Just yesterday, the Dutch negotiators came to an agreement on leading the country. One of the most interesting things mentioned in the agreement is the increase in the budget for cybersecurity. An increase to 95 million euros in the upcoming years seems necessary, but is it really?
With the increase of the digital economy, digital risks have grown, too. Examples such as the Wannacry ransomware and Cloudbleed hack come to mind. Both hacks have direct on impact on both businesses as private citizens. These risks imply large costs for companies when they actually happen, far surpassing the cost for prevention. But there are large government risks too. In the US, 198 million voter records going back more than 10 years were publicly accessible, exposing a large cybersecurity risk. Closer to our borders we can identify the Macron campaign hack. Hackers dumped 9GB of emails from the party of Macron to undermine his run for the presidency. While these risks may not imply large costs in euros, they imply large social value.
Cybersecurity has been increasingly in the news for the last years and large companies seem to be increasingly aware of the threats. Average security budgets for companies are growing: Where a lot of companies in 2014 spent an average of 4-6% of their IT budget on security, in 2016 this number has grown to an average of 8-10% of this (meanwhile) increased budget. This budget varies based on the industry a company is in. With financial services leading at 12%, IT services sitting at 7% and education only at a mere 1-3%(Sans, 2016).
What about governments? Do they go with the trend of spending on cybersecurity? According to SANS Institute governments on average do spend 7% of their digital budget on cybersecurity, too. Looking at the increase in the upcoming Dutch cybersecurity budget, the table below shows what the spending for the leading countries in cybersecurity may look like based on a percentage of GDP. The Netherlands will grow to a 5th place internationally, following just behind the UK, France, Denmark and Australia. The US is leading the cybersecurity market by a large margin, mostly driven by its high spending on military (HCSS, 2016).
Cybersecurity risks will keep growing as the digital economy is taking a bigger part of the total economy each year. For governments, elections and citizen private information are issues to be more aware of. As the Internet of Things is growing, so do the risks going arm in arm with this. The Netherlands seems to realize the risks with this new agreement, showing Europe and the world that they should too.
https://www.nu.nl/internet/4957952/tientallen-miljoenen-extra-cybersecurity-nieuwe-regering.html
Click to access HCSS-Dutch-Investments-in-ICT.pdf
https://financieel-management.nl/artikel/wereldwijde-uitgaven-cybersecurity-72-miljard-euro
https://www.sans.org/reading-room/whitepapers/analyst/security-spending-trends-36697
Hi Koen!
Interesting blog you wrote today. I agree with your opinion that it is a good thing the Dutch government is increasing its expenditures on cybersecurity and that this should be viewed as an example by the rest of Europe. I do have a question regarding your opinion on this topic. The question came up to me, because nowadays companies posses so much (sensitive) information about citizens that if those leak it can have large consequences for the life of citizens. An example of this is the Ashley Madison hack, where the personal information of people who had a profile on that site was leaked (the example is not about whether the site is morally right, rather it is about what can happen when personal information gets leaked). This even caused some of the victims to commit suicide (BBC, 2015). So, do you think the government should get more involved with cybersecurity in businesses? e.g in the form of regulations regarding the topic. And is it even possible to do so in any way? I think these kind of issues might become very relevant in the near future as more and more data about everything we do in our daily life is stored.
Kind Regards,
Justin Heini
BBC, 2015: http://www.bbc.com/news/technology-34044506
Comment on Cyber Security:
Thank you for your insights Koen and Justin.
Cyber security certainly is one of the topic with the most rapidly growing importance in IT. Both of you outlined good examples of cases in which the necessary measures were not taken and the worst case scenarios did actually happen. The financial and personal damages are enormous: Last month Fedex admitted to having lost $300m from the NotPetya cyber attack in its dutch branch TNT Express (Heise, 2017).
Start-ups and investors are increasingly picking up on those issues and try to turn them into an opportunity. Earlier this year market researcher Quid published a list of the most promising start-ups you probably never heard of and unsurprisingly the start-ups with by far the most investments are operating in the Online Security & Fraud Detection sector (Bloomberg, 2017).
With investments that high on the private side it is not surprising that the governments are trying to keep up and develop their own cyber security services in order to protect their economies.
Germany for example has a department for cyber security (BSI) and is providing services to companies based in the country. When a treat is detected by the BSI, it will provide information to the companies that are in danger of being affected so they can provide the necessary safety measures before damage can be done (BSI, 2017). This already proved effective in the past when information could be provided early enough. Similar to the Netherlands the German government approved 180 new jobs in that department to ensure better cyber security for economy and government (Bundeshaushalt, 2017).
So regarding to your comment Justin, governments are already starting to be more involved in cyber security in the private sector. And at the moment it only looks like that will increase even more in the future.
Greetings,
Alex
Sources:
https://www.heise.de/newsticker/meldung/NotPetya-Auch-Fedex-kostet-die-Cyber-Attacke-300-Millionen-US-Dollar-3838159.html
https://www.bloomberg.com/graphics/2017-fifty-best-startups/
https://www.bsi.bund.de/DE/DasBSI/Aufgaben/aufgaben_node.html
https://www.bundeshaushalt-info.de/fileadmin/de.bundeshaushalt/content_de/dokumente/2017/soll/Gesamt_Haushalt_2017_mit_HG.pdf
Thanks Koen for your enlightening blog post and thanks Alex and Justin for your contribution. After you have all spoke about the effects cyber security may have in companies as well as in the public sector I would like to elaborate shortly on the cyber security within the healthcare industry. You mentioned briefly the Wannacry cyber-attack; but I would like to elaborate on the effects it had on the National health Service (N.H.S.).
According to the Telegraph at least 17 healthcare institutions have been affected by the attack, arguably disputing life essential treatments! I believe the cyber security investments within commercial companies should be paid by themselves, as they are only covering their own risks. Nevertheless, I believe a large amount of resources should come from the government to improve cyber security within the Healthcare industry, as many healthcare institutions in the Netherlands are public institutions. Furthermore, I believe the private institutions should also be subsidized to improve cyber security, as all healthcare companies are interrelated and maintaining their security benefits our society as a whole. Future attacks could be catastrophic; possible affecting ongoing operations, leading to deaths!
Interesting to argue about government spending after we have just seen the government plans for the upcoming years! I did not research the current investments in Cyber Security, but maybe another contributor could have a look 🙂
http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/