Measuring the hidden cost of cyber attacks

In case you missed it, last week iDcare's David Lacey revealed his organisation's efforts to track the impact of data breaches on individuals in terms of the human cost.

I find it shameful that this is not included when we assess the cost of cybercrime on the global economy.

What about the amount of time people spend cleaning up the mess after their identity is stolen? What about the psychological harm involved in being violated by an unknown attacker? We seem to understand how burglary, armed robbery, and murder affect people, but this silent threat can do as much damage.

The new Australian cyber security strategy [pdf] outlined the government's plans to get a better understanding of the true costs of malicious cyber activities to the Australian economy.

For this research project to be effective and not just repeat the same old stuff we’ve seen in the Ponemon study [pdf], it needs to pay attention to the work being done by iDcare. No-one is discussing the human cost, but this is exactly what will affect victims for years to come, with untold costs across the medical sector that are hard to account for.

If we look back over the past few years, some of the large-scale data breaches could well have these kind of far reaching consequences. When the US Office of Personnel Management was attacked back in 2013, few were considering the long term human impact of losing all of that valuable data.

Over five million US government staffers having their personnel records pilfered marks one of the most significant espionage attacks of all time. Not only has this massively cost the US government in having to redesign its systems [pdf], but every single one of those government workers now faces a lifetime of risk from attack through the release of their personal information.

The fact that your identity - and your biometrics - are known to a malicious actor would be a worry for any worker, whether it’s a clerk or a CIA operative, but we hear little about the health impacts this has on those involved. 

The not-for-profit iDcare, however, is studying the human side of cyber attacks in the hope of quantifying the impact on Australian victims.

Anyone who’s been unfortunate enough to have their home burgled will know you go through a period of feeling anxious and paranoid that the intruder will come back, wondering whether you should go on that holiday, fearing that on returning home, the house will once again have been ransacked.

Cybercrime has a similar effect. People who have had their ID stolen can suffer for months if not years as yet another false credit agreement is set up in their name, continually reminding them of the violation, which can lead to ensuing anxiety and mental health issues.

As iDcare’s chief, David Lacey, said, “Once you have your identity compromised, it’s not like you can get it back.”

So all those victims in the US who had their ID stolen from Anthem, Sony Pictures, Target and the OPM face potentially years of hardship where their data is used for criminal gain. Even a small percentage of these people developing real mental health issues related to anxiety will place a burden on the healthcare system.

One thing we can all do to help ourselves, since we’re not being helped by the companies that are charged with protecting our data, is look for a way to trip an alarm that our personal data is being accessed.

Tools like Canary Tokens are one potential way we can create alarms that notify us that someone has gained unauthorised access to our data.

Tokens will send you an email alert whenever a specific embedded URL is requested. You might embed a token within an unread email in your inbox, putting something enticing as your subject line, such as, “Banking details for Westpac,” or “LinkedIn password change.”

If an intruder has managed to grab your details from another account and broken into your email, they’ll soon scroll through and open the unread lure. You'll get an email from the Canary Token server saying your alarm has been tripped and you can immediately consider that account compromised and respond accordingly.

However, the reality is we need the government to get involved if we are going to measure this human impact effectively. 

Hopefully, the government's research into the cost of cybercrime as part of its new cyber strategy will include a discussion with iDcare to ensure human costs are included in its findings.

It’s only by properly understanding the full cost that we’ll ever be in a position to know how much to invest in fighting cybercrime.