Slashdot Mirror


Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk)

It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporations are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Despite losing a significant sum of money on a data breach, it is still in a company's best interest not to spend on upgrading its security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (i.e., shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

12 of 184 comments

  1. The power of a concentrated marketplace by Anonymous Coward · Score: 4, Insightful

    People have no options in the market for strong security, otherwise they'd punish these companies in sales.

    1. Re: The power of a concentrated marketplace by vux984 · Score: 4, Insightful

      The loss of reputation has a direct impact on revenue.

      And how much were you paying them before?

      Even the summary mentions the companies are having a hard time quantifying the costs of lost PR.

      Just ask Yahoo. I trust them even less now.

      And how much is your trust worth to Yahoo? How much money were they getting from you before? How much now?

      Most people don't really seem that affected by breaches. Hell, I would have thought the breach at Ashley Madison would have done them completely in on reputation loss alone...

  2. Bottom line... by __aaclcg7560 · Score: 2, Insightful

    Your info is already scattered all over the Internet from previous data breaches. It's cheaper to do nothing than build infrastructure that won't add to the CEO's annual bonus.

    1. Re:Bottom line... by alvinrod · Score: 4, Insightful

      If valuable information wasn't being stored in plain-text or otherwise easily accessible it wouldn't matter. The ideal solution is to avoid storing sensitive user information that isn't needed whenever possible and encrypt if you absolutely must store something sensitive (medical records, etc.) because the reality is that no matter how much you spend on defense, it only takes one successful attack to render it all pointless. Further, even with exceptionally secure software, it's often a weakness in the humans maintaining it or overseeing it that leads to a successful attack.

      It's safest to assume that no matter how good your security, someone will eventually break through. As such, any sensitive user data should be encrypted so that it's not feasible for it to be exploited or used nefariously by the hackers who broke in. Everything else is just mitigating risk or delaying attackers. A locked door or alarm system won't stop a truly dedicated burglar, but it will make most look for another target or make it easier for them to slip up during the process in some way that leads to finding them.

    2. Re:Bottom line... by sdinfoserv · Score: 3, Insightful

      Thinking just about personal information is way too simplistic. Think about corporations throwing IoT everywhere without a second inclination towards security. Step forward into a cyberattack where all those devices have cooling disabled and increase power consumption to break the device or start fires. We're looking at a catastrophic loss of infrastructure, not just the North Koreans knowing John Smith takes Viagra.

    3. Re:Bottom line... by whoever57 · Score: 3, Insightful

      Those who are untrustworthy will fail in a free market. Security is a non-issue if you believe failing at it can be so easily manipulated away. The argument defeats itself.

      History (numerous recent examples) proves you wrong.

      But what is wrong with your argument is that, in order to fail, you have to be worse than your competitors. When everyone is untrustworthy, there is no downside to it.

      Also, there is the very real problem posed by the concept of a limited liability company. We know that the absence of limited liability prevents investment, but the very real effect of limited liability is that, without regulation, people will take actions that externalize their real costs.

      Or, to summarize: to have a healthy economy, you need limited liability companies. If you have limited liability companies, then you need regulation.

      --
      The real "Libtards" are the Libertarians!

  3. lower infosec budgets will INCREASE hacking damage by Khopesh · Score: 3, Insightful

    This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).

    However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.

    Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.

    --
      Use my userscript to add story images to Slashdot. There's no going back.

  4. Re:And you can bill the hacker the costs to fix st by JoeMerchant · Score: 5, Insightful

    It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flaunt the niceties and come in anyway.

  5. Then they need an incentive by somenickname · Score: 5, Insightful

    If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.

    It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.

  6. Two words: "Ford Pinto" by buss_error · Score: 4, Insightful

    113 million dollars to fix.
    49 million dollars for the death and destruction costs.
    Ford chose death and destruction over the lives of customers.

    To this day I won't own Ford.

    http://www.popularmechanics.co...

    --
      Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.

  7. It's not just a cost issue. by nuckfuts · Score: 4, Insightful

    Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the cost of spending more and more on preventive security solutions against the cost of a security breach.

    Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with, it makes more sense to focus on a good recovery solution rather than focusing mainly on prevention.

  8. Patching is less risky than getting hacked by Neo-Rio-101 · Score: 3, Insightful

    We've known this for ages....and I learnt about it the hard way years ago as a webmaster.

    I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
    Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
    Turns out that doing so broke a number of customer webpages that relied on some old broken and unmaintained code, and the customers then complained and whined to our company that we had threatened their businesses.

    Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.

    Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.

    Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT - you may as well fire the sysadmins because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure, or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.

    That's how security patching works in the real world. In other words, it doesn't.

    The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive. That's why there is so much outsourcing combined with support contracts so company managers can point the finger at vendors when things go to hell and then walk away with legal indemnification and still keep their job when things eventually go to pot.

    --
    READY.
    PRINT ""+-0