Consequently, preventative measures against cybercrime seem to be seen as an issue that can be resolved by technology, ignoring, for example, its social engineering dimension.
Public sympathy for companies that are the victim of cybercrime will eventually wane, particularly where theft of personal data leads to identity fraud. Regulators can also be expected to take an increasingly stringent view of the appropriateness of the technological and organisational measures taken by businesses to protect information, and shareholders will take more interest where brand image is damaged and share values are reduced. These are medium-term drivers for change, whereas there is a more immediate need to drive good corporate behaviour.
An alternative approach
A more effective approach to collective security would be for government to encourage good corporate behaviour through the use of tax credits or similar schemes that provide a commercial incentive. The UK Government's Cyber Essentials initiative aims to achieve collective security for government by requiring all suppliers to the public sector to meet certain technological standards. This operates like a kitemark, but it does not do enough to encourage wide-scale adoption in the private sector.
The internet is a commercial vehicle controlled by business, and businesses are guided by the drive to be profitable, or at least to reduce overheads. Costs such as insurance are a necessity that doesn't deliver profit, and expenditure on cyber-security falls into the same category. Public or shareholder demand will eventually require business to adopt more stringent cyber-security measures, but this will take time.
The creation of more criminal sanctions will not change the legitimate activities of business — but offering a financial incentive might, and spending on more security might also generate more economic growth in the process!