The US-based Centre for Strategic and International Studies (CSIS) announced last Wednesday the annual cost of cybercrime for the global economy amounts to USD 600 billion or 0.8% of the world’s Gross Domestic Product (GDP). This is an increase from a 2014 study that put global losses at about USD 445 billion!
The Ponemon Institute recently announced that the average costs of a data breach in South Africa amount R36.5 million, which is increasing from R3 million in 2017.
Yet, we often neglect these and similar facts. There is, however, a reason, which is a focal point of this story. It is called ‘cybersecurity fatigue’.
‘Ordinary’ citizens and business users of modern but increasingly complex information and communication technologies are increasingly ‘sick and tired’ of horrifying cybercrime stories and frequent requests to change their passwords or pins. This is understandable as we now have to deal with 20 or 30 different passwords, keywords, logins, PINs, and other fancy words.
No wonder that many people have reached the saturation point, which desensitised them to cybersecurity. Being bombarded with numerous cybersecurity messages, advice and demands for compliance, users lose interest to listen and comply.
As such users tend to avoid these directives and, in order to regain control, behave irrationally by adopting a ‘head in the sand’ approach, embracing a carefree online attitude driven by impulse and immediate gratification. The usual motivation behind this behaviour is the perception that much of the shocking impact of cyber-attacks is due mainly to the bellicose headlines that often report on these stories.
This cybersecurity fatigue or ‘bury head in the sand’ phenomenon manifests itself in much the same way in what psychologists call ‘decision fatigue’ or ‘ego depletion’. It drains our mental energy making us less resistant to real dangers and lures us to do things without real consideration for consequences.
It is needless to say that this ‘bury head in the sand’ approach is the most damaging to those self-deceiving users. This behaviour can, for example, result in stolen identities, which can often end up in stolen money or reputation. Refusing to enhance online security because people loathe the added security pathways can cost businesses revenue and lost customers. Not securing access to a company’s data can cost organisations millions.
This fast emerging sentiment is, unfortunately, yet another way towards cybersecurity Armageddon in this country. As much as educating citizens and the workforce about the safe and secure use of the modern digital technologies is verbally understood and accepted by all major stakeholder in South Africa, is not even nearly enough done in this regard.
The electronic and traditional news outlet and web portal are still full of threatening stories. At the same time, the encouraging stories are as frequent as the appearance of the Himalayan Yeti. This simply contributes to our behaviour of switching off, believing that it will not happen to us.
The majority of cybersecurity experts that voice their opinion on the matter are technical people and are not trained in education people. Nor we should expect it from them.
Instead, our government and educational institutions should finally realise that we are living in a highly interconnected world that is, unfortunately, becoming rapidly hazardous. Spreading a balanced cybersecurity awareness and education of citizens of this country is not only desirable but simply a must.
It is particularly dangerous when the government officials take a ‘bury head in the sand’ approach and neglect protecting the country’s critical infrastructure, economy and population. Concentrating only on winning the next year election will not be of a particular benefit if the county’s already damaged economy gets further ruined by some cybersecurity Armageddon. The same message applies to all decision-makers in this country.