dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"
Outside of geek circles, people might assume that if a firm has just suffered a security blunder, that they'll sure be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.
The biggest blunder a company can make is to try to hide that there has been a security breach because if they do try to hide a breach and it leaks then there may have been other breaches that aren't revealed.
Being open about breaches and the impact of the breach is not hurting a business, and it may also cause other businesses to look after their measures.
Repeated offenses may of course have an impact on the reputation.
For any laptop owners out there with sensitive data - use things like TrueCrypt. If you
The biggest blunder a company can make is to try to hide that there has been a security breach
Correction: the biggest blunder a company can make is to hide that there has been a security breach AND THEN GET CAUGHT. If they're successful at hiding it, there is no penalty at all.
This is just one form of the classic Prisoner's Dilemma [wikipedia.org].
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.
Reputations are just rationalizations. Real security is not measurable by reputation.
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
I disagree. I might not file suit against TJ Maxx if it was beyond their control to stop this from happening. If, on the other hand, poor unreasonable company policy allowed a low level employee to sell it on the black market, I would probably be interested in a class action lawsuit against the company for poor protection of privacy.
Real security is not measurable by reputation.
Unfortunately, for a lot of these things, reputation is all you have to judge. And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card
"Real security" is not measurable at all. Let's look at a relatively tiny sub-problem in the overall picture of enterprise security: which OS is the most secure? The answer is, there are a thousand variables, and even though OS's are the most accessible garden-variety software, and we all deal with them all the time, there is still no consensus even on this single website as to which is "best." Now try to scale that problem back up to a huge bank, (say you're looking at bankrate.com considering opening a
Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".
Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.
Well, TJX's "mistake" was to use WEP instead of WPA; WEP has been a known-security hole since 2001 and yet they continued to keep using it. Maybe blatant laziness should be punished by Federal law rather than relying on the public to decide whether or not they deserve disciplinary action.
It is easier and more politically expedient to lay the blame on "hackers." You know, "hackers" who can just sit down and within 5 minutes completely take over bank and government systems. Obviously, we are powerless to stop "hackers," despite all of our best efforts, so it is their fault, not the fault of a company that had extremely poor security practices. In no way can the company that decided to hook its systems up to the Internet without spending the money on serious security, or to allow a radio co
This depends what kind of business it is. If they're providing hardware and/or services to the geek crowd, it matters a lot. If they're selling shoes and their credit card information database gets stolen, it will probably have little (if any) lasting impact because even if people hear about it, they won't understand it and thus won't remember it. If they do remember, they'll pay cash the next time they go there, but they'll still go.
No I think it's much simpler than that. I think it's more about the teenage mentality of "well if everybody is doing it, so should I". 15 years ago we didn't hear about security breaches daily, such as we do now, and the scarcity of these cases separated and labeled the affected few as "careless". Today there are so many reports regarding so many businesses that it has become rather blase (/. hates stress [wikipedia.org]). What's to be "marked" about when both the business left and right to me have had similar issues? Unfo
Look, people make mistakes. It happens. Especially when those people are gathered into large groups.
FTFY.
There are a bunch of reasons for that: mob mentality, political considerations, and being able to duck any responsibility for screwing up are definitely a part of that story though.
It's not so much forgiveness, I think, as resignation.
For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.
But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.
That's what computer security is like for most people. They don't understand it, and they have good reason to suspect that the people who run the companies they deal with don't understand it. If a company gets hit with an embarrassing breach, they might reasonably conclude that its claim to have learned its lesson is just as credible as a different company's claim it hasn't been hit because it already knows better.
If you want to fix this, there are two ways, neither of them popular. The first is ore regulation of record keeping practices. The second is to establish liability of companies when information it is holding is misused.
by Anonymous Coward
on Wednesday August 12, @10:56AM (#29039347)
Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.
Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.
From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?
So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.
Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.
I think more to the point is that a lot of people place the blame on "hackers" when they hear about these blunders, rather than on companies that had poor security practices. People seem to think that a "hacker" is someone who can sit down, instantly bypass any security system, and then steal information -- and the innocent companies did everything they could to stop it from happening. Nobody has any concept of the common textbook mistakes that these companies cannot find the money to correct, or just how
The same thing can be said for the people who have a bot-infested XP machine sitting in their office. Instead of spending the money on AV and security, investing time into making sure they aren't stupid on the web - they just go on with life and blame the hackers.
Another thing that goes against us is the portrayal of hacking in tv shows and movies - they make it look super easy to hack into NSA systems and other HIGH-SECURITY systems that people start to believe its possible.
if you are a bank and your database of credit card number was compromised, your customers might think twice before opening any new accounts with your. or continuing their current one/s
Remember, the company you see on the news regarding their first ever data breach had a sterling security reputation... until it didn't.
I expect companies I do business with to do everything possible (within reason) to prevent breaches, but I also accept the fact that breaches are inevitable.
Be upfront and honest with me about it. Make sure it doesn't happen again. Repair any damage that was done. Do those things, and you'll have my business.
Banks, Hedge funds, Insurance companies and anyone dealing with money... this is a real and valid concern because not only are stock holders and nvestors watching your every move but the Feds are as well and you get audited regularly to see that you are in compliance with a variety of guidelines.
Failure to meet, match or getting caught with your pants down on security can mean clients will not sign up with you due to your ranking or lack of credentials.
Dealing with regulations for the banking industry: There is a requirement that SSNs are encrypted, unfortunately under the regulation, ROT-13 would pass under the definition of encryption under the regulation.
The TJX breach didn't matter to the vast majority of TJX customers.
Most didn't hear of it, and those that did went "Oh, it was only X store and I wasn't affected"
Look at the TJ Maxx stores, they are a low end bargin retail chain, most of their business probably isn't even done with credit cards. Even those customers that were affected probably disputed the charges and moved on, without understand how crappy the security was. Most customers probably bought the "oh my, we're sorry this happened, we'll ma
A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach [2008breach.com] in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.
I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so
If I had modpoints, you'd get one, AC. The Heartland breach kinda makes TJX look minor, and many people who might have been affected would never know.
Shame TFA didn't mention this, because it's a much more serious vulnerability than one large retail chain, precisely because the customers don't know about it.
But to answer the question posed, I think I might be more likely to shop at a chain that's been compromised. Not right when the story is breaking, mind you, but several months later, certainly. If the
It's insanely hard to sell security with the reputation angle. Why? Because neither companies nor customers give a rat's fuzzy bottom about it. Did you hear of anyone who canceled their account with a bank after said bank lost customer data by the gigabyte? Nah. Why? After all, now they fired that idiot that lost their data and now they're safe again. They said it themselves!
(if people actually heard about it, that is)
You sell security with the liability angle. If, and only if, there are some sizable fines
In the long run, nobody cares.
Initially everyone cares because there's a big negative blow-up in the press, the stock takes a beating, and everyone spins their heads off. Then the quarter ends, the media loses interest, the stock comes back, and it's business as usual.
And the real potential losers, the customers, never cared at all, they just want their latest fashions. The six people who might care do their shopping elsewhere, but they're statistically irrelevant.
Now if you'll excuse me, I'm off to
There is a reputation for being bad and a reputation for being good.
Having a reputation for being bad doesn't mean much anymore because so many people have screwed up. But a reputation for being good is worth it's weight in gold.
If I told you about how horrible my credit card company treated me, would you care? No, because you expect all credit card companies to suck. But if I told you they were fantastic, did a great job dealing with an Identify theft case, then you might want to know about it.
We've been trained all our lives that the Government will step in and save us. Is it any wonder that people no longer bother to research things before they put their money in them?
I research dang near everything I buy, right down to my toaster-oven. Because I do so much research, I know how to read the information out there, and it has been a -long- time since I bought something that was crap. (Except some toys I bought on impulse without researching!) Most people can't be bothered, so they pay the pric
It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.
Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.
When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.
They had a major problem a few years ago, where due to some poor sales policies they gave bad guys access to tons of SSNs. That led to pushes on Capitol Hill for major changes in how all personal data providers do business, and in particular how they handle SSNs.
That had a non-trivial impact on a bunch of companies, including one I worked for. It caused us to spend a lot of time and money checking to see if we had a similar vulnerability (because our business was very SSN driven).
The issue is that there is little incentive to take proper precautions in protecting personal data. Yes, reputation might affect customer decisions a little, but the problem is so broad what are you going to do.. change your bank? I had a former employer send me a letter once that my personal data may have been exposed as they moved office buildings, what option did I have then? The only real answer I can think of is to have some legislation that penalizes a company if such a breach of personal data occur
Many potential customers won't to business with you if you don't pass security audits. There's one major reason why having some security pays off.
The other reason, of course, is breach notification. It is very expensive to tell one million people you left their billing info on an anonymous FTP server.
TJX is not a company that any one expects much out of from the standpoint of security. While it would be nice if they were not idiots, but they were and it is unlikely that anyone who has done business with them would be surprised.
If a company where to have a solid reputation for security, and have a large chunk of their revenue based on security offerings and where then to be discovered to not only have been exploited, but to have been exploited because they failed to make even a reasonable effort to prote
The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.
Your statement actually has rather terrifying implications, since after 9/11 we saw a rush of hysterics that created a) illusory security practices like the nonsense we have to put up with at airports and b) several wars in the Middle East that have done anything but make us more safe. I can't help but think that when (not if) there is a break-in like you describe, the government is going to start keeping track of everyone who downloads nmap, etc.
What it means is that the average person doesn't have any idea what "data security" is all about, not even when they read news stories about breaches in data security. The only time any of it gets through their heads is when their identity has been stolen and their lives are ruined because of it.
Banks have *very* little liability. Many of the breaches have had to due with credit cards issued by, guess who? Banks. So who cares. The onus is on the card holders. The only rights a card holder has is in the creditors rights laws which do not cover identity theft.
So the bank can walk away from any civil liability in the case of identity theft. And just dare to try to impose liability. The banks will scream "We're too important to the economy! We'll stop lending
for everyone else, if you can't measure it, it's worthless.
Whether it's "goodwill", "reputation", "contacts" or whatever. Yo often see these so-called assets listed when a business is up for sale. However no-one has ever found a way to measure the amount of any of these things that a company claims to have - klet alone being able to place an objective value on it. All these attributes are pretty much meaningless - either to customers or shareholders. The only thing that matters is price. Take low-cost air
It's the general feeling, even among professionals, that security breaches are arbitrary. That, for every laptop with unencrypted harddrives and/or data left in the train, there is a remote root hole on the securest system that defies explanation because it was never thought of before.
It would be great if companies with sloppy security practices would be punished severely, go out of business, have all their executives waterboarded and sent to Guantanamo, etc. But the next best thing is if I, as an individual, have a meaningful opportunity for choice. I switched from Ameritrade to Scottrade because I, like many other people, was getting pump-and-dump spam sent to the email address that I used only with Ameritrade. (For years they claimed it was dictionary attacks, even though I and many o
My theory is that security experts (and novices like myself) feel totally... betrayed, flummoxed, frustrated, whatever, that we are still using security algorithms that have been compromised. I know you need a supercomputer to crack SHA-1, however last I checked there are quite a few of those, and you can basically make a mini-supercomputer with a d
bad news is good news? (Score:4, Interesting)
Outside of geek circles, people might assume that if a firm has just suffered a security blunder, that they'll sure be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.
Don't know about repeat offenders though.
Re: (Score:3, Insightful)
The biggest blunder a company can make is to try to hide that there has been a security breach because if they do try to hide a breach and it leaks then there may have been other breaches that aren't revealed.
Being open about breaches and the impact of the breach is not hurting a business, and it may also cause other businesses to look after their measures.
Repeated offenses may of course have an impact on the reputation.
For any laptop owners out there with sensitive data - use things like TrueCrypt. If you
Re: (Score:3, Interesting)
The biggest blunder a company can make is to try to hide that there has been a security breach
Correction: the biggest blunder a company can make is to hide that there has been a security breach AND THEN GET CAUGHT. If they're successful at hiding it, there is no penalty at all.
This is just one form of the classic Prisoner's Dilemma [wikipedia.org].
CD Universe died from bad reputation????? (Score:2)
In 2000, I think the thing that killed an online store selling CD's wasn't a bad online rep.
Think back. What was all the rage in 2000? Napster.
Re: (Score:2)
It only matters if you're affected (Score:5, Insightful)
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.
Reputations are just rationalizations. Real security is not measurable by reputation.
Re: (Score:3, Interesting)
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
I disagree. I might not file suit against TJ Maxx if it was beyond their control to stop this from happening. If, on the other hand, poor unreasonable company policy allowed a low level employee to sell it on the black market, I would probably be interested in a class action lawsuit against the company for poor protection of privacy.
Real security is not measurable by reputation.
Unfortunately, for a lot of these things, reputation is all you have to judge. And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card
Re: (Score:2)
Duh (Score:4, Insightful)
Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".
Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
This depends what kind of business it is. If they're providing hardware and/or services to the geek crowd, it matters a lot. If they're selling shoes and their credit card information database gets stolen, it will probably have little (if any) lasting impact because even if people hear about it, they won't understand it and thus won't remember it. If they do remember, they'll pay cash the next time they go there, but they'll still go.
Mal-2
Re: (Score:2)
Re: (Score:2)
Look, people make mistakes. It happens. Especially when those people are gathered into large groups.
FTFY.
There are a bunch of reasons for that: mob mentality, political considerations, and being able to duck any responsibility for screwing up are definitely a part of that story though.
Re:Duh (Score:4, Interesting)
It's not so much forgiveness, I think, as resignation.
For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.
But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.
That's what computer security is like for most people. They don't understand it, and they have good reason to suspect that the people who run the companies they deal with don't understand it. If a company gets hit with an embarrassing breach, they might reasonably conclude that its claim to have learned its lesson is just as credible as a different company's claim it hasn't been hit because it already knows better.
If you want to fix this, there are two ways, neither of them popular. The first is ore regulation of record keeping practices. The second is to establish liability of companies when information it is holding is misused.
Parent
No security available anywhere (Score:5, Insightful)
Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.
Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.
Size matters (Score:5, Interesting)
From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?
For me they did (Score:2)
I live very close to stores from both companies and only pay cash at them now.
Re:For me they did (no they didn't) (Score:5, Insightful)
So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.
Parent
Poor reporting (Score:3, Insightful)
Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.
Re: (Score:2)
Re: (Score:2)
Another thing that goes against us is the portrayal of hacking in tv shows and movies - they make it look super easy to hack into NSA systems and other HIGH-SECURITY systems that people start to believe its possible.
Corporations and reputations (Score:3, Interesting)
It is not about IT (it is about insurance companies in Nazi Germany), but provides a very good insight nonetheless.
Depends what industry (Score:3, Interesting)
If you're a relatively mundane manufacturing company and you leak customer data -- who cares?
If you're a Visual Effects studio and you leak shots from a major new film, "sonny, you ain't gonna work in this town again".
Re: (Score:2)
if you are a bank and your database of credit card number was compromised, your customers might think twice before opening any new accounts with your. or continuing their current one/s
Re: (Score:2)
If you're a relatively mundane manufacturing company and you leak customer data -- who cares?
"Chinese Employee Loses iPhone Prototype Kills Self"
http://mobile.slashdot.org/story/09/07/21/1814212/Chinese-Employee-Loses-iPhone-Prototype-Kills-Self [slashdot.org]
Most people not monetarily involved, think he was killed, not killed himself.
Reputation means very little; Response means a lot (Score:2)
Remember, the company you see on the news regarding their first ever data breach had a sterling security reputation... until it didn't.
I expect companies I do business with to do everything possible (within reason) to prevent breaches, but I also accept the fact that breaches are inevitable.
Be upfront and honest with me about it. Make sure it doesn't happen again. Repair any damage that was done. Do those things, and you'll have my business.
Re: (Score:2)
TFA links a company's security reputation to whether or not a breach occurred in the first place, not how the company responded to the breach.
There is a subtle difference between a reputation for having no security breaches and a reputation for responding well to security breaches.
I am claiming the former is not as important as the latter.
Not in Finance (Score:2)
Failure to meet, match or getting caught with your pants down on security can mean clients will not sign up with you due to your ranking or lack of credentials.
Re: (Score:2)
TJX breach didn't matter. (Score:2)
Most didn't hear of it, and those that did went "Oh, it was only X store and I wasn't affected"
Look at the TJ Maxx stores, they are a low end bargin retail chain, most of their business probably isn't even done with credit cards. Even those customers that were affected probably disputed the charges and moved on, without understand how crappy the security was. Most customers probably bought the "oh my, we're sorry this happened, we'll ma
Reputation doesn't matter in some industries (Score:2, Insightful)
A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach [2008breach.com] in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.
I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so
Re: (Score:2)
If I had modpoints, you'd get one, AC. The Heartland breach kinda makes TJX look minor, and many people who might have been affected would never know.
Shame TFA didn't mention this, because it's a much more serious vulnerability than one large retail chain, precisely because the customers don't know about it.
But to answer the question posed, I think I might be more likely to shop at a chain that's been compromised. Not right when the story is breaking, mind you, but several months later, certainly. If the
Not at all (Score:2)
It's insanely hard to sell security with the reputation angle. Why? Because neither companies nor customers give a rat's fuzzy bottom about it. Did you hear of anyone who canceled their account with a bank after said bank lost customer data by the gigabyte? Nah. Why? After all, now they fired that idiot that lost their data and now they're safe again. They said it themselves!
(if people actually heard about it, that is)
You sell security with the liability angle. If, and only if, there are some sizable fines
In the long term, it's irrelevant. (Score:2)
Two kinds of reputation (Score:2)
Having a reputation for being bad doesn't mean much anymore because so many people have screwed up. But a reputation for being good is worth it's weight in gold.
If I told you about how horrible my credit card company treated me, would you care? No, because you expect all credit card companies to suck. But if I told you they were fantastic, did a great job dealing with an Identify theft case, then you might want to know about it.
The Government Will Save Us (Score:2)
We've been trained all our lives that the Government will step in and save us. Is it any wonder that people no longer bother to research things before they put their money in them?
I research dang near everything I buy, right down to my toaster-oven. Because I do so much research, I know how to read the information out there, and it has been a -long- time since I bought something that was crap. (Except some toys I bought on impulse without researching!) Most people can't be bothered, so they pay the pric
Lack of large-scale consequences (Score:3, Interesting)
It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.
Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.
When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.
Ask ChoicePoint if this is No Big Deal (Score:2)
That had a non-trivial impact on a bunch of companies, including one I worked for. It caused us to spend a lot of time and money checking to see if we had a similar vulnerability (because our business was very SSN driven).
A difficult problem (Score:2)
a requirement (Score:2)
Many potential customers won't to business with you if you don't pass security audits. There's one major reason why having some security pays off.
The other reason, of course, is breach notification. It is very expensive to tell one million people you left their billing info on an anonymous FTP server.
It depends on the customers view of the company (Score:2)
TJX is not a company that any one expects much out of from the standpoint of security. While it would be nice if they were not idiots, but they were and it is unlikely that anyone who has done business with them would be surprised.
If a company where to have a solid reputation for security, and have a large chunk of their revenue based on security offerings and where then to be discovered to not only have been exploited, but to have been exploited because they failed to make even a reasonable effort to prote
No 9-11. Yet. (Score:5, Insightful)
The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.
Re:No 9-11. Yet. (Score:5, Interesting)
Parent
Not what it means at all (Score:2)
The bank is always right (Score:2)
And if the bank is wrong, it is still right.
Banks have *very* little liability. Many of the breaches have had to due with credit cards issued by, guess who? Banks. So who cares. The onus is on the card holders. The only rights a card holder has is in the creditors rights laws which do not cover identity theft.
So the bank can walk away from any civil liability in the case of identity theft. And just dare to try to impose liability. The banks will scream "We're too important to the economy! We'll stop lending
only accountants place value on intangibles (Score:2)
Whether it's "goodwill", "reputation", "contacts" or whatever. Yo often see these so-called assets listed when a business is up for sale. However no-one has ever found a way to measure the amount of any of these things that a company claims to have - klet alone being able to place an objective value on it. All these attributes are pretty much meaningless - either to customers or shareholders. The only thing that matters is price. Take low-cost air
It can happen to anyone (Score:2)
It's the general feeling, even among professionals, that security breaches are arbitrary. That, for every laptop with unencrypted harddrives and/or data left in the train, there is a remote root hole on the securest system that defies explanation because it was never thought of before.
Choice is almost as good. (Score:2)
It would be great if companies with sloppy security practices would be punished severely, go out of business, have all their executives waterboarded and sent to Guantanamo, etc. But the next best thing is if I, as an individual, have a meaningful opportunity for choice. I switched from Ameritrade to Scottrade because I, like many other people, was getting pump-and-dump spam sent to the email address that I used only with Ameritrade. (For years they claimed it was dictionary attacks, even though I and many o
SHA-1 is cracked! (Score:2)
http://it.slashdot.org/article.pl?sid=05/02/19/1424201&tid=93&tid=172&tid=218 [slashdot.org]
My theory is that security experts (and novices like myself) feel totally... betrayed, flummoxed, frustrated, whatever, that we are still using security algorithms that have been compromised. I know you need a supercomputer to crack SHA-1, however last I checked there are quite a few of those, and you can basically make a mini-supercomputer with a d