IDG Contributor Network: The potential costs of cybercrime that can’t be calculated

Analysis of the cost of cyberattacks often comes with a price tag attached. We regularly read reports highlighting the average and cumulative costs of data breaches, and those figures can be staggering, such as in a Juniper Research report that asserts the global cost of breaches could exceed $2 trillion by next year. While such whopping estimates rightfully garner attention, often overlooked is an even deeper and more jarring consideration — the relationship between information and cyber security and our physical security. 

Cybersecurity risk often is treated as a nebulous, abstract concept. Except for those working on the front lines as security practitioners, it is easy to make a distinction between our digital and our physical environments — our homes, our offices, the park where we take our children and grandchildren. We read about cyberattacks in the headlines, but they probably do not provoke as visceral a reaction as when we read about a physical assault or a bank robbery, where the imagery that springs to mind is more harrowing and personal. Yet, as the volume of cyberattacks continues to rise and the attack methods of cybercriminals become more wide-ranging, less predictable and more potent, the barrier between our digital and physical worlds is becoming thinner and more fragile. Increasingly, the possibility of kinetic attacks — those that can start as cyber incidents but turn out to be a precursor or conduit to physical attacks — is commanding more and more of our attention and vigilance.

Threats apply to individuals and wider society alike

The connection between cyber and physical security applies both on a broad scale — cybersecurity is unquestionably a major national security issue, and critical infrastructure attacks carry the potential for widespread damage to our physical well-being — and on an individual level, particularly when it comes to the exposure of personally identifiable information (PII). Data breaches resulting in home addresses, contact information and other PII falling into the wrong hands can provide the starting point for those with malevolent intent to carry out kinetic attacks resulting in physical harm. Physical threats stemming from cyberattacks can target the most vulnerable among us — those dependent on life-saving medical treatment and devices. The potentially chilling consequences of bad actors hacking medical devices such as pacemakers or insulin pumps place a high responsibility on healthcare organizations to be diligent in making strategic investments in security and risk management programs capable of providing patients the peace of mind they deserve.

While attacks on individuals are concerning enough, threats impacting critical infrastructure pose a larger-scale threat to our physical security. As noted in a 2017 Massachusetts Institute of Technology (MIT) report, “the digital systems that control critical infrastructure in the United States and most countries are easily penetrated and architecturally weak.” The proliferation of connected IoT devices, for all their benefits, makes industrial control systems inviting targets for cybercriminals, with potentially grave consequences. Attacks on critical infrastructure introduce a range of serious safety threats, including explosions at plants that would jeopardize workers, injuries to those using public transportation, and power grid failures that could leave thousands of people without food, water and sanitation services. The loss of power for an extended period would also create a dangerous environment in the streets for residents and businesses. Perhaps most disturbingly, it is conceivable that a brazen attack by a nation-state on a country’s critical infrastructure could spiral in a way that transitions cyber warfare into a military conflict that risks large-scale loss of life.