secure and are wary of using new technology. The new technology will therefore, need to be promoted in a way which removes negative misinterpretations of the advantages of this technology. However, given the pace of development, the mobile technology should be fit for purpose within five years and then we’ll start seeing major benefits of cryptocurrencies which has the potential to change the way we bank and purchase goods online.”
Discover more research carried out by the Newcastle University Business School.