By: Oren Falkowitz

The World Economic Forum’s Global Risks Report 2018 ranks cyberattacks alongside extreme weather events and natural disasters as the most likely risks threatening the stability of society.

Roll that phrase around in your mind for a minute: One of the most likely and dangerous risks threatening the stability of society in 2018 includes cybersecurity. That means “attackers could trigger a breakdown in the systems that keep societies functioning.” In other words, we’ve moved far beyond tic-tac-toe, website defacement, stealing passwords and credit card numbers.

This is even more astonishing when you consider that, of all the global risks, cybersecurity is one of the few we have control over. If you run an ice cream shop, or a hospital, or a large multinational corporation, there isn’t much you’re going to be able to do about the next Category 5 hurricane or the Arctic melting. You’re also not in a position to do much about the increasingly likely prospect of a nuclear conflagration. But cybersecurity? You can do something about that. And that’s an important distinction.

Now, in all fairness, we haven’t been given very good tools to do that, and the cybersecurity industry as a whole has much to answer for, having sold billions of dollars of “solutions” that don’t seem to work very well. But it’s time for cybersecurity companies to be accountable to you, their customers, for the efficacy of their solutions. That’s the way the marketplace is supposed to work, and cybersecurity is a product or a service that needs to be responsive to the equilibrium of the market — the same way every other company has to be accountable for the performance of their products when they’ve been found lacking.

The resulting damage from ineffective cybersecurity is significant, with large-scale attacks becoming more commonplace as well as more damaging. Consider these statistics:

  • Companies revealed breaches of more than 4 billion data records in 2016.
  • The estimated annual cost of responding to cyberattacks is now $11.7 million per company, and there has been an average annual increase of 27.4% in the number of security breaches.
  • More than 10% of the $3.7 billion raised in initial coin offerings (ICOs) has been stolen via phishing.
  • Cybercrime carried out against businesses will cost them $8 trillion from now until 2022.

It’s clear we’re moving on a trajectory from data theft to data and network ransom. And if we don’t begin to change the economics of being a bad guy on the internet, which is a really good business today, it’s not going to get any better. But that involves demanding accountability from cybersecurity providers and focusing resources on the root cause of the problem: phishing.

You can start by not buying into the conventional wisdom that 1) these attacks are unprecedented, 2) hackers are too smart, and finally, 3) there’s nothing that could have been done. This is simply the most egregious example of “cargo cult science,” where erroneous conclusions are arrived at by misinterpreting the causality of results. So don’t be fooled by this line of so-called reasoning. We routinely send astronauts into space to live for months at a time. We can protect ourselves while we’re using the internet. Just because something cannot be done by certain methods does not mean it cannot be done at all.

We’ve already spent millions trying to solve this problem to little avail. It’s time to stop that. As an organization that spends a portion of that on your cybersecurity, you have economic power that you need to start using. Demand solutions you can depend on so that those of us in the cybersecurity industry can be held accountable for what we sell.

What if, from now on, we were to only offer our cybersecurity solutions on a pay-for-performance basis? As in, if it doesn’t perform, customers don’t have to pay for it. I believe it’s important that we make the cybersecurity industry accountable for the performance of our products.