Slashdot Mirror
How Much Does a Reputation For Security Matter Anymore?
dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"
Outside of geek circles, people might assume that if a firm has just suffered a security blunder, that they'll sure be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.
Don't know about repeat offenders though.
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.
Reputations are just rationalizations. Real security is not measurable by reputation.
Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".
Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.
Maybe because it's not a matter of "if" but "when"...
Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.
Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.
From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
I live very close to stores from both companies and only pay cash at them now.
Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Where there's nothing to lose, there's nothing to lose.
People want to feel safe. To that end, most people wind up playing mental games with themselves. Rather than make themselves aware of the danger (so they can make educated decisions that further their own safety) they just tell themselves stories about how governmental regulation or economic self-interest will drive these companies to provide the desired level of safety.
It isn't too different from doublethink (from the book, "1984").
It is so common, in fact, that those who refuse to engage in this practice, and instead aspire to learn what the actual state of security is and to take actions that protect themselves from danger, are given the label "paranoid."
Reputational concerns? Unless it makes it into the news, (in which case, we apologize and are working for a solution) you didn't hear about it.
Unless the lawsuit causes multi-million dollar losses, the price to update antiquated systems and clean things up is greater, and nothing will change.
People are all too happy to continue buying products without a second glance. If there's no blacklash, no sales dip, why would TJMAX care?
It's the evil of convenience... much the same problem with the credit card itself.
So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.
In 2000, I think the thing that killed an online store selling CD's wasn't a bad online rep.
Think back. What was all the rage in 2000? Napster.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Here is an interesting piece about corporations and their incentives to protect their reputations.
It is not about IT (it is about insurance companies in Nazi Germany), but provides a very good insight nonetheless.
If you're a relatively mundane manufacturing company and you leak customer data -- who cares?
If you're a Visual Effects studio and you leak shots from a major new film, "sonny, you ain't gonna work in this town again".
Remember, the company you see on the news regarding their first ever data breach had a sterling security reputation... until it didn't.
I expect companies I do business with to do everything possible (within reason) to prevent breaches, but I also accept the fact that breaches are inevitable.
Be upfront and honest with me about it. Make sure it doesn't happen again. Repair any damage that was done. Do those things, and you'll have my business.
-William Brendel
Banks, Hedge funds, Insurance companies and anyone dealing with money ... this is a real and valid concern because not only are stock holders and nvestors watching your every move but the Feds are as well and you get audited regularly to see that you are in compliance with a variety of guidelines.
Failure to meet, match or getting caught with your pants down on security can mean clients will not sign up with you due to your ranking or lack of credentials.
This is my sig. There are many like it but this one is mine.
The TJX breach didn't matter to the vast majority of TJX customers.
Most didn't hear of it, and those that did went "Oh, it was only X store and I wasn't affected"
Look at the TJ Maxx stores, they are a low end bargin retail chain, most of their business probably isn't even done with credit cards. Even those customers that were affected probably disputed the charges and moved on, without understand how crappy the security was. Most customers probably bought the "oh my, we're sorry this happened, we'll make sure it doesn't happen again" line, even though anyone with sense could point out how BAD the security hole was and that the shocking thing wasn't that it happened, but that it hadn't been going on for years (that we know of).
Let's be honest.. how many of us shopped there before? How many of us will not shop there again ever? How many will just not use a credit card at TJX stores?
Now if this were an online retailer where people think a bit more about "Hrm, where am I giving my credit card number?" A breach like this would mean more to the customers.
I put on my robe and wizard hat..
A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.
I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so I could avoid those businesses. No such list is available -- precisely because it could damage the reputation of these businesses.
Heartland doesn't care, and there is no reason they ought to. This is why they didn't already encrypt my data. As far as I can tell, there is absolutely nothing I can do as an American consumer to discourage this type of corporate behavior from this industry in the future.
The people truly holding the reins in situations like these are the investors. What we need are investors who respond to ethical news as rapidly as they respond to financial news. But investors seem to like news of unethical behavior and corner-cutting, because it implies the firm will do anything to cut costs and maximize profits. The truly greedy people aren't the CEOs and the suits, it's the multi billion dollar pension funds and investors who want only to grow their money at the expense of everything good.
*slap* Reputation comes from good response. If I have bad response, I will probably end up with bad reputation. Reputation is a collective social standing brought about from overall performance.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
It's insanely hard to sell security with the reputation angle. Why? Because neither companies nor customers give a rat's fuzzy bottom about it. Did you hear of anyone who canceled their account with a bank after said bank lost customer data by the gigabyte? Nah. Why? After all, now they fired that idiot that lost their data and now they're safe again. They said it themselves!
(if people actually heard about it, that is)
You sell security with the liability angle. If, and only if, there are some sizable fines tacked to the loss of private customer data, companies will probably, maybe, eventually start to listen. But only if they can't find an insurance company that covers that problem more cheaply.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
In the long run, nobody cares. Initially everyone cares because there's a big negative blow-up in the press, the stock takes a beating, and everyone spins their heads off. Then the quarter ends, the media loses interest, the stock comes back, and it's business as usual. And the real potential losers, the customers, never cared at all, they just want their latest fashions. The six people who might care do their shopping elsewhere, but they're statistically irrelevant. Now if you'll excuse me, I'm off to see what's shiny and new at Fry's.
you should read everything on the internet as if it had "but I'm probably talking out of my ass" appended to it.
Having a reputation for being bad doesn't mean much anymore because so many people have screwed up. But a reputation for being good is worth it's weight in gold.
If I told you about how horrible my credit card company treated me, would you care? No, because you expect all credit card companies to suck. But if I told you they were fantastic, did a great job dealing with an Identify theft case, then you might want to know about it.
excitingthingstodo.blogspot.com
We've been trained all our lives that the Government will step in and save us. Is it any wonder that people no longer bother to research things before they put their money in them?
I research dang near everything I buy, right down to my toaster-oven. Because I do so much research, I know how to read the information out there, and it has been a -long- time since I bought something that was crap. (Except some toys I bought on impulse without researching!) Most people can't be bothered, so they pay the price eventually.
But between getting away with being lazy and thinking the government will protect them, what motive do they really have to make wise decisions in the first place?
"If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.
Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.
When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.
Government agencies lose secure/private data all the time, and we respect still them.
"but money is the God of Algiers & Mahomet their prophet." - Rich. O'Bryen June 8th 1786
TFA links a company's security reputation to whether or not a breach occurred in the first place, not how the company responded to the breach.
There is a subtle difference between a reputation for having no security breaches and a reputation for responding well to security breaches.
I am claiming the former is not as important as the latter.
-William Brendel
They had a major problem a few years ago, where due to some poor sales policies they gave bad guys access to tons of SSNs. That led to pushes on Capitol Hill for major changes in how all personal data providers do business, and in particular how they handle SSNs.
That had a non-trivial impact on a bunch of companies, including one I worked for. It caused us to spend a lot of time and money checking to see if we had a similar vulnerability (because our business was very SSN driven).
Oh, well if you're taking that definition of security reputation, I fully agree; My mistake.
"Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
The issue is that there is little incentive to take proper precautions in protecting personal data. Yes, reputation might affect customer decisions a little, but the problem is so broad what are you going to do.. change your bank? I had a former employer send me a letter once that my personal data may have been exposed as they moved office buildings, what option did I have then? The only real answer I can think of is to have some legislation that penalizes a company if such a breach of personal data occurs. Of course that may provide the incentive for companies to just not report when such a breach occurs, which would probably be worse for the consumer.
Many potential customers won't to business with you if you don't pass security audits. There's one major reason why having some security pays off.
The other reason, of course, is breach notification. It is very expensive to tell one million people you left their billing info on an anonymous FTP server.
A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
We're talking fear of identity theft with these kinds of lapses/buffoonery, yeah? Are there identified spikes in identity theft over a period following these incidents? Are there any numbers?
Knowledge is valuable. Ignorance is dangerous. Censorship is unacceptable. http://slashdot.org/comments.pl?sid=10
A lot of the impact depends on how important that company is to your daily life. When Hannaford got breached, well, here in Maine there are basically three major food chains. Wally World sells truly awful produce but has decent prices. Shaws sells really good quality stuff but tends to charge a bit more. Hannaford is the "happy medium" for most folks. Then, of course, there are the mom-and-pops and smaller chains who have their loyal following, and that's great too. But a lot of folks went to Hannaford before the breach, and a lot of us do after the breach too. I even use my re-issued Discover card there (had to be reissued because it was on the "suspect" list, even though I fortunately never saw any suspicious activity on the card).
So if Hannaford got breached, so what? Their response was pretty good and they made amends to those affected. Family's still gotta eat. If they are the closest grocer, and/or the one you prefer, will you change your habits over that? A lot did at first, and I'm sure some still do, but the parking lot's still busy.
Now, if this was a high-end luxury item retailer, they'd probably be toast. If they sell something people don't actually need for their daily lives, a temporary boycott of a company like that can quickly turn into a "you know, I really never needed any of that stuff" permanent change. If you're holding on to your customers by anything but their basic needs (food, inexpensive clothing, shelter) then you never want to give your loyal customer base an excuse to try the competition.
"This post contains words, known to the State of California to cause thought. Wash brain thoroughly after reading."
TJX is not a company that any one expects much out of from the standpoint of security. While it would be nice if they were not idiots, but they were and it is unlikely that anyone who has done business with them would be surprised.
If a company where to have a solid reputation for security, and have a large chunk of their revenue based on security offerings and where then to be discovered to not only have been exploited, but to have been exploited because they failed to make even a reasonable effort to protect themselves then there would likely be a reputationional impact that could hurt/kill the company.
Tell Card Systems it doesn't matter...
http://www.consumeraffairs.com/news04/2005/cardsystems_sold.html
[disclaimer, I work in cyber security] Look at Matasano.com, John Bambanek, or Kevin Mitnick, they are all famous security researchers or companies. And all of them have been very publicly hacked in the past. None of them even speak about being publicly defaced and hacked, but all you have to do is read ZF0 and boom, evidence. Matasano's website still isn't even back up, and they charge inordinate amounts to profess to be security experts. I'm sure the big bucks are still rolling in for all of them, even though they can't even keep their own houses in order. Security reputation should matter, the same way reputation should matter. If you can't trust someones word, what can you trust from them? I'm speaking exclusively about the security industry in my comments. I personally still shop (using plastic) at TJX because their prices are very low. I wouldn't go to them for a PCI audit though, that's for sure.
The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.
Regards;
the stores are secured by security guards to keep . Just the credit card machines arent, which really isnt a retail store department. id say its more of a bank problem unless multiple incidents of cashier thievery occurs then its more of the credit card machines.
Have a bank do that with information, and more than likely I would switch banks.
Godwinned!
Common Sense
What it means is that the average person doesn't have any idea what "data security" is all about, not even when they read news stories about breaches in data security. The only time any of it gets through their heads is when their identity has been stolen and their lives are ruined because of it.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
And if the bank is wrong, it is still right.
Banks have *very* little liability. Many of the breaches have had to due with credit cards issued by, guess who? Banks. So who cares. The onus is on the card holders. The only rights a card holder has is in the creditors rights laws which do not cover identity theft.
So the bank can walk away from any civil liability in the case of identity theft. And just dare to try to impose liability. The banks will scream "We're too important to the economy! We'll stop lending! We'll stop buying government bonds!" They'll put a gun to our heads.
Remind me again why I should be happy to bail them out.
putting the 'B' in LGBTQ+
Whether it's "goodwill", "reputation", "contacts" or whatever. Yo often see these so-called assets listed when a business is up for sale. However no-one has ever found a way to measure the amount of any of these things that a company claims to have - klet alone being able to place an objective value on it. All these attributes are pretty much meaningless - either to customers or shareholders. The only thing that matters is price. Take low-cost airlines as an example. They (mostly) have a terrible reputation for service, attitude, courtesy and any sort of customer satisfaction. However by being a penny cheaper than the competition, they can always fill their planes and make a profit.
politicians are like babies' nappies: they should both be changed regularly and for the same reasons
It's the general feeling, even among professionals, that security breaches are arbitrary. That, for every laptop with unencrypted harddrives and/or data left in the train, there is a remote root hole on the securest system that defies explanation because it was never thought of before.
Religion is what happens when nature strikes and groupthink goes wrong.
Companies care about reputations only when it affects the bottom line (even TjMax suffered little compared to their gross). And with consumers facing little liability when credit card leaks happen they are unlikely to change where they shop. For security to suddenly matter you'd need something like
- companies start caring before the breach (e.g. credit card companies start charging a lot much higher processing fees to insecure businesses) ... unemployed mother of 4 faces everything due to identity theft at store
- a few hard luck stories on the 10-clock news
It would be great if companies with sloppy security practices would be punished severely, go out of business, have all their executives waterboarded and sent to Guantanamo, etc. But the next best thing is if I, as an individual, have a meaningful opportunity for choice. I switched from Ameritrade to Scottrade because I, like many other people, was getting pump-and-dump spam sent to the email address that I used only with Ameritrade. (For years they claimed it was dictionary attacks, even though I and many others explained to them why that wasn't a plausible explanation of the data. They finally admitted to a security breach after years of such stonewalling.) Another good example is that I use Linux rather than Windows. You can also go to optoutprescreen.com and opt out of unsolicited credit card offers, and that's actually a win-win; you're happy because of the better security, and they're happy because they keep you as a customer and don't get the expense of sending you offers that you're not going to read. And of course, you can take the opportunity to let companies know why you're making these choices. E.g., when I closed my Ameritrade account, I told them why.
No, I'm not under the illusion that Ameritrade, Microsoft, or Mastercard are shaking in their boots. These companies all basically made economic decisions that some other benefit was more important to them than taking their customers' security seriously. But that doesn't change the fact that my choices improved my own security.
Find free books.
It seems that everyone is ignoring the 800lb gorilla in the room.
http://it.slashdot.org/article.pl?sid=05/02/19/1424201&tid=93&tid=172&tid=218
My theory is that security experts (and novices like myself) feel totally... betrayed, flummoxed, frustrated, whatever, that we are still using security algorithms that have been compromised. I know you need a supercomputer to crack SHA-1, however last I checked there are quite a few of those, and you can basically make a mini-supercomputer with a dozen or so quad core computers or even a few PS3's. Not to mention all the other various "in the wild" security vulnerabilities that people don't care to fix.
Here's another HUGE problem that's being glossed over: SPAM. All you need to do in some cases is turn on an email client to be compromised because some jerk didn't feel like fixing that buffer issue in their handling of GIF images, and you didn't even know it was an issue because the manufacture was keeping the vulnerability a secret, and what would you do about it anyway? "Sorry Dan, you can't turn on your email client until this vulnerability is patched". That shit is just not in the cards. What do you do? Ignore the problem? So many security issues read EXACTLY like this. Eventually you have to say "Sorry we can't fix it, and you can't stop working so let's just pretend there is no problem."
This huge unspoken problem is gnawing away at my subconscious when I try and tighten security. In the back of your head there's a little FreeBSD daemon saying "Hey, it really doesn't matter if you update that port, the Chinese can crack it anyway." Or "What's it matter? There is some vulnerability that you are not privy to that is going to take the whole system down, so why mess with patching?" Of course you try and ignore the voice and patch anyway. However, that does not make the voice go away.
And maybe that time I did update it, but maybe next time I'll say "what's it matter, it's been compromised and nobody is interested in fixing it, I certainly can't fix it. So why should I care?". I think the attitude trickles down from the IT Sec. guys into the regular IT guys and then into the non IT guys until everyone has this cavalier attitude about security: "No matter how hard I try someone will always be able to break in, so fuck it. "
I, myself, have stopped shopping at TJX stores since the breach and I will not shop there again.
It's not that clear-cut, actually. Cash handling is expensive, although it has more of a fixed cost element than CC fees.
[FUCK BETA]
There was a story quite awhile back comparing two companies who suffered judgments in court. One company had followed all the rules and provided the archived emails/documents the prosecution wanted. They were found guilty and fined $200 million. The other company had no document retention policy, no archived emails and could not produce anything the prosecution wanted. They were scolded and fined $20 million. Which was the best business decision with regard to document retention policies? Not a perfect example nor applicable in all situations but it illustrates the business decision. This is a similar business issue. Do you spend a lot of money and man power on security? Or since the public memory is so short and the leading edge of the wave is well past it becomes just another page 5 story for most occurences. Just the few biggies make the front page and that is soon forgotten as well. When the business says the amount of attention and impact a breach would receive is small compared to the cost to protect against it, the game is pretty much over, move along. If it doesn't contribute to or protect the bottom line in a fairly direct fashion 99% of the time it won't get done. The other 1% of the time it's a law or regulation of some sort that forces action.
TJX and Hannaford are virtually unknown among normal people. If you don't have a reputation, it's pretty damn hard to destroy it.
Looking at the frequency of data breaches in the recent times, I do not trust anyone to be competent in that area anymore. To me, all the big companies have no idea of how they are actually handling all the data and therefore have lost their reputation already!