How Much Does a Reputation For Security Matter Anymore?
dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"
bad news is good news? (Score:4, Interesting)
Outside of geek circles, people might assume that if a firm has just suffered a security blunder, they'll surely be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.
Don't know about repeat offenders though.
There is no "might" about it (Score:1, Insightful)
People want to feel safe. To that end, most people wind up playing mental games with themselves. Rather than make themselves aware of the danger (so they can make educated decisions that further their own safety) they just tell themselves stories about how governmental regulation or economic self-interest will drive these companies to provide the desired level of safety.
It isn't too different from doublethink (from the book, "1984").
It is so common, in fact, that those who refuse to engage in this practic
Re: (Score:1, Offtopic)
It isn't too different from doublethink (from the book, "1984").
I would read it but it was deleted.
Re: (Score:3, Insightful)
The biggest blunder a company can make is to try to hide that there has been a security breach, because if they do try to hide a breach and it leaks, then there may have been other breaches that aren't revealed.
Being open about breaches and the impact of the breach is not hurting a business, and it may also cause other businesses to look after their measures.
Repeated offenses may of course have an impact on the reputation.
For any laptop owners out there with sensitive data - use things like TrueCrypt. If you
Re: (Score:3, Interesting)
The biggest blunder a company can make is to try to hide that there has been a security breach
Correction: the biggest blunder a company can make is to hide that there has been a security breach AND THEN GET CAUGHT. If they're successful at hiding it, there is no penalty at all.
This is just one form of the classic Prisoner's Dilemma [wikipedia.org].
CD Universe died from bad reputation????? (Score:2)
In 2000, I think the thing that killed an online store selling CDs wasn't a bad online rep.
Think back. What was all the rage in 2000? Napster.
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
No, it simply means nothing is secure and if we stopped shopping from places that got hacked, there wouldn't be anywhere left to shop!
It only matters if you're affected (Score:5, Insightful)
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.
Reputations are just rationalizations. Real security is not measurable by reputation.
Re: (Score:3, Interesting)
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
I disagree. I might not file suit against TJ Maxx if it was beyond their control to stop this from happening. If, on the other hand, poor unreasonable company policy allowed a low level employee to sell it on the black market, I would probably be interested in a class action lawsuit against the company for poor protection of privacy.
Real security is not measurable by reputation.
Unfortunately, for a lot of these things, reputation is all you have to judge. And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card
Re: (Score:2)
And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card leak.
Of course not, your liability is limited by law to $50, and most CC companies waive that. When this happens again to TJ Maxx, the CC companies are going to have a come-to-Jesus talk with the execs of TJ Maxx and if they don't shape up, they won't be able to process credit cards anymore. *That* will put them out of business, not singular Joes and Janes Q. Public not shopping there.
Re: (Score:2)
The esteemed eldavojohn wrote, "And nobody's walking down the street passing up shopping at TJ Maxx because of the credit card leak."
I am. Bob's Store, too, and the one thing that I bought from Marshall's since then, I paid for with cash. I even told my wife not to go there any more if she's going to need a credit card: they're idiots and deserve to lose business.
Re: (Score:2)
Duh (Score:4, Insightful)
Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".
Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
This depends what kind of business it is. If they're providing hardware and/or services to the geek crowd, it matters a lot. If they're selling shoes and their credit card information database gets stolen, it will probably have little (if any) lasting impact because even if people hear about it, they won't understand it and thus won't remember it. If they do remember, they'll pay cash the next time they go there, but they'll still go.
Mal-2
Re: (Score:2)
Re: (Score:2)
Look, people make mistakes. It happens. Especially when those people are gathered into large groups.
FTFY.
There are a bunch of reasons for that: mob mentality, political considerations, and being able to duck any responsibility for screwing up are definitely a part of that story though.
Re: (Score:1)
And don't forget the "It'll never happen to me" mentality that most people have.
If a company really wants to ruin its reputation, it'll get caught stealing from customers. Much more of a direct impact and much more identifiable by everyone, even those not directly affected, because - let's face it - who hasn't been ripped off at one point or another?
Re:Duh (Score:4, Interesting)
It's not so much forgiveness, I think, as resignation.
For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.
But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.
That's what computer security is like for most people. They don't understand it, and they have good reason to suspect that the people who run the companies they deal with don't understand it. If a company gets hit with an embarrassing breach, they might reasonably conclude that its claim to have learned its lesson is just as credible as a different company's claim it hasn't been hit because it already knows better.
If you want to fix this, there are two ways, neither of them popular. The first is more regulation of record keeping practices. The second is to establish liability of companies when information they are holding is misused.
Re: (Score:2)
For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.
But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.
You've also just described "terrorism" (little-t) and included the most practical, rational approach to coping that we humans have. Unfortunately, our politicians and news media have adopted "Terrorism(TM)" as their poster child to manipulate the voters into marching to their prescribed beat of "fear, fear, spend, spend, attack, attack, vote, vote."
I just wish your suggested fixes worked as well in that problem space.
Obvious (Score:1)
No security available anywhere (Score:5, Insightful)
Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.
Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.
Re: (Score:2)
Let's r
Re: (Score:2)
Maybe it's because security would also stop corporate fat cats from siphoning from the till?
Re: (Score:2)
Barings Bank (1762 to 1995) was the oldest merchant bank in London until its collapse in 1995 after one of the bank's employees, Nick Leeson, lost £827 million ($1.3 billion) speculating - primarily on futures contracts.
Size matters (Score:5, Interesting)
From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?
For me they did (Score:2)
I live very close to stores from both companies and only pay cash at them now.
Re:For me they did (no they didn't) (Score:5, Insightful)
So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.
Re: (Score:2)
Poor reporting (Score:3, Insightful)
Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.
Re: (Score:2)
Re: (Score:2)
Another thing that goes against us is the portrayal of hacking in TV shows and movies - they make it look so easy to hack into NSA systems and other HIGH-SECURITY systems that people start to believe it's possible.
Corporations and reputations (Score:3, Interesting)
It is not about IT (it is about insurance companies in Nazi Germany), but provides a very good insight nonetheless.
And it's not even a long thread (Score:1)
Depends what industry (Score:3, Interesting)
If you're a relatively mundane manufacturing company and you leak customer data -- who cares?
If you're a Visual Effects studio and you leak shots from a major new film, "sonny, you ain't gonna work in this town again".
Re: (Score:2)
If you are a bank and your database of credit card numbers was compromised, your customers might think twice before opening any new accounts with you, or continuing their current one(s).
Re: (Score:1)
Re: (Score:2)
If you're a relatively mundane manufacturing company and you leak customer data -- who cares?
"Chinese Employee Loses iPhone Prototype Kills Self"
http://mobile.slashdot.org/story/09/07/21/1814212/Chinese-Employee-Loses-iPhone-Prototype-Kills-Self [slashdot.org]
Most people not monetarily involved think he was killed, not that he killed himself.
Reputation means very little; Response means a lot (Score:2)
Remember, the company you see on the news regarding their first ever data breach had a sterling security reputation... until it didn't.
I expect companies I do business with to do everything possible (within reason) to prevent breaches, but I also accept the fact that breaches are inevitable.
Be upfront and honest with me about it. Make sure it doesn't happen again. Repair any damage that was done. Do those things, and you'll have my business.
Re:Reputation means very little; Response means a (Score:1)
Re: (Score:2)
TFA links a company's security reputation to whether or not a breach occurred in the first place, not how the company responded to the breach.
There is a subtle difference between a reputation for having no security breaches and a reputation for responding well to security breaches.
I am claiming the former is not as important as the latter.
Re: (Score:1)
Not in Finance (Score:2)
Failure to meet, match or getting caught with your pants down on security can mean clients will not sign up with you due to your ranking or lack of credentials.
Re: (Score:2)
TJX breach didn't matter. (Score:2)
Most didn't hear of it, and those that did went "Oh, it was only X store and I wasn't affected."
Look at the TJ Maxx stores: they are a low end bargain retail chain, and most of their business probably isn't even done with credit cards. Even those customers that were affected probably disputed the charges and moved on, without understanding how crappy the security was. Most customers probably bought the "oh my, we're sorry this happened, we'll ma
Reputation doesn't matter in some industries (Score:2, Insightful)
A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach [2008breach.com] in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.
I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so
Re: (Score:2)
If I had modpoints, you'd get one, AC. The Heartland breach kinda makes TJX look minor, and many people who might have been affected would never know.
Shame TFA didn't mention this, because it's a much more serious vulnerability than one large retail chain, precisely because the customers don't know about it.
But to answer the question posed, I think I might be more likely to shop at a chain that's been compromised. Not right when the story is breaking, mind you, but several months later, certainly. If the
Not at all (Score:2)
It's insanely hard to sell security with the reputation angle. Why? Because neither companies nor customers give a rat's fuzzy bottom about it. Did you hear of anyone who canceled their account with a bank after said bank lost customer data by the gigabyte? Nah. Why? After all, now they fired that idiot that lost their data and now they're safe again. They said it themselves!
(if people actually heard about it, that is)
You sell security with the liability angle. If, and only if, there are some sizable fines
In the long term, it's irrelevant. (Score:2)
Two kinds of reputation (Score:2)
Having a reputation for being bad doesn't mean much anymore because so many people have screwed up. But a reputation for being good is worth its weight in gold.
If I told you about how horribly my credit card company treated me, would you care? No, because you expect all credit card companies to suck. But if I told you they were fantastic, did a great job dealing with an identity theft case, then you might want to know about it.
The Government Will Save Us (Score:2)
We've been trained all our lives that the Government will step in and save us. Is it any wonder that people no longer bother to research things before they put their money in them?
I research dang near everything I buy, right down to my toaster-oven. Because I do so much research, I know how to read the information out there, and it has been a -long- time since I bought something that was crap. (Except some toys I bought on impulse without researching!) Most people can't be bothered, so they pay the pric
Lack of large-scale consequences (Score:3, Interesting)
It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.
Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.
When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.
Of course it doesn't matter. (Score:1)
Ask ChoicePoint if this is No Big Deal (Score:2)
That had a non-trivial impact on a bunch of companies, including one I worked for. It caused us to spend a lot of time and money checking to see if we had a similar vulnerability (because our business was very SSN driven).
A difficult problem (Score:2)
a requirement (Score:2)
Many potential customers won't do business with you if you don't pass security audits. That's one major reason why having some security pays off.
The other reason, of course, is breach notification. It is very expensive to tell one million people you left their billing info on an anonymous FTP server.
Re: (Score:2)
What? How many Walmart customers do you know who do a full security audit (both physical and IT infrastructure) before shopping there?
We're talking about B2C customers here, not B2B... so most Joe Public customers are not going to do security audits before shopping somewhere.
What's the correlation? (Score:1)
We're talking fear of identity theft with these kinds of lapses/buffoonery, yeah? Are there identified spikes in identity theft over a period following these incidents? Are there any numbers?
Factors (Score:1)
A lot of the impact depends on how important that company is to your daily life. When Hannaford got breached, well, here in Maine there are basically three major food chains. Wally World sells truly awful produce but has decent prices. Shaws sells really good quality stuff but tends to charge a bit more. Hannaford is the "happy medium" for most folks. Then, of course, there are the mom-and-pops and smaller chains who have their loyal following, and that's great too. But a lot of folks went to Hannafor
It depends on the customers view of the company (Score:2)
TJX is not a company that anyone expects much out of from the standpoint of security. It would be nice if they were not idiots, but they were, and it is unlikely that anyone who has done business with them would be surprised.
If a company were to have a solid reputation for security, and have a large chunk of their revenue based on security offerings, and were then to be discovered to not only have been exploited, but to have been exploited because they failed to make even a reasonable effort to prote
It mattered to Card Systems... (Score:1)
Tell Card Systems it doesn't matter...
http://www.consumeraffairs.com/news04/2005/cardsystems_sold.html [consumeraffairs.com]
Look at the Cyber Security Industry (Score:1)
No 9-11. Yet. (Score:5, Insightful)
The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.
Re:No 9-11. Yet. (Score:5, Interesting)
Re: (Score:1)
Not what it means at all (Score:2)
The bank is always right (Score:2)
And if the bank is wrong, it is still right.
Banks have *very* little liability. Many of the breaches have had to do with credit cards issued by, guess who? Banks. So who cares. The onus is on the card holders. The only rights a card holder has are in the creditors' rights laws, which do not cover identity theft.
So the bank can walk away from any civil liability in the case of identity theft. And just dare to try to impose liability. The banks will scream "We're too important to the economy! We'll stop lending
only accountants place value on intangibles (Score:2)
Whether it's "goodwill", "reputation", "contacts" or whatever. You often see these so-called assets listed when a business is up for sale. However, no-one has ever found a way to measure the amount of any of these things that a company claims to have - let alone being able to place an objective value on it. All these attributes are pretty much meaningless - either to customers or shareholders. The only thing that matters is price. Take low-cost air
It can happen to anyone (Score:2)
It's the general feeling, even among professionals, that security breaches are arbitrary. That, for every laptop with unencrypted hard drives and/or data left in the train, there is a remote root hole on the securest system that defies explanation because it was never thought of before.
Choice is almost as good. (Score:2)
It would be great if companies with sloppy security practices would be punished severely, go out of business, have all their executives waterboarded and sent to Guantanamo, etc. But the next best thing is if I, as an individual, have a meaningful opportunity for choice. I switched from Ameritrade to Scottrade because I, like many other people, was getting pump-and-dump spam sent to the email address that I used only with Ameritrade. (For years they claimed it was dictionary attacks, even though I and many o
SHA-1 is cracked! (Score:2)
http://it.slashdot.org/article.pl?sid=05/02/19/1424201&tid=93&tid=172&tid=218 [slashdot.org]
My theory is that security experts (and novices like myself) feel totally... betrayed, flummoxed, frustrated, whatever, that we are still using security algorithms that have been compromised. I know you need a supercomputer to crack SHA-1, however last I checked there are quite a few of those, and you can basically make a mini-supercomputer with a d
stopped shopping (Score:1)
It's about Business, not Security (Score:1)
Re: (Score:2)
The other company had no document retention policy, no archived emails and could not produce anything the prosecution wanted. They were scolded and fined $20 million.
And if they had a document retention policy that said "We don't keep anything, we burn it before we read it", they would have escaped the $20 million fine. (:-)