Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk) 184
It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporate companies are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Despite losing a significant sum of money on a data breach, it is still in a company's best interest to not spend on upgrading their security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
The power of a concentrated marketplace (Score:4, Insightful)
People have no options in the market for strong security, otherwise they'd punish these companies in sales.
Re: The power of a concentrated marketplace (Score:5, Insightful)
The loss of reputation has a direct impact on revenue.
And how much were you paying them before?
Even the summary mentions the companies are having a hard time quantifying the costs of lost PR.
Just ask yahoo. I trust them even less now.
And how much is your trust worth to yahoo? How much money were they getting from you before? How much now?
Most people don't really seem that affected by breaches. Hell, I would have thought the breach at Ashley Madison would have done them completely in on reputation loss alone...
Re: (Score:2)
Hell, I would have thought the breach at Ashley Madison would have done them completely in on reputation loss alone...
It is not always easy to kill a company dead with just one thing happening to it, even something like this. There are people invested in it, and they have reason enough to work to keep it going. And if you're one of the people who got into business of helping people have affairs, you're already going to be someone who is somewhat impervious to other people's opinion of you. Many of these companies keep going until they must declare bankruptcy, so there's no reason for them to not give it a college try.
Th
Re: (Score:2)
I would have thought the breach at Ashley Madison would have done them completely in on reputation loss alone...
Reputation loss? Ashley Madison? You must be joking.
Re: (Score:3)
Analyzing the cost of security breaches is the wrong model because it's not the cost of cleaning up the mess than affects your profits. The loss of reputation has a direct impact on revenue. Just ask yahoo. I trust them even less now.
Yahoo is probably very thankful right now, they probably got quite a few ad impressions from 500 million accounts logging in just to change the password ;)
Re: (Score:2)
The only thing I've used yahoo for in over ten years is for a site login when I'm going to troll someone.
I did use them as a news aggregator, but their innovation turned into moving things around and changing the font sizes, to the point where while the content never changed the look and feel did change enough to make it easy to just give up on them and use something that just did what it was supposed to do and didn't change layouts every 3 months.
Now I'm supremely pleased that I ignored their constant effo
Bottom line... (Score:3, Insightful)
Re:Bottom line... (Score:5, Insightful)
It's safest to assume that no matter how good your security, someone will eventually break through. As such, any sensitive user data should be encrypted so that it's not feasible for it to be exploited or used nefariously by the hackers who broke in. Everything else is just mitigating risk or delaying attackers. A locked door or alarm system won't stop a truly dedicated burglar, but it will make most look for another target or make it easier for them to slip up during the process in some way that leads to finding them.
Re:Bottom line... (Score:4, Insightful)
Re: (Score:3)
In order for encrypted data to be used, the decryption key must be somewhere; failure to protect the keys can occur just as easily as any other form of security failure.
Also as users we have no idea how companies are storing our data anyway, so the only option available is for us to not hand it over in the first place.
Re: (Score:3)
In the Libertarian fantasy world, all of these companies with poor security would be punished by the Invisible Hand of the Market. People would boycott them and they'd go out of business.
But we know for a fact that never actually happens, which is why people laugh at Libertarians and their childish, magical ideas about how the world works.
Re: (Score:2)
The problem with the extreme libertarian ideal of what would happen is that it assumes that no one can generate a monopoly. Particularly the monopoly of force of a government.
If that was not possible, it is possible that there would be more freedom for that mechanism to work, but as you say, those conditions don't seem to ever actually occur.
The reality is that I think people want something that prevents anarchy, but they don't want it to become oppressive. I think government is okay in moderation, but it
Re: (Score:2)
Re: (Score:2)
The weakness of the whole Libertarian ideal is that it turns out there are a lot of legal ways for one person to totally screw over another.
Yes, and with corporations who can field armies of lawyers and PR campaigns, it's a million times worse than what one person can do.
Re: (Score:2)
Re: (Score:2)
In the Libertarian fantasy world, all of these companies with poor security would be punished by the Invisible Hand of the Market. People would boycott them and they'd go out of business.
But we know for a fact that never actually happens, which is why people laugh at Libertarians and their childish, magical ideas about how the world works.
That's a rather retarded way of looking at things. The "Invisible Hand of the Market" is essentially the total sum of people giving a shit (and the amount of shit being given by said people) about an issue one way or another. The article being discussed is a prime example of people simply not (yet, currently) giving a shit about getting hacked. Nobody promised you that the "Invisible Hand of the Market" will do shit that YOU want to happen.
Re: (Score:2)
The real problem with the Libertarian ideal is that markets need accurate information in order to function properly. Accurate information is very hard to get in certain fields. Accurate information is hard to get when the major media outlets are controlled by a small number of people.
For example, what percentage of security breaches become public knowledge? I would doubt that it is as high as 10%.
Re: (Score:2)
The real problem with the Libertarian ideal is that markets need accurate information in order to function properly. Accurate information is very hard to get in certain fields.
Like when a huge corporation decides to mount a PR campaign to cover up their misdeeds. Even when people have all the information they need to make a decision, they still act against their own best interests. For a classic example, look no further than the Catholic church and their record of molesting children. It's proven that they've been doing this literally for centuries, and yet the suckers still line up to fill the donation plates.
If you won't boycott them to save your own child, why would you bother
Re:Bottom line... (Score:4, Insightful)
History (numerous recent examples) proves you wrong.
But what is wrong with your argument is that, in order to fail, you have to be worse than your competitors. When everyone is untrustworthy, there is no downside to it.
Also, there is the very real problem posed by the concept of a limited liability company. We know that the absence of limited liability prevents investment, but the very real effect of limited liability is that, without regulation, people will take actions that externalize their real costs.
Or, to summarize: to have a healthy economy, you need limited liability companies. If you have limited liability companies, then you need regulation.
Re: (Score:2)
That's a rather retarded way of looking at things.
I agree; the Libertarian notion of how things work is indeed a retarded way of looking at things.
-
The "Invisible Hand of the Market" is essentially the total sum of people giving a shit
And since most people won't give a shit for any number of reasons (lack of interest, lack of info, etc) then the "Invisible Hand of the Market" is a fantasy. It simply isn't a real thing.
-
Nobody promised you that the "Invisible Hand of the Market" will do shit that YOU want to happen.
Exactly, and I thank you for making my point for me. And to take it a step further, nobody can promise anyone that the "Invisible Hand of the Market" will do anything at all, period. That's because it doesn't actually exist in
Re: (Score:2)
Exactly, and I thank you for making my point for me. And to take it a step further, nobody can promise anyone that the "Invisible Hand of the Market" will do anything at all, period. That's because it doesn't actually exist in the real world.
So you are basically saying nothing ever happens because no one ever gives a shit about anything. How did you come to this blatantly false conclusion?
Re: (Score:2)
Seems the yacht design costs win every decade.
And you can bill the hacker the costs to fix stuff (Score:3)
And you can bill the hacker the costs to fix stuff even when the system had no security at all.
Like our doors had no locks on them at all and someone broke in and now we have costs of $ to install locks on the doors.
Re:And you can bill the hacker the costs to fix st (Score:5, Insightful)
It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flaunt the niceties and come in anyway.
Re: (Score:2)
Re: (Score:2)
Your house is protecting YOU first and foremost.
It's only really protecting me from the weather. Any theft protection is purely notional — that is, it's based on the notion that breaking and entering is prosecuted more severely than if I just had my stuff lying around outside in boxes. It's trivial to get into almost any house.
We all do reasonable measures to protect ourselves but are hardly spending a large portion of our income to do so.
If I were expected to protect other people's stuff, then I'd also be expected to spend a reasonable amount of money to do that. A gun dealer who didn't put extremely valuable guns in a secure safe would not be trusted by cust
He spoke to many executives and none of them could (Score:2)
lower infosec budgets will INCREASE hacking damage (Score:4, Insightful)
This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).
However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.
Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
Re: (Score:3)
In an optimal world, the costs would balance. If you spend zero on defense, then the breaches will increase due to the lack of defense. So, spend some on defense, make it harder to breach, breaches will always be possible, so where's the sense in spending more on defense than the breaches are costing?
Now, in military systems, the potential cost of a breach is rather high...
Re: (Score:2)
127.0.0.1, or if you prefer, ::1
Re: (Score:2)
I don't think his advice is particularly bad, it's more of an admission of reality. Spend the money to make a good solid security program, but let's face it, with all the 0-days out there and the threat sources, it is probably best to understand that successful attacks are inevitable. At least then, you also set aside time, money, and resources to deal with the impacts, and do planning that assumes that since breaches are possible, they need to be taken seriously when they happen.
I'm less concerned that s
Re: (Score:3)
More important to me than the cost of keeping out a professional thief (after all, it's only money), is the inconvenience of a bulletproof security system - that's impacting quality of life at home, and similarly impacts the efficiency of businesses that over secure their assets.
Re: (Score:2)
you're kidding, right?
$200K is a drop in the bucket of possible spend on security.
Stateful firewalls can cost more than that if you need to support a decent number of users at wire rate.
Add mail filters and the need for beefier servers to handle the crypto overhead compared to what you could have used without crypto...
My previous employer spent *at least* $200k/mo on security in IT.
Of course they were protecting IP that led to $34Bn profit on $55Bn gross...
-nB
Re: (Score:2)
Security solutions and spending also often includes the security people operating the solutions. And just one of them can easily be almost $200,000 a pop, not necessarily in salary, but in benefits, salary, and even getting a headhunter to find one.
As far as security software, that's pretty expensive too, but varies based on your level of security. I've seen packages that keep the records of every keystroke made on every server that you connect to it. Real Big Brother types of packages. That easily cos
Re: lower infosec budgets will INCREASE hacking da (Score:2)
Cheaper Until Lawsuit Damages Occur (Score:4, Interesting)
Then the spending on security will go up.
Re: (Score:3)
When are we going to start spending effort on "Lawyer control"?
Re: (Score:2)
Companies already thought of that (Score:3)
Re: (Score:3)
Although lawsuit comes far too late to protect the people who needed to protect their data more than they needed a $30 rebate from a class action suit.
Make no mistake, the article makes this very clear. Most of the downside of not spending on security is on the customers, not on the business that got hacked.
Best defense (Score:4, Interesting)
Don't use the internet for anything business related until business gets serious about fixing the problem. These people just want their profits and, like they learned getting that MBA, the easiest way to do profits is to re-direct costs. In this case, put the costs of doing business online onto the customers. Seriously, who pays the real price when a business gets hacked and all the customer data goes walking out the door/server? The customers suffer from having their data abused, that is who suffers.
Do you trust your ISP with your bank account number, address, phone number, etc? How about your bank? Your employer? Your local utilities? How many of these types of businesses have you seen hacking reports on these past years? All of them, repeatedly, every year.
Do you remember in 1995 when the business and banking communities were warned that the internet was not designed with security in mind, but the complete opposite? Do you remember that they all just said the business opportunities were just too great to ignore and that security would naturally follow usage?
The internet is not for business; the internet is for porn!
Re: (Score:2)
Clouds (Score:2, Funny)
It depends (Score:4, Interesting)
I'm hearing about cases where companies got hit with cryptolocker type viruses. And it wasn't something that just happened in a 30 minute period. It was a sleeper virus that waited 72 hours before activating, which invalidates all of your recent backups. All it would take is a sleeper to take 1 month, 6 months, etc to activate and then bam - you're done. No good backups. No data = no company. It would be a nightmare.
Re: (Score:2)
Someone would notice even within 72 hours that their database had been encrypted and was inaccessible. You simply restore the database from a backup, after restoring the code. My understanding is that regular 'data backups' only back up the database, and that the software platform that the server runs is backed up to a separate location, only when intentionally modified, and thus less frequently. If the code were modified by a virus, then you'd restore from a version from before the intrusion. If people are
Re: (Score:2)
Re: (Score:2)
The virus is still there and will immediately re-activate on restoration because the current date is past its activation date.
Re: (Score:2)
No, a virus will not "immediately re-activate on restoration". For a virus to "activate", some form of execution is required. Restore your data files only, or don't run infected executables from your backup.
Yes, there have been viruses that infect data files, such as PDF documents, Word documents, or graphics files, but even so, these would not "immediately re-activate on restoration".
Re: (Score:2)
You're right, I was thinking full image backups, such as you might use to get the system running again in a pinch. Those would just immediately collapse again.
Re: (Score:2)
Re: (Score:2)
That's why you don't back up servers, you back up data.
Installed server software like the application and OS, especially in this day and age, should be completely disposable. Unless they can cryptolock you somehow from a dump file or an oplog, all they have done is cause a short outage and annoy the shit out of some admins.
Wipe the hardware, reinstall from your golden image and have your configuration management software reconfigure things, and then restore from backup.
Not to mention with any redundant DB
Companies must be embarrassed (Score:2)
Remember, there are companies out there that still don't hash passwords.
Re: (Score:2)
If you find a vulnerability, companies must be exposed as loudly and embarrassingly as possible [medium.com]. That (or legal threats) are the only things that can stop them. Remember, there are companies out there that still don't hash passwords.
One major flaw in your theory here. When everyone these days gets hacked, it's not really embarrassing for anyone to admit it's happened.
It's kind of like admitting you've had diarrhea before. Big fucking deal. So has the other 99.9% of the human race.
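The "still don't hash passwords" point above deserves a concrete picture of what the fix looks like. The following is an added example, not code from the thread or from any company discussed in it: it stores passwords as salted, iterated PBKDF2-SHA256 hashes using only the Python standard library, verifies them in constant time, and shows the upgrade-on-login step a site with a legacy plaintext table would need. The iteration count, the record format and the sample user table are assumptions constructed for the example.

```python
# Added example: salted, iterated password hashing with the Python standard
# library, plus a login routine that upgrades legacy plaintext records.
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000   # assumption: tune so one hash takes ~100 ms on your hardware
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    try:
        algorithm, iterations_s, salt_hex, digest_hex = stored.split("$")
        iterations = int(iterations_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False                           # malformed record never verifies
    if algorithm != ALGORITHM or iterations <= 0:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when the record uses fewer iterations than current policy requires."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return True
    try:
        return int(parts[1]) < iterations
    except ValueError:
        return True


# Hash of an empty string, used so that a login for an unknown user costs the
# same time as a real verification (assumption: a simple timing equaliser).
DUMMY_HASH = hash_password("")


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Authenticate against a user table; upgrades plaintext or weak records in place."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)  # burn the same time, then reject
        return False
    if not stored.startswith(ALGORITHM + "$"):
        # Legacy plaintext record: compare in constant time, then replace it
        # with a proper hash so the plaintext disappears on first login.
        if hmac.compare_digest(stored.encode("utf-8"), password.encode("utf-8")):
            users[username] = hash_password(password)
            return True
        return False
    if verify_password(password, stored):
        if needs_rehash(stored):
            users[username] = hash_password(password)
        return True
    return False


if __name__ == "__main__":
    # Constructed sample table: one legacy plaintext record, one hashed record.
    table = {"alice": "hunter2", "bob": hash_password("s3cret")}
    print(login(table, "alice", "hunter2"), table["alice"][:20])   # True, now hashed
    print(login(table, "alice", "wrong"))                           # False
```

The record stores its own algorithm, iteration count and salt, so the policy can be raised later and old records are migrated the next time their owner logs in; a breach of the table then yields per-user salted hashes that must each be brute-forced separately rather than a list of reusable credentials.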
Re: (Score:2)
I hope you aren't suggesting the government is going to do a better job of making that happen.
All the government makes you do is a shitload of paperwork and then when you fail because you spent more time on filling out your 400 page system security plan than actually securing anything, they throw the book at you anyway. Or not, if you're golfing partners with your tame congressman.
Then they need an incentive (Score:5, Insightful)
If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.
It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.
Re: (Score:2)
Are you saying you want an internet version of osha?
Data centers could have a calendar with the number of days since the last breach... and a nifty poster about securing data in the break room.
Re: (Score:2)
Are you saying you want an internet version of osha?
Not quite but, kinda. I think data breaches should be very expensive to a company. Expensive enough that it's worth protecting against them. It's obvious that the market isn't going to go out of its way to prevent these breaches because, frankly, the costs are externalized (onto the people who have had their data breached). If the costs were internalized, you can bet your ass that companies would take security more seriously.
If, on average, a data breach costs each breached customer like $5, then fine t
Re: (Score:2)
Yahoo told the world about this breach about 2 years after it happened. If there were a company destroying fine, they might never have told anyone? Such fines will also give rise to a kind of insurance against it. Since such fines are large, insurance companies might take over the disclosure of this breach - making it the business of even deeper pockets to hide this information.
If, on average, a data breach costs each breached customer like $5, then fine the company $10 per breached record
Do you see this average being computed across all service providers? Specific industry?
If the cost is per breached customer regard
Re: (Score:2)
Re: (Score:2)
If someone was going to die as a result of a malfunction or breach of a system, we'd demand it be air-gapped and have robust CM. There would be hell to pay as a result of failure - think hospital systems. Or military systems.
Yes, these systems never get hacked. And people never die because of the hacks...
The thing is, most of the systems businesses use aren't all that important in the grand scheme of things. No one is going to die if Twitter or Walgreens has a breach.
Nonsense. It's entirely possible to have a company let your data get stolen and then not learn about that breach until years later (Yahoo). That information leak could lead to all sorts of things (particularly, credit reports) that would genuinely and profoundly affect your life. This isn't "Oh noez, hackers know my home address", this is, "Fuck, they know enough about me to open credit cards in my name".
Cue "assumed breach"...we must assume that systems like Twitter and Walgreens are breached and are leaking data. Therefore, conduct any business with them while insulating yourself from the consequences of said breach.
Agreed. And, as it
Why? (Score:2)
Re: (Score:2)
Yeah, except the government can't secure itself, and you think they are the solution to securing everyone else?
It's going to be security theater all the way down.
Re: (Score:2)
The government can't secure itself but, it can certainly impose fines on companies that don't secure themselves.
Just like shoplifting? (Score:2)
A persistent threat that can't be effectively eliminated in a cost effective manner and the easiest way to deal with it is to just make it sort of hard and pass the remaining costs onto consumers?
Except... (Score:2)
Except that the best defense against hacking is user training, policies, network segmentation and other low-tech solutions combined together into an intelligent overall strategy...
If you think you can just go out and buy security, you are most likely getting fleeced.
Re: (Score:2)
Two words: "Ford Pinto" (Score:5, Insightful)
113 million dollars to fix.
49 million dollars for the death and destruction costs.
Ford chose death and destruction over the lives of customers.
To this day I won't own Ford.
http://www.popularmechanics.co... [popularmechanics.com]
Re: (Score:2)
113 million dollars to fix.
49 million dollars for the death and destruction costs.
Hate to break it to you, but the choice here is obvious. You compare values and go for the option with the highest value (or lower cost). Tasty food is worth more than life itself. Money is worth more than life itself (see people skimping on their own safety equipment to save money). Fun things like mountain climbing and skydiving are worth more than life itself.
When people overvalue life they start making decisions like strip-searching all passengers before allowing them on an airplane slightly reduce an a
Re: (Score:2)
Well, it is important to point out that no one really thinks their life is less important than tasty food. The real factors are:
There is always a reasonable probability that it won't be what kills you. That bacon triple cheeseburger may eventually kill you, but your smoking habit will probably do that first. You're going to die of something, you're betting you don't live long enough so that all of your bad decisions play out.
Second, people just have really bad perception of relative risk. That's why so
Re: (Score:2)
If X is less than the cost of a recall, we don't do one. [youtu.be]
Re: (Score:2)
From your link: In the ensuing years, though, some doubt has been cast on the relative severity of the defect. Reports range from 27 to 180 deaths as a result of rear-impact-related fuel tank fires in the Pinto, but given the volume of more than 2.2 million vehicles sold, the death rate was not substantially different from that of vehicles by Ford's competitors. The far more damaging result for Ford was the PR disaster. The company long endured a reputation for putting profits ahead of build quality, which,
The engineers lament (Score:2)
Get ready to change your mind! Hear from the engineer who caused the pinto not to be recalled:
Not necessarily (Score:2)
If your idea of defense is buying hyper expensive checkboxes, then yes. If you do the little things like actually doing updates, actually configuring your servers properly, etc then perhaps not.
Thank-you (to "sjames") (Score:2)
I was just going to post when your comment made me rethink the whole thing and write this reply instead.
Having worked in I.T. for 25 years or so now, I'm pretty familiar with the "computer security" marketplace. Most of the time, you've got a combination of "former hackers who decided they could make a living out of selling comp-sec stuff" and big companies seeing $$$$'s by getting behind these initiatives to sell solutions.
Meanwhile, in the rest of corporate America, I.T. expenditures are increasingly unde
Re: (Score:2)
I don't know, I've been in IT for about as long as you have, and I have never seen where IT was more than overhead, unless the company itself was a tech company, and even then, internal IT is still overhead.
Re: (Score:2)
Right. We don't make money for the company. We are overhead. That is exactly it.
But... even without a huge budget, it is not that hard to come up with good security practices that cost next to nothing extra. Things like user training, keeping on top of updates, good policies and good enforcement are huge parts of security... because really, people are the insecure parts of networks.
Re: (Score:2)
I agree that some pretty routine protection can give you a considerable amount of value.
But it wouldn't stop a concerted attack on you. You'd have been vulnerable to something like Heartbleed for two years, even if you patched every hour of every day of that two years. There have been other examples of obscure vulnerabilities that have been very serious and still missed for all of that. There are definitely things out there that no one knows about, or no one has gotten around to fixing yet. All it takes
Re: (Score:2)
And what would the expensive checkbox appliances have done about heartbleed? Nothing.
You are correct that there is no such thing as perfect security. That is true no matter what approach you take and no matter how much time or money you throw at it.
They cut off this important quote... (Score:2)
He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.
And that's the bottom line. And this should worry people that put so much personal data on social media, but it won't. Honestly, there's no news here, considering that not many care about their own personal data's security.
It's not just a cost issue. (Score:5, Insightful)
Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the costs of spending more and more on preventive security solutions versus the cost of a security breach.
Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.
Re: (Score:2)
You bring up an interesting point. Recovery is the last line of defense. There may not BE a defense (at any price) to ward off the latest zero-day exploit. When security measures become difficult or expensive, it's important to remember that there is no such thing as 100% prevention. At some point, beefing up security reaches a point of diminishing returns. Although a business model MAY collapse due to security issues, it will SURELY collapse if overhead cost exceeds revenue.
Re: (Score:2)
Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the costs of spending more and more on preventive security solutions versus the cost of a security breach.
Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.
You're exactly right. The first thing that I tell people about computer system security is that there is no such thing.
As you said, in computer security when you're on the defense -- you lose. All you can do is raise the bar as high as you can with the budget and resources given to you, and then you plan for recovery with the expectation you'll need to at some time. Security is risk mitigation and nothing more.
I think the issue here is that when people are having their information compromised in a widely pu
Re: (Score:2)
In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe
A lot of the exploits we've seen haven't been zero-days or complex attacks. They've been low-hanging fruit that would never be left open by an admin like you.
Externalities (Score:2)
The $200k figure is internalized costs; the cost of providing free credit protection to those affected (which almost no one takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through. The externalized amount, the burden on those whose data was stolen, is far greater. Also, one has to keep in mind that most breaches are minor incidents involving insiders; they cost very little to fix (change password: done) and no further spending is nec
Re: (Score:2)
The $200k figure is internalized costs; the cost of providing free credit protection to those affected (which almost no one takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through.
This is a good point about the PR stunt of credit protection. What a joke.
The externalized amount, the burden on those whose data was stolen, is far greater.
Also a really good point. Until someone class actions up on a few of these companies we're going to see IT security continue to race to the bottom just like everything else in this industry.
Part of the problem will self-correct... (Score:2)
If a company can go to a bog-standard insurance company like Travelers or AIG and spend a small fraction of both the real breach cost and the cost of actually securing things, they will - the profit motive demands it.
What the profit motive DOESN'T demand is the insurance company look at their costs with a blind eye. Right now, I'm sure a large number of those policies are untriggered, so in aggregate, th
Productivity losses (Score:3)
Re: (Score:2)
Spend and still lose (Score:3)
You can spend glorious tons of money on security and still get hacked. The problem is that the internet has no boundaries built in and folks are trying to hide information. If it's networked to the internet, directly or indirectly, that information can get shared. Period.
How to fix? Only information you're willing to share with the whole world should be on a system that is networked.
Patch, Backup, Rotate (Score:2)
Just realize half of all penetrations are as a result of social engineering or tokens that get passed out beyond your control.
Patch: keep your servers and workstations and laptops and mobile devices patched to the latest fix. Realize the latter two have a high chance of not being, due to their nature.
Backup: keep both daily and periodic backups. Have periodic full backups offsite. Always assume people will corrupt and mess with your key files. Keep offline offsite versions of those.
Rotate: don't always do t
Did they.... (Score:2)
add in the lost business from people who don't shop or use their services anymore? I haven't shopped at Target or Home Depot since they lost my data.
A secure architecture&OS would be more economi (Score:3)
x86 and systems based on it are hopeless from a security perspective, and that is even before considering the ticking time bomb that is Intel's Management Engine. It will be exploited eventually, and it would be surprising if the NSA wasn't already compelling Intel to backdoor it.
See the Mill security architecture [millcomputing.com], for an example of how a clever architecture can eliminate the bulk of common exploit vectors, and require little more than a recompile. It isn't the only option, but I highlight the Mill because it is a fascinating and novel architecture which also addresses many other long-standing issues with conventional systems. The security mechanisms also enable performant microkernels to be built, and protection between applications and libraries.
Operating systems will require work to take advantage of the protection features, but that will benefit everyone and be well worth the investment. This is the kind of "cyber" initiative I would like to see, rather than the focus on offensive capabilities. The latter poses a direct conflict of interest with securing systems, and ensures that adversaries will stock vulnerabilities rather than share and fix them.
True Story (Score:2)
Dear Penthouse -
Whoops, wrong place.
Anyhow...About 22 or so years ago I was sitting in the hot tub with my girlfriend at her apartment complex in Mountain View when two dorky young guys come and jump in with us. I'm thinking "swell, we're usually alone out here all evening and there go my immediate plans for a little semi public nooky".
One starts talking about how he and the other guy are going to start up this search company named Yahoo and went on and on about it. Eventually they left and I turned to my
Comment removed (Score:4, Insightful)
Re:What? (Score:4, Interesting)
You do need to factor in the cost to the customers, which can be quite high when you "out" 50,000 customer credit card numbers... personally, I feel that the customers should be compensated for the actual cost of loss plus $100 for the hassle of having to jump through all the security hoops associated with a CC# change. CC companies pay more than that in advertising to get a customer to switch to their CC.
Re: (Score:2)
Clueless CEO/CIO spends buttloads of money on security systems that are little more than digital snake oil and when they get hacked, their conclusion is that spending money on security is a waste.
Re: (Score:3)
I disagree. There are plenty of people who can use money well. The problem is that the system rewards people who make money for the purpose of making more money. The problem here is that security is not profitable, and the downside seems to be less expensive than not covering that overhead cost.
We need to find a way to properly incentivize security as its own end, because as I have noticed in my career, getting security resources is like pulling teeth, until someone threatens a suit or seriously damages
Re: (Score:2)
Will we? I seem to recall some rich people who had their nudes posted all over the internet in recent memory. Perhaps you mean the 0.1%?
Security is security. The rich people are just as vulnerable as we are to it, and if you think about it, those are the people who are more likely to ignore their own security because they don't spend any money on it in their professional lives either.
Re: (Score:2)
Sometimes I wonder if the real solution to this is a requirement that board members actually have to use the service their company is providing for their own personal use.
Re: Not in their best interest... (Score:2)