Meta’s plan to introduce user-pays verification has thrust the ethics of cyber security under the microscope. The social media giant announced in early 2023 that it would launch its own user-pays verification service, Meta Verified, offering additional verification, security and customer service features for Instagram and Facebook – at a monthly cost to the user. It’s the second major platform to make such an announcement, after X (formerly known as Twitter) introduced its own user-pays “blue check” verification earlier in the year.
These announcements have met with widespread concern that they signal consumers that cyber safety is an optional extra – a luxury to be paid for. Meanwhile, as so many aspects of our lives are going digital, companies and individuals are ever more vulnerable to increasingly sophisticated cyber criminals. So how should both approach the rising costs of cyber security?
According to Jon Brandt, Director of Professional Practices and Innovation at digital trust specialist ISACA, creating “haves and have nots” of cyber security is the wrong approach. “It sends the wrong message and undermines work to advance both cybersecurity and online safety,” claims Brandt.
Presenting security costs to end users as an option offers them a choice they shouldn’t have to make, given that online security breaches have serious consequences for individuals and businesses alike. An IBM report put the average cost of a corporate data breach at USD 4.35 million in 2022, with costs growing yearly. Meanwhile, a Deloitte survey showed that nearly one-fifth of U.S. teens and adults reported being victim to social media account hacks within the first quarter of 2022.
Considering this, perhaps the debate should focus less on who should pay, and more on the hidden costs of presenting basic cyber security as optional in the first place.
It’s true it poses challenges and affects costs for vendors, but regulation also acknowledges cyber security as critical infrastructure. In a way, it’s actually becoming a licence to sell [any digital service] in the 21st century.
According to Brandt, asking deeper questions around risk-appetite should be the first action a company takes when deciding on the time, money, and effort invested in prevention, detection, response, and recovery.
“Companies need to ask themselves: What are the risks of not being digitally trustworthy? Which is a much larger issue than the presence of cybersecurity controls,” says Brandt. “Potential risks not only relate to sensitive data, but also to reputational cost, the cost of non-compliance or even criminal liability.”
Although we commonly see companies experiencing declines in market value for unpopular business decisions, he says, the same has not yet materialized for those who have had lapses in cybersecurity. However, this will doubtless change as consumers, too, gain more understanding of their own vulnerabilities.
“Individuals must demand better – and be willing to walk away from companies who breach their trust,” he adds.
A basic level of cyber security should be something we’re all ready to invest in, like airbags or seat belts – from research and development through to maintenance and the end-user. Working out to what extent we should each make this investment – not to mention who should be responsible for establishing and enforcing minimum standards – is more nuanced. Although a regulatory landscape is developing, it doesn’t hold all the answers.
Many national governments, such as the US and Japan, have had regulations in place for a decade or more, but legislation can struggle to keep up with technological innovation – and sometimes it takes a catastrophe for governments to act. For example, the Australian government only announced plans to overhaul its cybersecurity policies in the wake of disastrous data breaches that compromised the personal data of almost 10 million citizens.
Companies need to ask themselves: What are the risks of not being digitally trustworthy? Which is a much larger issue than the presence of cybersecurity controls. Potential risks not only relate to sensitive data, but also to reputational cost, the cost of non-compliance or even criminal liability.
The private sector is sometimes capable of more regulatory agility. Particularly across the energy industry, various regions have identified increased exposure to cyber security risks and costs, moving to regulate their own minimum standards. Meanwhile, in the marine sector, IACS recently announced that it will impose mandatory cyber security regulations for all new builds by 1 January 2024. Kim Eklund, Director of Security Engineering and Architecture at Wärtsilä believes that a global regulatory landscape is just around the corner for both sectors.
“We already see changes in regulation shaping our industry and customer procurement language. It’s true it poses challenges and affects costs for vendors, but regulation also acknowledges cyber security as critical infrastructure,” he says. “In a way, it’s actually becoming a licence to sell [any digital service] in the 21st century.”
It follows that for digital service providers like Wärtsilä, it’s natural to build security costs into service and product offerings. “While financial cost will always be a consideration, cyber security is acknowledged as a lifecycle expense. Mature companies are looking at cyber security beyond regulation, acknowledging its importance, and ultimately the degree to which they do that is relative to risk management and risk appetite,” says Eklund. And although regulation sets a solid baseline, there can be a competitive advantage in going that extra mile, he adds.
Meanwhile, ISACA’s Brandt has a more cautious view of regulation. “Compliance has bred a checklist mentality which counters the better practice of risk-based decision-making,” he warns, reminding that companies should also be closely following legal developments across the globe with regards to intellectual property and privacy.
Ultimately, who should pay for cyber security, and how much, demands we all weigh our risks vs. costs – with potential rewards for providers who get the balance right. What’s less nuanced is that a collective failure to invest in cyber security is something none of us can afford.
