The Impact of Cybersecurity on Consumer Behavior

Author: ISACA Now
Date Published: 3 October 2022

Internet users in recent years have seen the rise of two-step authentication processes, CAPTCHA tests asking you to identify all the buses in a set of images, and text or email alerts about new logins to your devices. These are all methods of combating the increase in cyberattacks and are examples of the impact of cybersecurity on daily life.

When most people think of cybersecurity, they likely think of notable cyberattacks on large organizations, such as the SolarWinds hack or the Colonial Pipeline hack; however, cybersecurity is becoming more of an everyday conversation, as consumers increasingly shop online and are more concerned about what that means for their data. But what do we know about the often-overlooked consumer side of cybersecurity? In this blog post, we will break down the experiences and perceptions of consumers in relation to cyberthreats, digital trust and the organizations they interact with through data from ISACA’s “Cybersecurity 2022: A Consumer Perspective” global survey report.

How Does Digital Trust Affect Cybersecurity?
Digital trust is defined by ISACA as “the confidence in the relationship and transactions among providers and consumers within the digital ecosystem. This includes the ability of people, organizations, process and technology to create and maintain a trustworthy digital world.” ISACA Principal of Privacy Professional Practices Safia Kazi emphasized the importance of the relationship between digital trust and privacy in a recent episode of ISACA Live. “If you are trying to gain digital trust, you also have to be sure that you’re protecting people’s privacy. The two really do go hand-in-hand,” Kazi said.

Consumer confidence in an organization is crucial for that organization’s reputation, finances and opportunities for growth. If a consumer does not trust an enterprise’s stability in managing its threat landscape, the security and privacy of their personal data, or its integrity and transparency regarding company values and cybersecurity, the enterprise faces a greater risk of losing business and reputational success. Ninety-five percent of cybersecurity breaches are caused by human error, so it is important that consumers trust the humans behind the businesses they interact with to protect their information.

ISACA’s survey report revealed that consumers are more confident doing business with organizations that hire certified cybersecurity professionals. Certifications continue to secure their place in the industry as important signifiers of professionals’ experience, knowledge and skills in IT and cybersecurity fields, and they can be a great method of establishing such skills with consumers and stakeholders to increase digital trust and confidence in business interactions.

Why is Cybersecurity Important to Consumers?
With the rise in class action settlements, like those involving Facebook and Snapchat in the US state of Illinois alone, the perhaps overdue reality of consumers taking cybersecurity more seriously is emerging. Kazi mentioned that these settlements are one way the average person is learning more about privacy and the importance of keeping their data safe. “I ultimately think that the average person’s expectations for organizations with which they’re giving their data are only going to increase. … We might see more class action lawsuits, fines, penalties and just the reputational damage that comes with not protecting privacy,” Kazi said.

ISACA surveyed more than 3,000 consumers in the US, UK, Australia and India about their perspectives on cybersecurity. About one in three consumers, or a member of their household, have had their personal information stolen. When consumers engage with a business, they expect their information to be protected, and when such information is compromised, one in three consumers will cease their interactions with the business that failed to protect consumers’ Personally Identifiable Information (PII). Respondents to the survey demonstrated only moderate confidence in businesses’ ability to safely secure consumers’ PII. It is clear that consumers are taking the protection of their PII seriously and are therefore more likely to support businesses that do the same.

Despite recent regulations like the California Consumer Privacy Act (CCPA) and the General Data Protection Regulation (GDPR), and bills that have not yet been officially introduced like the American Data Privacy and Protection Act (ADPPA), 70 percent of consumers still do not feel like businesses are doing enough to keep their information safe and default to assuming it has been compromised without them knowing. This reiterates how crucial enterprises’ transparency is in establishing digital trust to ensure reputational and financial success.

Kazi’s advice for organizations: “If you can be clear about why you’re collecting data and how you’re going to process it, odds are [that] you’re going to do a good job of protecting privacy and gaining trust from your data subjects.”

How Do Cyber Attacks Affect Customers?
In addition to imperiling consumers’ PII, cyberattacks also cause consumers to feel helpless about their ability to protect their own data. According to ISACA’s survey report, about one in five consumers in the US, UK and Australia (and triple that number in India) experience a sense of resignation that there is nothing they can do to protect themselves from cybercrimes. Nearly half of consumers in the US, UK and Australia think that they are likely to be a victim of cybercrimes.

Although the initial cyberattack occurs just once, the lasting impacts of that attack continue for an unknown amount of time. If consumers’ data are stolen during cybercrimes and are subsequently sold to malicious actors, one attack can turn into a headache of fraud, identity theft and social engineering scams for the foreseeable future. Cyberattacks that compromise personal medical information in the healthcare industry or important account details in the financial services industry can cause emotional and financial stress. In the United States, the public is beginning to worry about state-sponsored cyberattacks against national security and defense systems and government agencies, in addition to their own personal information.

Of course, the cost of cybercrime is more than just emotional; it is financial, too. According to IBM, the amounts of money that malicious actors demand as ransom for stolen data have grown to seven and eight figures. The average cost of a ransomware attack, not even including the ransom payment itself, was US$4.62 million in 2021. Although this seems to be more of a financial concern for the company than for the consumer, these costs will affect the company’s budget and prices as it attempts to offset the damages of data compromises and cyberattacks. These rising costs will ultimately be reflected in the price of affected companies’ products and services, hurting consumers’ budgets.

What Does the Future of Cybersecurity Look Like for Consumers?
Consumers are growing more aware of and concerned about cybersecurity than ever before. With so much of their personal information and data existing online, consumers are increasingly seeking out businesses that value and demonstrate transparency around their data collection and storage processes, as well as those that are putting sound cybersecurity practices in place. Enterprises’ communication to consumers about what they are doing to safeguard their data will be vital in this new era. In this age of digital transformation, it is critical that the world of cybersecurity evolves rapidly to counter the rise of cyber threats and cyberattacks in order to maintain consumer confidence.