How Much Does a Reputation For Security Matter Anymore?
dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"
Outside of geek circles, people might assume that if a firm has just suffered a security blunder, they'll surely be addressing the issue seriously and will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.
Don't know about repeat offenders though.
Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.
And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.
Reputations are just rationalizations. Real security is not measurable by reputation.
Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".
Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.
Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.
Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.
From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Outside of the geek world, these data breaches either go unreported or just get a passing mention between breathless coverage of $CELEBRIDEATH and breathless coverage of $REALITY_SHOW_CONTESTANT. A lot of people simply don't realize that these things are going on.
Oh, no! You have walked into the slavering fangs of a lurking grue!
So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.
Here is an interesting piece about corporations and their incentives to protect their reputations.
It is not about IT (it is about insurance companies in Nazi Germany), but provides a very good insight nonetheless.
If you're a relatively mundane manufacturing company and you leak customer data -- who cares?
If you're a Visual Effects studio and you leak shots from a major new film, "sonny, you ain't gonna work in this town again".
The TJX breach didn't matter to the vast majority of TJX customers.
Most didn't hear of it, and those that did went "Oh, it was only X store and I wasn't affected."
Look at the TJ Maxx stores, they are a low end bargain retail chain, most of their business probably isn't even done with credit cards. Even those customers that were affected probably disputed the charges and moved on, without understanding how crappy the security was. Most customers probably bought the "oh my, we're sorry this happened, we'll make sure it doesn't happen again" line, even though anyone with sense could point out how BAD the security hole was and that the shocking thing wasn't that it happened, but that it hadn't been going on for years (that we know of).
Let's be honest... how many of us shopped there before? How many of us will not shop there again ever? How many will just not use a credit card at TJX stores?
Now if this were an online retailer where people think a bit more about "Hrm, where am I giving my credit card number?" A breach like this would mean more to the customers.
I put on my robe and wizard hat..
A credit card transaction processing company, Heartland Payment Systems, suffered a serious data breach in 2008. My credit card information was compromised. Unfortunately, there is nothing I can do about the situation, other than get a new card.
I called Heartland. They told me they were implementing end-to-end encryption (I don't understand how such a company could possibly not already be using extensive encryption). I asked them for a list of the companies that process transactions through Heartland so I could avoid those businesses. No such list is available -- precisely because it could damage the reputation of these businesses.
Heartland doesn't care, and there is no reason they ought to. This is why they didn't already encrypt my data. As far as I can tell, there is absolutely nothing I can do as an American consumer to discourage this type of corporate behavior from this industry in the future.
The people truly holding the reins in situations like these are the investors. What we need are investors who respond to ethical news as rapidly as they respond to financial news. But investors seem to like news of unethical behavior and corner-cutting, because it implies the firm will do anything to cut costs and maximize profits. The truly greedy people aren't the CEOs and the suits, it's the multi billion dollar pension funds and investors who want only to grow their money at the expense of everything good.
It's because so far, there haven't been any large-scale consequences resulting from the widely-publicized breaches.
Sure, a bunch of people's info got released, and some of those people had serious identity-theft issues resulting from it, but most of the people affected got new credit card numbers and moved on.
When there's a data breach that results in a bank going belly-up, or major stock fraud, or large loss of life, then a reputation for security might start to matter.
The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.
Regards;