Cybersecurity is broken: Here's how we start to fix it

We are building our future on a creaking digital foundation. It's time for that to change.
Written by Steve Ranger, Global News Director

Cybersecurity is in a terrible state, possibly the worst it's ever been. Literally not a day goes by without another report of a security breach or a data spill or a hack spilling corporate secrets.

There is plenty of blame to go around, of course. Let's start with the obvious ones, the crooks and scammers – from petty criminals to organised crime – who are able to extort us with ransomware or steal corporate data or our credit-card details with phishing attacks.

Few police forces have the time, money and skill to catch these groups or bring them to justice. Then there are state-backed hackers who switch between espionage and cyberwarfare – and the governments that either turn a blind eye to their activities or positively encourage them.

Who else to blame? Perhaps the tech companies that are desperate to rush a new product to market to beat their rivals, and think that cutting corners on testing security is a good way to do it. And it's not just startups, either; witness the constant stream of security patches that flow from all the big tech companies every month, fixing problems with software that simply wasn't secure enough when it was sold.

What about the enterprise? There are software patches for all of the most regularly abused software flaws, just as there was a patch for the flaw that allowed WannaCry to spread. And yet those flaws go unpatched because firms don't want to spend the time and money fixing those flaws and patching those systems.


According to tech researcher Canalys, companies spent $37bn on cybersecurity last year, up nine percent on the year before. That might seem like a big number but despite the apparently high priority that organizations give to protecting data and networks, that still only accounts for two percent of total IT expenditure last year. And it's not just about the money; company bosses don't have a strong grasp of cybersecurity, even though they tick the boxes on compliance, while further down the organisation the tech workers don't think they've got the money or the skills to keep data safe.

While 10 or 20 years ago this might not have been much to worry about, now we're building our societies – our cities, our health services, transport and energy – on top of this digital infrastructure. There are plenty of excellent reasons to do so, but we need to be aware the foundations we are building on are in far worse shape than we realise. The ongoing row over the security of future 5G networks is just one example of the challenges to come.

But there is one other group that needs to acknowledge its share of the blame, too.


We've been too willing to let corporate giants collect and aggregate and slice and mechanically separate our data and sell it on. Not enough of us have reacted when our data has been leaked or stolen. It's not clear that a data breach stops us trusting a company anymore; what often happens is a small share-price dip when a company admits to a security breach but the impact is rarely long-lasting. Is that because there are so many breaches now that we simply cannot differentiate between them?

This to me is the way to turn the tide. First, we need to value our own personal data more. We need to understand the bargains that we make when we use the apps and services of big tech. We need to have a better understanding of what we are handing over, what they will do with our data, and how they will protect it. And we must not simply respond with a shrug when it is lost or stolen or misused. That will send a message throughout the rest of the ecosystem: to businesses that will have to spend more on IT security, to the software companies that need to prioritise security over the rush to market, and to governments and law enforcement that change is needed.

We are building our futures on these digital networks; let's make it very clear that we want, and expect, them to be secure.


The Monday Morning Opener is our opening salvo for the week in tech. Since we run a global site, this editorial publishes on Monday at 8:00am AEST in Sydney, Australia, which is 6:00pm Eastern Time on Sunday in the US. It is written by a member of ZDNet's global editorial board, which is comprised of our lead editors across Asia, Australia, Europe, and North America.

