Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk)
It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporations are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Despite losing a significant sum of money on a data breach, it is still in a company's best interest to not spend on upgrading their security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
People have no options in the market for strong security, otherwise they'd punish these companies in sales.
Your info is already scattered all over the Internet from previous data breaches. It's cheaper to do nothing than build infrastructure that won't add to the CEO's annual bonus.
And you can bill the hacker the costs to fix stuff even when the system had no security at all.
Like our doors had no locks on them at all and someone broke in and now we have costs of $ to install locks on the doors.
or would
This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).
However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.
Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
Use my userscript to add story images to Slashdot. There's no going back.
Then the spending on security will go up.
Don't use the internet for anything business related until business gets serious about fixing the problem. These people just want their profits and, like they learned getting that MBA, the easiest way to do profits is to re-direct costs. In this case, put the costs of doing business online onto the customers. Seriously, who pays the real price when a business gets hacked and all the customer data goes walking out the door/server? The customers suffer from having their data abused, that is who suffers.
Do you trust your ISP with your bank account number, address, phone number, etc? How about your bank? Your employer? Your local utilities? How many of these types of businesses have you seen hacking reports on these past years? All of them, repeatedly, every year.
Do you remember in 1995 when the business and banking communities were warned that the internet was not designed with security in mind, but the complete opposite? Do you remember that they all just said the business opportunities were just too great to ignore and that security would naturally follow usage?
The internet is not for business; the internet is for porn!
Everything in the Universe sucks: It's the law!
It's the cloud. Did any serious security tech ever think that was a good idea.
Sure it's cheaper for the company if you are a greedy CEO type that only worries about himself and what affects his bottom line.
If you added up all the time and effort the poor customer has to deal with, when dealing with changing accounts, re-setting up billpay, fixing credit scores because of a company's breach.
The cost is way more than that measly 200k.
The end is near.
I'm hearing about cases where companies got hit with cryptolocker type viruses. And it wasn't something that just happened in a 30 minute period. It was a sleeper virus that waited 72 hours before activating, which invalidates all of your recent backups. All it would take is a sleeper to take 1 month, 6 months, etc to activate and then bam - you're done. No good backups. No data = no company. It would be a nightmare.
"A plan fiendishly clever in its intricacies"- Homer Simpson
If you find a vulnerability, companies must be exposed as loudly and embarrassingly as possible. That (or legal threats) is the only thing that can stop them.
Remember, there are companies out there that still don't hash passwords.
Irresponsible disclosure is responsible
It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flaunt the niceties and come in anyway.
In an optimal world, the costs would balance. If you spend zero on defense, then the breaches will increase due to the lack of defense. So, spend some on defense, make it harder to breach, breaches will always be possible, so where's the sense in spending more on defense than the breaches are costing?
Now, in military systems, the potential cost of a breach is rather high...
Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
I think the reality that is being recognized is that no amount of money spent on InfoSec is sufficient.
What needs to change is not reducing InfoSec budget as some kind of attempt to balance costs. What needs to change is the foolish belief that any amount of "good work being done" will eventually fix the problem.
The problem here is that dollar-signs are batted around to get people's attention. Of course it is dumb to say "well the cost of protecting the data is the same as losing it, so it's just a toss-up". But the bottom line is the same, InfoSec will always fail. That is because it is like any security -- ultimately useless against a sufficiently determined attacker.
From the article, it looks like they may be looking at cost deducted from revenue. But how about the market impact? Wouldn't their overall net worth suffer an immediate blow too? Optimistically, it would recover over some time, but still leaves a stain in the company's image that may drive some investors away. But I'm sure they've accounted for this.
You do need to factor in the cost to the customers, which can be quite high when you "out" 50,000 customer credit card numbers... personally, I feel that the customers should be compensated the actual cost of loss plus $100 for the hassle of having to jump all the security hoops associated with a CC# change. CC companies pay more than that in advertising to get a customer to switch to their CC.
If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.
It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.
A persistent threat that can't be effectively eliminated in a cost effective manner and the easiest way to deal with it is to just make it sort of hard and pass the remaining costs onto consumers?
It means hackers aren't able to do damage that is too valuable, doesn't it?
Except that the best defense against hacking is user training, policies, network segmentation and other low-tech solutions combined together into an intelligent overall strategy...
If you think you can just go out and buy security, you are most likely getting fleeced.
My eyes reflect the stars and a smile lights up my face.
113 million dollars to fix.
49 million dollars for the death and destruction costs.
Ford chose death and destruction over the lives of customers.
To this day I won't own Ford.
http://www.popularmechanics.co...
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
If your idea of defense is buying hyper expensive checkboxes, then yes. If you do the little things like actually doing updates, actually configuring your servers properly, etc., then perhaps not.
He also noted that the effects of a data incident typically don't have many ramifications on the stock price of a company in the long term. Under the circumstances, it doesn't make a lot of sense to invest too much in cyber security.
And that's the bottom line. And this should worry people that put so much personal data on social media, but it won't. Honestly, there's no news here, considering that not many care about their own personal data's security.
Politics; n. : A religion whereby man is god.
Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the costs of spending more and more on preventive security solutions versus the cost of a security breach.
Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.
It's also cheaper for your bank to use standard residential doors instead of massive several feet thick steel doors to protect their vault. The difference though, is that vault is protecting a metric shit ton more than your house.
Corporate servers are less like your house and more like a bank vault.
The $200k figure is internalized costs; the cost of providing free credit protection to those affected (which almost no one takes them up on), and investigators to figure out what was breached, how, by whom, and to maybe patch the hole they got in through. The externalized amount, the burden on those whose data was stolen, is far greater. Also, one has to keep in mind that most breaches are minor incidents involving insiders; they cost very little to fix (change password: done) and no further spending is necessary or effective; the ones we hear about are mostly the "millions of user account details stolen" incidents caused by external crackers.
Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
Yea, I'd also like a bit clearer accounting of what type of "security solutions" average more than $200,000... I think maybe these guys need a second opinion on what constitutes security.
I was just going to post when your comment made me rethink the whole thing and write this reply instead.
Having worked in I.T. for 25 years or so now, I'm pretty familiar with the "computer security" marketplace. Most of the time, you've got a combination of "former hackers who decided they could make a living out of selling comp-sec stuff" and big companies seeing $$$$'s by getting behind these initiatives to sell solutions.
Meanwhile, in the rest of corporate America, I.T. expenditures are increasingly under a microscope, because companies have long since been burned by and learned from the old idea that I.T. was an investment in the company's future. These days, I.T. is viewed more like a line item expense on budget spreadsheets. Sure, it's necessary .... but it's necessary like hiring a janitor is necessary, or like buying office supplies is necessary. When your I.T. staff recommends the latest gizmo that promises to do X and Y to stop outside system attacks or to analyze traffic? They start asking a lot of questions. What would it really cost us if we didn't buy this and we got hacked? What kind of disaster recovery stuff do we have in place to put things back to the way they were before the hack? What else can I.T. do to improve our security before we go buying all of this new stuff?
And guess what? In the majority of situations, the reasonable answer is to say "no" to the expensive new security appliances or software. A lot of that stuff is going to quickly become obsolete anyway. (Quite a bit of it is subscription-based where it receives regular updates from the manufacturer as long as you stay current on your payments. Guess what? When the (often small startup) security company making it gets bought out by someone else or goes belly up, you're often left with a costly paperweight that someone wants MORE $'s to replace with the "new, supported alternative/improvement" to it.)
If your I.T. people are competent enough, they should be keeping up with all the OS and software updates/patches, and that alone seals up quite a few of the security holes at NO extra cost. Other times, the smarter choice may be outsourcing one or more of the services you used to host in-house. Let the "big guys" host it for you and let THEM pay all that money for the fancy security appliances to protect your data AND the data of thousands of other customers of theirs. At scale, those security tools/software purchases make a lot more sense.
Following this logic, corps should just fake the breach, and sell their user data on the "Dark Web" themselves. It has value, and if that value exceeds the cost of losing it...profit!!!
... is that it's far cheaper and more effective to pay someone to float lies and falsified data like this "research" to convince their competition not to bother securing their networks than it is to just pay market prices for the customer data they want.
If someone was going to die as a result of a malfunction or breach of a system, we'd demand it be air-gapped and have robust CM. There would be hell to pay as a result of failure - think hospital systems. Or military systems.
The thing is, most of the systems businesses use aren't all that important in the grand scheme of things. No one is going to die if Twitter or Walgreens has a breach. Sure, for the individual, this is bad, but you're probably going to get your prescription anyway and having someone impersonate you on your Twitter account is irrelevant.
Cue "assumed breach"...we must assume that systems like Twitter and Walgreens are breached and are leaking data. Therefore, conduct any business with them while insulating yourself from the consequences of said breach.
HBI's Law: Frequency of calling others Nazis is directly correlated with the likelihood of the accuser being Communist.
Right now, I'd say a substantial part of the problem is insurance protection against cyber attacks.
If a company can go to a bog-standard insurance company like Travelers or AIG and spend a small fraction of both the real breach cost and the cost of actually securing things, they will - the profit motive demands it.
What the profit motive DOESN'T demand is the insurance company look at their costs with a blind eye. Right now, I'm sure a large number of those policies are untriggered, so in aggregate, they are still profitable. But when those costs become comparable, and a company factors in the lost productivity and PR issues (both of which are hard to quantify), they will actually secure things. Partially to save money on or qualify for their cyber insurance.
That's part of why news coverage of breaches and forced disclosure laws are so important - right now, to both businesses and insurers, the productivity and PR costs are too easy to ignore, and the insurer has little motive to force compliance. (In fact, it's theoretically more profitable to 'prove' to their customers that attacks happen and no tightening will prevent all attacks - both of which are absolutely true no matter what happens.)
And got Congress to pass a law making arbitration legally binding. SCOTUS just recently upheld it. You'll find a clause in the EULA of every service you use. You done got sold out again.
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Yes, sage advice indeed. Don't bother securing your servers, everything will be fine, we promise! What was your router IP again?
Factory workers got protection because there were a lot of them and they formed Unions. Security breaches only hurt a few people and they're completely unorganized. Hell, when the mega corps got tired of safety they just moved the factories. If we let them weasel out of that we'll let them weasel out of this. Besides, Americans pride themselves on luck. The lucky ones will be fine.
Clueless CEO/CIO spends buttloads of money on security systems that are little more than digital snake oil and when they get hacked, their conclusion is that spending money on security is a waste.
you're kidding, right?
$200K is a drop in the bucket of possible spend on security.
Stateful firewalls can cost more than that if you need to support a decent number of users at wire rate.
Add mail filters and the need for beefier servers to handle the crypto overhead compared to what you could have used without crypto...
My previous employer spent *at least* $200k/mo on security in IT.
Of course they were protecting IP that led to $34Bn profit on $55Bn gross...
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
I didn't see any mention of the productivity losses incurred by heightened security either. Our VPN is so locked down it's almost impossible to get things done remotely unless you happen to work in a business unit that is permitted to use terminal servers. To this day we aren't allowed to have video conferencing with parties outside the corporate firewall. I'd estimate the productivity loss to be around 5-10% of overall effectiveness.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
127.0.0.1, or if you prefer, ::1
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
So I could make my life cheaper and not need to constantly monitor my credit and other issues from fraud and identity theft by not making purchases with these companies.
You can spend glorious tons of money on security and still get hacked. The problem is that the internet has no boundaries built in and folks are trying to hide information. If it's networked to the internet, directly or indirectly, that information can get shared. Period.
How to fix? Only information you're willing to share with the whole world should be on a system that is networked.
I disagree. There are plenty of people who can use money well. The problem is that the system rewards people who make money for the purpose of making more money. The problem here is that security is not profitable, and the downside seems to be less expensive than not covering that overhead cost.
We need to find a way to properly incentivize security as its own end, because as I have noticed in my career, getting security resources is like pulling teeth, until someone threatens a suit or seriously damages the reputation of the company. Even then, it is usually more for window dressing.
I don't think his advice is particularly bad, it's more of an admission of reality. Spend the money to make a good solid security program, but let's face it, with all the 0-days out there and the threat sources, it is probably best to understand that successful attacks are inevitable. At least then, you also set aside time, money, and resources to deal with the impacts, and do planning that assumes that since breaches are possible, they need to be taken seriously when they happen.
I'm less concerned that someone stole my password than I am that a password might have been stolen, but I didn't know about it for weeks or months or years. If I at least know about it, I can take action.
Just realize half of all penetrations are as a result of social engineering or tokens that get passed out beyond your control.
Patch: keep your servers and workstations and laptops and mobile devices patched to the latest fix. Realize the latter two have a high chance of not being, due to their nature.
Backup: keep both daily and periodic backups. Have periodic full backups offsite. Always assume people will corrupt and mess with your key files. Keep offline offsite versions of those.
Rotate: don't always do the exact same thing. If someone hacks one machine in one place, you may notice differences if you switch it up a bit.
trust: never ever ever trust senior execs.
validate: never ever ever trust senior execs. they will give away access always.
confirm: never ever ever ever trust senior execs. they will order people to let the bad guys get access to your key data always.
(i'm starting to sense a pattern here)
-- Tigger warning: This post may contain tiggers! --
More important to me than the cost of keeping out a professional thief (after all, it's only money), is the inconvenience of a bulletproof security system - that's impacting quality of life at home, and similarly impacts the efficiency of businesses that over secure their assets.
Security solutions and spending also often includes the security people operating the solutions. And just one of them can easily be almost $200,000 a pop, not necessarily in salary, but in benefits, salary, and even getting a headhunter to find one.
As far as security software, that's pretty expensive too, but varies based on your level of security. I've seen packages that keep the records of every keystroke made on every server that you connect to it. Real Big Brother types of packages. That easily costs more than $200,000 a pop.
Also note that if you work at a smaller company that uses a certain piece of software that isn't very expensive for you because you have few heads and few computers to secure, that same package becomes much, much more expensive for big companies due to their scale, and even with deep discounting. I have to work with Fortune 100 companies in integrating with their security, and while it is not always inspiring to see their level of competence, it is very easy to see that they spend a shitload of money on what they have because they have high visibility and complex environments.
Will we? I seem to recall some rich people who had their nudes posted all over the internet in recent memory. Perhaps you mean the 0.1%?
Security is security. The rich people are just as vulnerable as we are to it, and if you think about it, those are the people who are more likely to ignore their own security because they don't spend any money on it in their professional lives either.
Sometimes I wonder if the real solution to this is a requirement that board members actually have to use the service their company is providing for their own personal use.
If Gov't is going to read our data anyway, at least they could provide the service of shielding it from everyone else? :-)
Add in the lost business from people who don't shop or use their services anymore? I haven't shopped at Target or Home Depot since they lost my data.
if only we had these things like diff or record comparisons, that would allow us to write back transactions over multiple file generations, and if only these had been created in the 1970s ....
oh
wait
Your house is protecting YOU first and foremost. Personal security is a great comparison with corporate security. We all do reasonable measures to protect ourselves but are hardly spending a large portion of our income to do so. We all know anyone that violates our property will be dealt with by authorities. We can only ask for reasonable security and a justice system that punishes those that go beyond that. Our justice system is AWOL on hacking.
Investors are the people who DON'T already have their money out of the company. The article claims they DO lose money -- just not as much as spending on security would cost them.
x86 and systems based on it are hopeless from a security perspective, and that is even before considering the ticking time bomb that is Intel's Management Engine. It will be exploited eventually, and it would be surprising if the NSA wasn't already compelling Intel to backdoor it.
See the Mill security architecture, for an example of how a clever architecture can eliminate the bulk of common exploit vectors, and require little more than a recompile. It isn't the only option, but I highlight the Mill because it is a fascinating and novel architecture which also addresses many other long-standing issues with conventional systems. The security mechanisms also enable performant microkernels to be built, and protection between applications and libraries.
Operating systems will require work to take advantage of the protection features, but that will benefit everyone and be well worth the investment. This is the kind of "cyber" initiative I would like to see, rather than the focus on offensive capabilities. The latter poses a direct conflict of interest with securing systems, and ensures that adversaries will stock vulnerabilities rather than share and fix them.
Dear Penthouse -
Whoops, wrong place.
Anyhow...About 22 or so years ago I was sitting in the hot tub with my girlfriend at her apartment complex in Mountain View when two dorky young guys come and jump in with us. I'm thinking "swell, we're usually alone out here all evening and there go my immediate plans for a little semi public nooky".
One starts talking about how he and the other guy are going to start up this search company named Yahoo and went on and on about it. Eventually they left and I turned to my girlfriend and said "That's the stupidest name I've ever heard of for a company".
And I think that sums up Yahoo. Disrupting others for a bit to no purpose, much rambling and meandering, and a silly name.
Not that "Google" is much better, or Microdick...err...Microsoft. It sounds so...little.
BOTTOM LINE - - - and THIS is the real Issue - is that the 'bean counters' are winning (have won)! As long as the profit margins are maintained - then the cost of the lawsuits and penalties are, basically, just a 'cost of doing business', and nothing will change until this fundamental issue is resolved. The cost of non-proactive performance / systemic issues MUST be made more expensive than non-compliance. When the cost accountants (and lawyers) can show that it is cheaper to pay the lawsuit losses and fines than it is to actually fix the problem, then American (and global) business will continue to follow the same old tried-and-true 'pot at the end of the rainbow' - - - the God almighty bottom-line ensconced in the corporate structure that places PROFIT ahead of any other issue - because the board-of-directors MUST be accountable to the shareholders and the fiduciary responsibility of the board is the PRIME DIRECTIVE , or they will be voted out of office. The 'PINTO' example mentioned in this thread is a prime example of this corporate mind-set. AND, a more current example is the 'Do No Evil' motto that has slowly, but surely, evaporated from the GOOGLE empire. SUCKS, but that's life, folks. My only remaining desire is to live long enough to remember - 'the year they killed all the lawyers' - - - NOT a threat, just a fervent, heart-felt wish.
redneck geek
Your house is protecting YOU first and foremost.
It's only really protecting me from the weather. Any theft protection is purely notional — that is, it's based on the notion that breaking and entering is prosecuted more severely than if I just had my stuff lying around outside in boxes. It's trivial to get into almost any house.
We all do reasonable measures to protect ourselves but are hardly spending a large portion of our income to do so.
If I were expected to protect other people's stuff, then I'd also be expected to spend a reasonable amount of money to do that. A gun dealer who didn't put extremely valuable guns in a secure safe would not be trusted by customers.
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
Get ready to change your mind! Hear from the engineer who caused the Pinto not to be recalled:
and
I can't possibly quote the whole article but it's really quite good: You can believe your simplistic version of events, or you can read the truth as illustrated in a way only Malcolm Gladwell could do.
http://www.newyorker.com/magaz...
We've known this for ages....and I learnt about it the hard way years ago as a webmaster.
I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
Turns out that doing so broke a number of customer webpages, which relied on some old broken and unmaintained code, and the customers then complained and whined to our company that we threatened their businesses.
Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.
Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.
Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT - you may as well fire the sysadmins because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure, or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.
That's how security patching works in the real world. In other words, it doesn't.
The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive. That's why there is so much outsourcing combined with support contracts so company managers can point the finger at vendors when things go to hell and then walk away with legal indemnification and still keep their job when things eventually go to pot.
READY.
PRINT ""+-0
We need to find a way to properly incentivize security as its own end, because as I have noticed in my career, getting security resources is like pulling teeth, until someone threatens a suit or seriously damages the reputation of the company. Even then, it is usually more for window dressing.
I put in bold what might be the right way to go about it--though I'd suggest having it be criminal charges, so nobody actually has to prove they specifically got harmed, merely that the data breach happened and neglect either made it possible or made it worse. You might also make the degree of liability in civil court reflect the degree of effort put into practical security measures--a company that kept the sensitive data it had to the bare minimum & well-secured would be held less liable on the basis that they did try, while one that was a hoarder of sensitive data stored in plaintext out in the open would get slammed...regardless of the verifiable damage caused to those whose data got exposed.
The big problem is that data loss is an externality that it is not being priced by the market. So let's have government put a price on it. Pick a number. Five dollars? Ten dollars? Fifty cents? For every person's personal information the company loses, they pay a fine of the mandated amount. Make it treble for social security numbers. Problem solved. Yahoo pays out a cool $250 million, even at 50 cents a pop.
I remember back in the mid to late 90's, many companies viewed I.T. as much more than "overhead". In some cases, it was pretty understandable. They literally brought businesses to whole new levels of efficiency by eliminating paper and pencil methods of handling customer orders, inventory and more.
When you first started giving everyone personal computers as business tools just as essential as the telephones on their desks, you created a massive shift in the way business was conducted. Nobody but internal I.T. (or paid I.T. workers coming in on an hourly basis) were responsible for implementing that.
The problem is, there was an expectation that somehow, I.T. staff would keep coming up with more amazing ways to re-imagine or refine the business to make it more profitable and efficient. And increasingly, that STOPPED happening as the people employed in I.T. found themselves bogged down in just keeping the existing infrastructure functioning and keeping employees trained to use it.