Who suffers the most from cyberattacks?
The cybersecurity industry tends to focus on large organizations: the corporations and government bodies that represent big targets and can command big ransoms.
Yet research shows that cyberattacks disproportionately affect those with fewer resources: marginalized communities, small businesses and institutions that lack the budgets of a major government department.
The issue raises important questions for the impact investing community. Can cybersecurity startups be a vehicle for social progress? Should impact investors begin investing in security companies? If so, in what circumstances does a cybersecurity company merit impact funding, and when does it not?
System vulnerabilities
The disparities we see in our physical lives are echoed in our digital ones: cyber inequality is driven by resource limitations, skills gaps, regulatory blind spots, and lack of prioritization.
Cybercrime exacerbates these inequalities. Women are more likely to report feeling unsafe online than men, and people of color and the elderly are more likely to become victims of cybercrime. Immigrant communities, veterans and people recovering from natural disasters are also disproportionately targeted by cybercriminals: a widely cited survey from Malwarebytes found that Indigenous, Black and other people of color experience social media hacks and identity theft more than white people.
Vulnerable small businesses and rural institutions often lack the financial bandwidth or skills to put adequate cybersecurity measures in place. Organizations that provide core public services, including healthcare, local government, energy and education, are also more exposed and are targeted for cybercriminals.
In the healthcare sector, for instance, hospitals and other medical institutions host a range of sensitive data, including personal medical records and financial information. That combination makes hospitals “basically a one-stop shop for an adversary,” according to Chris Callahan of the federal Cybersecurity and Infrastructure Security Agency. Cyberattacks are particularly devastating for rural health systems, which lack the security resources of larger health systems in urban areas.
For government bodies, especially small local and municipal organizations, cyberattacks can limit the ability to provide public services, resulting in a loss of public trust. On election day in the US two years ago, hackers launched a distributed denial-of-service attack on state websites containing voter information in Mississippi. In Maryland, cybercriminals stole the EBT benefits of thousands of adults and families in 2022 and 2023.
The energy system in the US is also vulnerable to cyberattacks. In April 2024, the North American Electric Reliability Corp. reported that the number of susceptible points in electrical networks increases by about 60 per day. Outages are likely to be more prolonged and damaging for low-income communities, because these communities have comparatively fewer resources to survive blackout periods.
And in the education sector, a ransomware attack in 2023 shut down the Tucson Unified School District for two weeks. The cost of rebuilding the school district’s systems exceeded $1 million, only a portion of which was covered by insurance.
“Young students are especially desirable targets because their credit records are unmonitored and can be exploited for years,” explained Doug Levin of K12 SIX, a nonprofit working to prevent cyberattacks in schools.
Cybersecurity startups have an opportunity to address these issues and support vulnerable populations and institutions. Solutions that promote online safety, security hygiene and digital literacy could be considered by impact investors. Any solution that addresses the gap in digital resilience between large, well-resourced institutions and smaller organizations would merit impact investment.
Gauging potential impact
The opportunity for impact investment in cybersecurity seems obvious based on this kind of data and these examples. Not every cybersecurity company is worthy of support by default, however. The vast majority of cybersecurity companies don’t consider addressing inequities to be part of their core mission.
Theoretically, any cybersecurity vendor can increase resilience for a rural hospital or K-12 school district. A vendor that aims primarily to serve large enterprises and happens to support some civic institutions along the way is not an impact investment.
Cybersecurity has not historically been a target for the impact investing community, and investors should maintain a high bar for the intentionality of investments. But impact investors shouldn’t shy away from opportunities that could effectively support their mission. Companies bolstering cyber resilience for comparatively vulnerable populations are worthy of impact funding.
Startups operating in cyber-adjacent areas, including companies addressing digital literacy and skills shortages, could meet a high bar for impact investment. Additionally, vertical-specific companies that target industries like healthcare and education would also have a more justifiable impact case than those targeting the market more broadly.
At SJF Ventures, many of our portfolio companies don’t self-identify as “impact companies,” but we’re able to find common ground when accelerating their growth in areas that happen to also deliver measurable impact. Impact investors can help startups succeed in underserved verticals where deal sizes are large but founders may lack experience. School districts and rural care networks may have unique procurement procedures and lack understanding of cybersecurity services; impact funds can support vendors navigating these sectors, helping to maximize value and accelerate deals that deliver meaningful impact while bolstering the startup’s bottom line.
As the gap in digital literacy and resilience widens, we should see impact investors roll up their sleeves and begin to step in.
Dan Geballe is a Managing Director and Elizabeth Roberts is a Senior Analyst at SJF Ventures.
