How Much Does a Reputation For Security Matter Anymore?

dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"

  • by An anonymous Frank ( 559486 ) on Wednesday August 12, 2009 @11:54AM (#29039315) Homepage

    Outside of geek circles, people might assume that if a firm has just suffered a security blunder, that they'll sure be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.

    Don't know about repeat offenders though.

  • Size matters (Score:5, Interesting)

    by mcrbids ( 148650 ) on Wednesday August 12, 2009 @11:56AM (#29039359) Journal

    From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?

  • by homer_s ( 799572 ) on Wednesday August 12, 2009 @12:03PM (#29039477)
    Here [econlib.org] is an interesting piece about corporations and their incentives to protect their reputations.

    It is not about IT (it is about insurance companies in Nazi Germany), but provides a very good insight nonetheless.
  • by mewsenews ( 251487 ) on Wednesday August 12, 2009 @12:03PM (#29039497) Homepage

    If you're a relatively mundane manufacturing company and you leak customer data -- who cares?

    If you're a Visual Effects studio and you leak shots from a major new film, "sonny, you ain't gonna work in this town again".

  • by eldavojohn ( 898314 ) * on Wednesday August 12, 2009 @12:07PM (#29039549) Journal

    Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.

    I disagree. I might not file suit against TJ Maxx if it was beyond their control to stop this from happening. If, on the other hand, poor unreasonable company policy allowed a low level employee to sell it on the black market, I would probably be interested in a class action lawsuit against the company for poor protection of privacy.

    Real security is not measurable by reputation.

    Unfortunately, for a lot of these things, reputation is all you have to judge. And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card leak. Or selecting a retail clothing store based on their security reputation. These are discussions of problems with stores that are not in IT or a technology industry. If it's their primary job to protect my private financial data (i.e. paypal or online banking), you bet I'm going to seek action.

  • by JoeD ( 12073 ) on Wednesday August 12, 2009 @12:26PM (#29039875) Homepage

    It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.

    Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.

    When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.

  • by Anonymous Coward on Wednesday August 12, 2009 @12:33PM (#29039975)

    Inside of geek circles, if a company had even a minor security breach back in 1946*, stubbornness and a "NEVAR FORGIVE NEVAR FORGET" mentality kicks in and persists until a few years after the geek is no longer able to interact with the world at large due to his/her hundreds of boycotts self-locking him/her out, forcing a begrudging sort of "Okay, FINE, maybe I'll trust you to ONE of my l33t aliases..." response.

    *: Okay, I kid, I kid. This is only if the company makes really shiny or candy-colored junk. Otherwise, there's a far greater chance that if the company hasn't had any security breaches, the geek will assume they just hide them better and use that as "evidence" to not trust them.

  • Re:No 9-11. Yet. (Score:5, Interesting)

    by AdmiralXyz ( 1378985 ) on Wednesday August 12, 2009 @02:12PM (#29041511)
    Your statement actually has rather terrifying implications, since after 9/11 we saw a rush of hysterics that created a) illusory security practices like the nonsense we have to put up with at airports and b) several wars in the Middle East that have done anything but make us more safe. I can't help but think that when (not if) there is a break-in like you describe, the government is going to start keeping track of everyone who downloads nmap, etc.
  • Re:Duh (Score:4, Interesting)

    by hey! ( 33014 ) on Wednesday August 12, 2009 @02:57PM (#29042175) Homepage Journal

    It's not so much forgiveness, I think, as resignation.

    For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.

    But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.

    That's what computer security is like for most people. They don't understand it, and they have good reason to suspect that the people who run the companies they deal with don't understand it. If a company gets hit with an embarrassing breach, they might reasonably conclude that its claim to have learned its lesson is just as credible as a different company's claim it hasn't been hit because it already knows better.

    If you want to fix this, there are two ways, neither of them popular. The first is more regulation of record keeping practices. The second is to establish liability of companies when information they are holding is misused.

  • by plover ( 150551 ) * on Wednesday August 12, 2009 @05:57PM (#29044501) Homepage Journal

    The biggest blunder a company can make is to try to hide that there has been a security breach

    Correction: the biggest blunder a company can make is to hide that there has been a security breach AND THEN GET CAUGHT. If they're successful at hiding it, there is no penalty at all.

    This is just one form of the classic Prisoner's Dilemma [wikipedia.org].
