Slashdot Mirror


How Much Does a Reputation For Security Matter Anymore?

dasButcher writes "We often hear that businesses risk their corporate reputations if they don't have adequate security. It's been a common refrain among those selling security technologies: protect your data or suffer the reputational consequences. But, as Larry Walsh points out, the evidence is against this notion. Even companies that have suffered major security breaches — TJX, Hannaford, etc. — have suffered little lasting damage to their reputation. So, does this mean that reputational concerns are simply bunk?"

9 of 98 comments

  1. bad news is good news? by An anonymous Frank · · Score: 4, Interesting

    Outside of geek circles, people might assume that if a firm has just suffered a security blunder, they'll sure be addressing the issue seriously, and that they will make sure it doesn't happen again, as opposed to firms that haven't and presume that security is something other people need to worry about.

    Don't know about repeat offenders though.

  2. It only matters if you're affected by BadAnalogyGuy · · Score: 5, Insightful

    Once your identity is stolen, it doesn't matter what precautions the leaking company took or what their reputation is.

    And if your identity hasn't been stolen yet, it might be better to go with a company that has suffered an attack because they likely won't make the same mistake twice.

    Reputations are just rationalizations. Real security is not measurable by reputation.

  3. Duh by BobMcD · · Score: 3, Insightful

    Look, people make mistakes. It happens. Even when those people are gathered into large groups. People also tend to forget things that aren't presently being trumpeted on the news as a "Big Deal".

    Also, most folks don't like to worry about Security, and aren't too quick to criticize when others don't like it either. It is a classic PITA for the general public, without any measurable return on investment, so they're even further inclined to forgive. Only fear keeps us all in line, and people don't generally seem to criticize when the fear isn't working.

    1. Re:Duh by hey! · · Score: 3, Interesting

      It's not so much forgiveness, I think, as resignation.

      For the public, worrying about computer security is like worrying about an invisible, odorless poison gas that appears in completely random places. If they knew where the gas would strike, they'd fear those places. If the gas had an odor, they'd learn to fear it. If they knew who was responsible for creating the gas, they'd demand that outfit be shut down.

      But if there's nothing they can do to protect themselves, they'll just ignore it and hope for the best.

      That's what computer security is like for most people. They don't understand it, and they have good reason to suspect that the people who run the companies they deal with don't understand it. If a company gets hit with an embarrassing breach, they might reasonably conclude that its claim to have learned its lesson is just as credible as a different company's claim it hasn't been hit because it already knows better.

      If you want to fix this, there are two ways, neither of them popular. The first is more regulation of record keeping practices. The second is to establish liability of companies when information they are holding is misused.

      --
      Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.

  4. No security available anywhere by Anonymous Coward · · Score: 5, Insightful

    Essentially, no business properly secures their data. This means there are no alternatives, so there can be no repercussions from failure to enact proper security. People may moan and complain, but it isn't that they chose a company with poor security, it's that the industry just does business without security. For instance, no one will go without banking, and no bank is known for properly securing their data. Thus, clients can't create loss of profits for businesses with a poor security reputation.

    Additionally, most consumers don't consider security as a main part of what they get from a service, thus not making it a major part of their decision. People don't look at banks (example) for how securely they store passwords, but instead for the interest rates provided. Again, until some start doing it right, none will be forced to.

  5. Size matters by mcrbids · · Score: 5, Interesting

    From what I can see, size matters. The impact of a security breach on the business is inversely proportional to the size of the business. Small companies, big deal. Big companies, Eh - whataya gonna do?

    --
    I have no problem with your religion until you decide it's reason to deprive others of the truth.

  6. Re:For me they did (no they didn't) by cblack · · Score: 4, Insightful

    So then their security breach had no effect on their bottom line as far as you as a customer are concerned. In fact it could be argued that now they are making more $$ off you than before as they don't have to pay credit card transaction processing fees for your purchases.

  7. No 9-11. Yet. by Hasai · · Score: 5, Insightful

    The problem is there hasn't been the digital equivalent of a 9-11 yet. Once someone breaks into one of the major banks and zeroes the accounts of several million Americans, then you'll see a reaction. Too late. As usual.

    --

    Regards;

    Hasai

    1. Re:No 9-11. Yet. by AdmiralXyz · · Score: 5, Interesting

      Your statement actually has rather terrifying implications, since after 9/11 we saw a rush of hysterics that created a) illusory security practices like the nonsense we have to put up with at airports and b) several wars in the Middle East that have done anything but make us more safe. I can't help but think that when (not if) there is a break-in like you describe, the government is going to start keeping track of everyone who downloads nmap, etc.

      --
      Dislike the Electoral College? Lobby your state to join the National Popular Vote Interstate Compact.