Security Businesses

How Much Does a Reputation For Security Matter Anymore? 98

dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"
  • by BadAnalogyGuy ( 945258 ) <BadAnalogyGuy@gmail.com> on Wednesday August 12, 2009 @11:54AM (#29039325)

    Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.

    And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.

    Reputations are just rationalizations. Real security is not measurable by reputation.

  • Duh (Score:4, Insightful)

    by BobMcD ( 601576 ) on Wednesday August 12, 2009 @11:55AM (#29039333)

    Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".

    Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.

  • by Anonymous Coward on Wednesday August 12, 2009 @11:56AM (#29039347)

    Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.

    Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.

  • Poor reporting (Score:3, Insightful)

    by SIGBUS ( 8236 ) on Wednesday August 12, 2009 @11:58AM (#29039387) Homepage

    Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.

  • by Anonymous Coward on Wednesday August 12, 2009 @11:59AM (#29039403)

    People want to feel safe. To that end, most people wind up playing mental games with themselves. Rather than make themselves aware of the danger (so they can make educated decisions that further their own safety) they just tell themselves stories about how governmental regulation or economic self-interest will drive these companies to provide the desired level of safety.

    It isn't too different from doublethink (from the book, "1984").

    It is so common, in fact, that those who refuse to engage in this practice, and instead aspire to learn what the actual state of security is and to take actions that protect themselves from danger, are given the label "paranoid."

  • Re:Duh (Score:2, Insightful)

    by Stenchwarrior ( 1335051 ) on Wednesday August 12, 2009 @12:01PM (#29039429)

    Well, TJX's "mistake" was to use WEP instead of WPA; WEP has been a known security hole since 2001 and yet they continued to keep using it. Maybe blatant laziness should be punished by Federal law rather than relying on the public to decide whether or not they deserve disciplinary action.

  • by Z00L00K ( 682162 ) on Wednesday August 12, 2009 @12:01PM (#29039433) Homepage Journal

    The biggest blunder a company can make is to try to hide that there has been a security breach because if they do try to hide a breach and it leaks then there may have been other breaches that aren't revealed.

    Being open about breaches and the impact of the breach is not hurting a business, and it may also cause other businesses to look after their measures.

    Repeated offenses may of course have an impact on the reputation.

    For any laptop owners out there with sensitive data - use things like TrueCrypt. If you do then it's at least possible to claim that the data was encrypted and therefore not likely to spread.

  • by cblack ( 4342 ) on Wednesday August 12, 2009 @12:01PM (#29039435) Homepage

    So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.

  • by Anonymous Coward on Wednesday August 12, 2009 @12:18PM (#29039743)

    A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach [2008breach.com] in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.

    I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so I could avoid those businesses. No such list is available -- precisely because it could damage the reputation of these businesses.

    Heartland doesn't care, and there is no reason they ought to. This is why they didn't already encrypt my data. As far as I can tell, there is absolutely nothing I can do as an American consumer to discourage this type of corporate behavior from this industry in the future.

    The people truly holding the reins in situations like these are the investors. What we need are investors who respond to ethical news as rapidly as they respond to financial news. But investors seem to like news of unethical behavior and corner-cutting, because it implies the firm will do anything to cut costs and maximize profits. The truly greedy people aren't the CEOs and the suits, it's the multi-billion-dollar pension funds and investors who want only to grow their money at the expense of everything good.

  • No 9-11. Yet. (Score:5, Insightful)

    by Hasai ( 131313 ) on Wednesday August 12, 2009 @01:06PM (#29040499)

    The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.
