Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk)
It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporations are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Even though a data breach costs a company a significant sum, it is still in the company's best interest not to spend on upgrading its security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
Then the spending on security will go up.
Don't use the internet for anything business related until business gets serious about fixing the problem. These people just want their profits and, like they learned getting that MBA, the easiest way to do profits is to re-direct costs. In this case, put the costs of doing business online onto the customers. Seriously, who pays the real price when a business gets hacked and all the customer data goes walking out the door/server? The customers suffer from having their data abused, that is who suffers.
Do you trust your ISP with your bank account number, address, phone number, etc? How about your bank? Your employer? Your local utilities? How many of these types of businesses have you seen hacking reports on these past years? All of them, repeatedly, every year.
Do you remember in 1995 when the business and banking communities were warned that the internet was not designed with security in mind, but the complete opposite? Do you remember that they all just said the business opportunities were just too great to ignore and that security would naturally follow usage?
The internet is not for business; the internet is for porn!
Everything in the Universe sucks: It's the law!
I'm hearing about cases where companies got hit with CryptoLocker-type viruses. And it wasn't something that just happened in a 30-minute period. It was a sleeper virus that waited 72 hours before activating, which invalidates all of your recent backups. All it would take is a sleeper that takes 1 month, 6 months, etc. to activate and then bam - you're done. No good backups. No data = no company. It would be a nightmare.
"A plan fiendishly clever in its intricacies"- Homer Simpson
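The "sleeper" scenario in the comment above comes down to one number: is the dormancy period longer than the age of your oldest retained backup? The following is an added example, not code from the original thread or from any backup product, that models a constructed grandfather-father-son rotation (7 nightly, 4 weekly Sunday, 12 monthly first-of-month copies; the policy, the dates and the assumption that a backup taken on or after the implant day carries the dormant payload are all mine) and reports how much data survives for a given dormancy:

```python
from datetime import date, timedelta


def retained_backups(today, dailies=7, weeklies=4, monthlies=12):
    """Dates of the backups still on hand under a constructed GFS rotation:
    the last `dailies` nightly copies, the last `weeklies` Sunday copies and
    the last `monthlies` first-of-month copies. This is an assumed policy
    for illustration, not any real product's default."""
    kept = set()
    for i in range(dailies):
        kept.add(today - timedelta(days=i))
    # weekday(): Monday == 0 ... Sunday == 6, so this lands on the most recent Sunday
    last_sunday = today - timedelta(days=(today.weekday() + 1) % 7)
    for i in range(weeklies):
        kept.add(last_sunday - timedelta(weeks=i))
    year, month = today.year, today.month
    for _ in range(monthlies):
        kept.add(date(year, month, 1))
        month -= 1
        if month == 0:
            year, month = year - 1, 12
    return sorted(kept)


def clean_backups(activation_iso, dormancy_days, **policy):
    """Retained backups taken before the sleeper was planted.
    Assumption: a nightly backup taken on or after the implant day silently
    contains the dormant payload, so restoring it re-infects the host."""
    activation = date.fromisoformat(activation_iso)
    implant = activation - timedelta(days=dormancy_days)
    return [d for d in retained_backups(activation, **policy) if d < implant]


def days_of_data_lost(activation_iso, dormancy_days, **policy):
    """Age of the newest clean backup on detonation day, or None when every
    retained copy already carries the payload (the 'no good backups' case)."""
    activation = date.fromisoformat(activation_iso)
    clean = clean_backups(activation_iso, dormancy_days, **policy)
    return (activation - clean[-1]).days if clean else None


if __name__ == "__main__":
    detonation = "2016-09-15"  # constructed date, a Thursday
    for dormancy in (3, 30, 400):
        lost = days_of_data_lost(detonation, dormancy)
        verdict = "no clean backup left" if lost is None else f"restore loses {lost} days"
        print(f"sleeper dormant {dormancy:>3} days: {verdict}")
```

With this policy a 72-hour sleeper costs four days of data (the last clean Sunday copy), a 30-day sleeper pushes the restore point back to the first-of-month copy, and anything dormant longer than the oldest monthly (about a year here) leaves nothing clean at all. The useful takeaway is that the retention horizon, not the number of copies, is what bounds the dormancy you can survive, and that a restore test should include checking whether the "clean" image is actually older than the first sign of intrusion.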
You do need to factor in the cost to the customers, which can be quite high when you "out" 50,000 customer credit card numbers... personally, I feel that the customers should be compensated the actual cost of loss plus $100 for the hassle of having to jump through all the security hoops associated with a CC# change. CC companies pay more than that in advertising to get a customer to switch to their CC.