Why should we mount a very expensive all-out defense against a lot of perceived threats? It's similar to "every child (programmer, etc.) MUST know this!". Making demands is easy. If people don't care there probably is a deeper reason. Yes, the heuristic gets it wrong, that's why it's a heuristic, but that it is one in the first place also has similar reasons.
It sure is possible to criticize a concrete company for concrete problems, but the blanket statement of the headline is not useful.
Right now, companies that lose data don't pay any costs at all until afterwards, and those costs are usually minimal. The reputational damage is reduced because no one knows until (well) after the breach, and any financial info lost is consumer credit cards rather than corporate accounts. Yes, users sometimes get free identity theft monitoring, but those services are quite cheap to account for the fact that they don't actually work.
More specifically, this is asymmetric information and therefore the market can't adjust for it. When Yahoo loses my data, will my passwords be salted and well-hashed? How could I possibly know in advance? Consumers aren't making privacy and risk choices, they're using the internet as best they can and getting repeatedly burned for it.
If you want a clear contrast, companies are enormously concerned about "whaling" attacks, and are working hard to prevent them. Those attacks take corporate money in real time, so the costs are properly factored in. Moral hazard is inherently about broken cost-benefit measurement.
Same with social security numbers and identity in general.
Solving the root cause in this case, though, was decided not to be good by the infrastructural organizations. Eating the fraud is cheaper than putting up barriers to payments.
If fraud liability was moved 100% to banks, payment providers and governments, we would see the problem fixed pretty quickly.
It hasn't been shown to be otherwise either though.
> companies that lose data don't pay any costs at all until afterwards
Because we don't know what they should pay. We need reliable research that nails down how much a security breach costs society, and until we have it, it's impossible to provide companies with the right incentives.
Note that the cost should depend on the circumstances. For example, if Google or Facebook has a major breach, it would probably have a bigger impact (on a per-user basis) than a small service.
If you just impose a uniform per-user cost for data breaches, then you're essentially giving larger services an unfair competitive advantage.
That's IMO a clear example of misaligned incentives.
See, no customer is entitled to a 100% guarantee that their private data will never leak. Why? Because it is not possible to guarantee such a thing.
The only thing you are entitled to is that the corporation handles your data following industry standards, which usually are at least identical to, but most often even better than, what the law requires.
If a 100% guarantee was somehow a legal requirement then the IT industry would cease to exist the following morning.
Examples of this would be food safety legislation, fire safety legislation, building regulations etc. In all those cases it was considered a good thing (by society) to implement laws to make companies take these things into account.
IT in general lacks this kind of legislation, and as a result companies unsurprisingly make commercial decisions not to improve security where they feel it would cost a lot of money to do so.
The problem comes in the negative externality: the company with bad security isn't the company that takes the loss, similar to the negative externality that the person who made a weak bridge likely doesn't die when it collapses.
So a logical argument might be to use legislation to fix this externality and make it a better decision for companies to improve their security...
Places like Yahoo have no such excuse.
FTFY: Don't want to consider having the resources to dedicate to properly hardening themselves against attack
While it's true that nature has taken the same path for the same reasons, I don't think I'd have to look very hard for people to agree that the fact that people fall ill, sometimes seriously so, is "sad".
It may be sad for security researchers.
Or for end-users who got their data breached, and aren't compensated fairly.
But lost revenue opportunities don't show up in the bottom line, so cost-focused managers don't think about them. And they conclude it's "cheaper" to not invest in this or that thing that their smarter competitors are doing.
"What gets measured gets managed." People think this (apocryphal) Drucker quote is advice. It is not advice. It's a warning.
The point is only looking at actual cost, not opportunity cost.
If I don't put a 3m electric fence with automatic sentry guns around my whole hypothetical house and land, does it mean everybody is automatically invited to freely try to break in, do damage, steal my stuff or post my private and legal data online for others?
The state should have better use for these guys, but there should definitely be punishment, not reward in any way. That's how all countries run these days.
If you did, there is a name for what you have built: a bank. And you can be pretty sure people then will not have any issues with whatever security measures you take. Most of all, your cost of security installation is now covered by other people's money, which effectively gives you very precise calculations on what exactly you can and cannot spend. You are more than free to return the money and shut down shop if you feel you are in a completely unsafe neighborhood which makes your bank impossible to run at a profit.
To stretch this point a little further, imagine you did have a bank, and your customer comes and demands to take their money out, and you say "Oops. I had just left it out here on this desk, and when I went to pee, a kid just came in and ran out with all your money. I feel bad for you, but the cost of moving the stuff back and forth between front desk and the vault would make the service unprofitable. It's not my fault, it's all these children in the neighborhood who keep pranking me".
The lowered barriers to hacking, combined with an ever moving target for what constitutes good security, are genuine concerns. But as a company, you are expected to shoulder the burden of security as a precondition of making the claim that you provide a good service. One way or another, people actually pay you to take care of their data as part of the service.
"Attractive Nuisance"
Yes, if the IT defenses are poor and they get in, fair enough; another one is if they get the password list and shop around.
You're saying it like it's ok to rob the house with only one lock, as opposed to the one with several locks and security cameras.
Sure, the hacker broke the law by hacking in, but I wouldn't have had my PII stolen if the thing had been secured.
Locks, physical and mathematical, are for the deterrence and convenience of the generally honest. Law enforcement, as an active defense, is for the deterrence of the actively attacking. At some point you're always going to have to stop turtling and build an army.
What if it's "cheaper" for the car companies to let the cars crash than adopt stronger security? You may think that there's no way a recall would be worth it, but we're already seeing companies such as Tesla "fix" the issue over the air, and chances are most of the new self-driving cars will be fixed the same way, if not all.
The only thing that would be left is the "bad PR", which may be much smaller in the future, because there won't be any recalls. If only 2 people die, and then all cars are fixed, the outrage just won't be as big as when 100 people die due to a brake malfunction, and then 5 million cars have to be recalled, impacting 5 million people (as opposed to only the families of those two in the former example) that would then personally spread the bad news.
Also the "bad PR" doesn't seem to affect tech companies, or even retailers, or banks, all that much, so I doubt it would affect car companies that much more in the future (for the reasons I mentioned above).
Just because there isn't a fence around an area that says no trespassing doesn't make it legal to walk through.
"But they didn't have a fence and it was easy to walk into the area."
It also helps to look at the other end: minimum cost to stop most problems. Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APTs in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPNs by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely costs anything. Apathy, which the article acknowledges, is the only explanation.
A nice example was the PlayStation Network hack. I didn't expect them to spend much on security. I also didn't expect it to come down to having no firewall (they're free) in front of an Apache server that was unpatched for six months (patches are free). That this level of negligence is even legal is the main problem.
What I see all the time in IT security is that for many people doing security means spending lots of money on products with highly questionable promises. It's very doubtful that many of the security appliances you can see at RSA or Black Hat do any good; in many cases they add additional risks. But the industry is selling a story that the more boxes you buy and put in front of your network the better.
For a lot of companies there are very cheap things they could do to improve their security. This starts with such simple things as documenting on the webpage who outside security researchers should contact if they think they found an issue in the company's infrastructure.
So I have quite some doubts that the formula "spending more on security == better security" holds.
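The "who should researchers contact" page mentioned above has since been standardized as a security.txt file served at /.well-known/security.txt (RFC 9116). The following is an added illustration, not something any commenter posted; every URL and address in it is a constructed placeholder on example.com:

```text
# /.well-known/security.txt (RFC 9116 layout; all values below are constructed placeholders)
# Where to send a report; more than one Contact line is allowed, listed in order of preference
Contact: mailto:security@example.com
Contact: https://example.com/security/report
# Required: date after which this file should be considered stale (keep it under a year out)
Expires: 2026-12-31T23:59:59Z
# Optional: public key for encrypted reports
Encryption: https://example.com/pgp-key.txt
# Optional: page crediting reporters
Acknowledgments: https://example.com/security/thanks
Preferred-Languages: en
# Optional: the URL this file is meant to live at
Canonical: https://example.com/.well-known/security.txt
# Optional: disclosure policy researchers are expected to follow
Policy: https://example.com/security/policy
```

Only Contact and Expires are required by the RFC; the rest are optional fields that remove friction for a reporter who has found something and wants to hand it over.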
This directive will drastically increase fines for data leaks in the EU.
I mean, if the company's website gets hacked and your credit card data is stolen, then your card is charged $1,000, it's not the company that pays for it, right? You either talk to your bank to mark the purchase as fraudulent and get the charges reversed, or pay for it yourself (e.g. if it's a debit card).
Perhaps that's the solution though: a way to directly associate fraudulent purchases with security breaches where credit card data has been stolen, and a law that requires the breached party to pay all expenses related to that fraud. That would get all major retailers scrambling to get their shit secured.
I guess I'm just sour that articles like this tend to gloss over what is often the most important impact of a security breach--the end-users' data and privacy--and instead focus on easy-to-report numbers.
The counterpoint of what will the costs be if we carry on with the current level of security and drive IT systems more into everyone's lives has to be considered too.
Bitcoin services aren't a good example here - they're very different than data breaches. If anything, they're a rare example of a case where hacks usually do lead to the destruction of the company; that Bitfinex wasn't killed immediately is an exception, not the norm.
You have to use good building materials to start. After the house is built, you get into the decision cycle of maintaining, repairing or replacing the home.
At least companies have somebody (with $$) to sue when a security breach happens.
I'm really confused by the following: 1) people want free services and 2) people want extra security.
The above is like getting a free home security system and then complaining that the alarm does not work consistently.
The hardened security infrastructure is still extremely expensive to implement and maintain. You can't just deal with breaches because the fines (straight from Uncle Sam) can be huge relative to your profits. Even if the fines weren't bad enough at face value, you aren't a huge corporate giant, so customer churn after a bad enough breach is going to be worse than it would be for a bigger/older company. You are also paying large insurance premiums that don't even fully cover the fallout of a potential breach.
I don't monitor the Apple forums nowadays, but it was common in the early switcher days to have people asking how to disable UNIX security and make it work just like Windows 9x.
The costs of intrusions against financial institutions are seldom fully understood by people outside the industry but represent a lot of ongoing costs.
A mountain of bureaucracy that slows down everything as much as if you had strong defenses, but is effectively as weak as bad security.