One of the biggest challenges with public opinion on cyber is perception. It’s very hard to illustrate the true impact of a breach. There are a couple of reasons for that; let’s explore them:
Problem 1: Terrible Reporting
This is the core of the problem. Day-to-day cybercrime goes unreported, both in the media and to law enforcement. In the news, we’ll hear all about incidents like Colonial and SolarWinds. We’ll hear a blurb about healthcare breaches that impact millions of patients. We will not hear about the ransomware incident that impacted 15 jobs in a small town, the small tax firm whose data was stolen via ProxyLogon, or the small health clinic brought to its knees. Why not? It’s not exciting news. Media companies (every one of them, I’m not getting political here) aren’t here to report important facts to you. They’re here to make money, and exciting news brings viewers, which brings money.
The Colonial Pipeline attack is interesting news. It impacted the availability of fuel to a whole region of the country. The SolarWinds incident resulted in breaches of top Federal agencies and Fortune 100 companies. People eat that up. Unfortunately, there seems to be a lack of care around the local bakery getting hit because of problem two.
Problem 2: Lack of Understanding
This is a really crucial point to cover. Not everyone understands the shockwave created by even a small incident. In fact, most people do not understand this. I understand it, my circle understands it, most of you reading this probably do. It’s obvious to us because we see it day in and day out. But we must remember that not everyone is a cybersecurity practitioner. Unless you’ve been personally impacted by an event, it’s hard to understand the impact. A lack of understanding leads to a lack of empathy. Assuming the incident is reported, it’s reported as “Tom’s accounting firm was breached and you’re at risk and it’s 1000% their fault.” In fact, I would argue that cybercrime is the one type of crime where victim blaming is seen as socially acceptable.
This is a really big and complex problem. Sure, there are plenty of scenarios where sheer negligence was the cause of the breach. But the fact is that we’re facing more sophisticated adversaries every day. Even companies partnering with great channel partners are going to get breached. As Matt Lee likes to say, cybersecurity is like (American) football. You’re going to lose yards; it comes with the territory. Even if we have the best defenders on the field, we’re going to lose from time to time.
We need to bring that to light and educate the public. We need them to understand two key points:
Cybersecurity is a bit of a sick sport. We go into this line of work (or at least should) with FULL AWARENESS that we’re going to lose every now and again. Every time defenders roll up to work, it’s with the understanding that we’re going to play our best game and hope for the best.
The totality of the impact. Even for small targets, a cyber-attack can be devastating. A simple ransomware attack can impact the livelihood of everyone working at an SMB. A breached health clinic can’t effectively treat its patients if it can’t get into the charts. Cyberattacks have a real-world impact on real people’s lives, yet we never illustrate that. The narrative around an attack should absolutely highlight the fact that “X in lost revenue is going to cost Y jobs,” or whatever the true impact of that attack is. The truth is, cybercrime literally kills people.
At the end of the day, cybercrime needs to be reported like all other forms of crime. We need the public to know how much this is impacting their neighbors’ lives before they are going to take a keen interest in being part of the solution. There’s no politics to be had here; we simply must improve the way we attack cybercrime. This can only be made possible if the general public understands it on an intimate level.