Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses (theregister.co.uk)
It's no secret that more companies are getting hacked now than ever. Governments are getting hacked, major corporations are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer, as a report on The Register points out, is money. Even after losing a significant sum to a data breach, it can still be in a company's financial interest not to spend on upgrading its security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (i.e., shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.
People have no options in the market for strong security, otherwise they'd punish these companies in sales.
Your info is already scattered all over the Internet from previous data breaches. It's cheaper to do nothing than build infrastructure that won't add to the CEO's annual bonus.
And you can bill the hacker for the costs of fixing things even when the system had no security at all.
It's like our doors had no locks on them at all, someone broke in, and now we have to pay to install locks on the doors.
This report looks at a lot of data, but (as noted in the Limitations section) it's only what was publicly available. Lots of breaches, especially w.r.t. ransomware, go unreported. Lots of breaches go undetected and/or aren't as easily measured as money (e.g. a rival company steals your un-patented trade secrets).
However, my biggest issue with this analysis is that its conclusion makes no sense. It says that the cost of cyber breaches is roughly equal to the cost of maintaining a defense. This paper fails to account for how money spent on cyber-defense reduces the money lost to cyber-attacks. If you're advocating for a radical reduction in InfoSec, this is the (only!) figure that matters.
Information Security is important, and there is good work being done here and more work needed. Cutting the InfoSec teams down will correlate to an increase in attacks that get through. This paper seems to be suggesting that reduced InfoSec budgets will somehow also limit the damage they combat. That makes no sense.
Then the spending on security will go up.
Don't use the internet for anything business related until business gets serious about fixing the problem. These people just want their profits and, like they learned getting that MBA, the easiest way to make profits is to re-direct costs. In this case, put the costs of doing business online onto the customers. Seriously, who pays the real price when a business gets hacked and all the customer data goes walking out the door/server? The customers suffer from having their data abused; that is who suffers.
Do you trust your ISP with your bank account number, address, phone number, etc? How about your bank? Your employer? Your local utilities? How many of these types of businesses have you seen hacking reports on these past years? All of them, repeatedly, every year.
Do you remember in 1995 when the business and banking communities were warned that the internet was not designed with security in mind, but the complete opposite? Do you remember that they all just said the business opportunities were just too great to ignore and that security would naturally follow usage?
The internet is not for business; the internet is for porn!
Everything in the Universe sucks: It's the law!
It's the cloud. Did any serious security tech ever think that was a good idea.
I'm hearing about cases where companies got hit with CryptoLocker-type viruses. And it wasn't something that just happened in a 30-minute period. It was a sleeper virus that waited 72 hours before activating, which invalidates all of your recent backups. All it would take is a sleeper that takes 1 month, 6 months, etc. to activate and then bam - you're done. No good backups. No data = no company. It would be a nightmare.
"A plan fiendishly clever in its intricacies"- Homer Simpson
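A way to check the concern above against an actual backup rotation, as an added example that is not from the original post or any commenter. The rotation parameters, the dates, and the 72-hour and 180-day dormancy periods are constructed for illustration, and `retained_backups` / `surviving_clean_backups` are hypothetical helper names. It models a grandfather-father-son scheme (the last N dailies, the last N Sunday backups, the last N first-of-month fulls) and reports which of the backups still on hand at the moment the payload fires were taken before the malware landed.

```python
from datetime import date, timedelta


def daterange(start, end):
    """Every calendar day from start to end, inclusive."""
    d = start
    while d <= end:
        yield d
        d += timedelta(days=1)


def retained_backups(start, today, keep_daily, keep_weekly, keep_monthly):
    """Backup dates still on hand on `today` under a grandfather-father-son
    rotation: the last keep_daily daily backups, the last keep_weekly Sunday
    backups and the last keep_monthly first-of-month backups.  A backup is
    assumed to have been taken every day since `start` (constructed model)."""
    days = list(daterange(start, today))
    retained = set(days[-keep_daily:] if keep_daily else [])
    sundays = [d for d in days if d.weekday() == 6]
    retained.update(sundays[-keep_weekly:] if keep_weekly else [])
    firsts = [d for d in days if d.day == 1]
    retained.update(firsts[-keep_monthly:] if keep_monthly else [])
    return retained


def surviving_clean_backups(infection, dormancy_days, schedule, start):
    """The malware lands on `infection`, sleeps `dormancy_days`, then encrypts
    and is noticed the same day.  Only backups taken strictly before it landed
    are trustworthy: anything later carries the dormant payload or its output.
    Returns the clean backup dates, oldest first."""
    trigger = infection + timedelta(days=dormancy_days)
    retained = retained_backups(start, trigger, **schedule)
    return sorted(d for d in retained if d < infection)


if __name__ == "__main__":
    # Constructed scenario: backups since New Year, infection in mid-June.
    start = date(2016, 1, 1)
    infection = date(2016, 6, 15)
    three_dailies = dict(keep_daily=3, keep_weekly=0, keep_monthly=0)
    gfs = dict(keep_daily=7, keep_weekly=4, keep_monthly=12)

    # 72-hour sleeper versus three rolling dailies: nothing clean survives.
    print(surviving_clean_backups(infection, 3, three_dailies, start))
    # 180-day sleeper versus GFS with twelve monthly fulls: six clean fulls.
    print(surviving_clean_backups(infection, 180, gfs, start))
    # Same sleeper, but only three monthly fulls kept: nothing clean again.
    print(surviving_clean_backups(infection, 180, {**gfs, "keep_monthly": 3}, start))
```

Three rolling dailies are wiped out by a three-day sleeper exactly as the commenter describes; the twelve-month tier keeps six clean fulls through a 180-day sleeper, while a three-month tier keeps none. The oldest retained full has to be older than the longest dormancy you are prepared to survive, and it has to be offline so the payload cannot reach it when it fires.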
If you find a vulnerability, companies must be exposed as loudly and embarrassingly as possible. That (or legal threats) is the only thing that can stop them.
Remember, there are companies out there that still don't hash passwords.
Irresponsible disclosure is responsible
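What "not hashing passwords" hands an attacker, next to what the hashed alternative looks like, as an added example that is not the page's or any commenter's code. It uses only Python's standard library; the `pbkdf2_sha256$...` record format, the iteration count, the `crack_*` helper names and the sample user table and wordlist are this example's own constructed choices.

```python
import base64
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
ITERATIONS = 600_000


def unsalted_sha256(password):
    """The 'we do hash, honest' anti-pattern: no salt, one fast hash.
    Every account with the same password gets the same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(table, wordlist):
    """Attacker's view of a leaked {user: sha256hex} table: hash each guess
    once, build a lookup, and recover every account that used that password.
    Total work is len(wordlist) hashes regardless of how many users leaked."""
    lookup = {unsalted_sha256(w): w for w in wordlist}
    return {user: lookup[digest] for user, digest in table.items() if digest in lookup}


def hash_password(password, iterations=ITERATIONS):
    """Salted, deliberately slow hash.  Returns a self-describing record so
    the parameters can be raised later without breaking old entries."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password, record):
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed or foreign records fail closed."""
    try:
        algo, iterations, salt_b64, dk_b64 = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(dk_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def crack_salted(records, wordlist):
    """Same attack against salted records: every guess must be re-hashed for
    every account, so identical passwords no longer collapse into one lookup.
    Returns (hits, number_of_hash_evaluations)."""
    hits, work = {}, 0
    for user, record in records.items():
        for w in wordlist:
            work += 1
            if verify_password(w, record):
                hits[user] = w
                break
    return hits, work


if __name__ == "__main__":
    # Constructed sample: three users, two of them sharing a weak password.
    users = [("alice", "password1"), ("bob", "password1"), ("carol", "zebra")]
    wordlist = ["123456", "password1"]

    leaked_unsalted = {u: unsalted_sha256(p) for u, p in users}
    print("unsalted:", crack_unsalted(leaked_unsalted, wordlist))

    leaked_salted = {u: hash_password(p, iterations=1000) for u, p in users}
    print("salted:", crack_salted(leaked_salted, wordlist))
```

Weak passwords still fall in the salted case; what changes is the cost. The unsalted table is cracked with one hash per guess for the whole user base, while the salted records force one slow hash per guess per account, and a real deployment would use the full iteration count (or a memory-hard function such as scrypt or Argon2) rather than the 1000 used here to keep the demonstration quick.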
It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flout the niceties and come in anyway.
In an optimal world, the costs would balance. If you spend zero on defense, then the breaches will increase due to the lack of defense. So, spend some on defense, make it harder to breach, breaches will always be possible, so where's the sense in spending more on defense than the breaches are costing?
Now, in military systems, the potential cost of a breach is rather high...
You do need to factor in the cost to the customers, which can be quite high when you "out" 50,000 customer credit card numbers... personally, I feel that the customers should be compensated actual cost of loss plus $100 for the hassle of having to jump all the security hoops associated with a CC# change. CC companies pay more than that in advertising to get a customer to switch to their CC.
If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.
It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.
113 million dollars to fix.
49 million dollars for the death and destruction costs.
Ford chose death and destruction over the lives of customers.
To this day I won't own Ford.
http://www.popularmechanics.co...
Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves.
Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weigh the cost of spending more and more on preventive security solutions against the cost of a security breach.
Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.
And got Congress to pass a law making arbitration legally binding. SCOTUS just recently upheld it. You'll find a clause in the EULA of every service you use. You done got sold out again.
I didn't see any mention of the productivity losses incurred by heightened security either. Our VPN is so locked down it's almost impossible to get things done remotely unless you happen to work in a business unit that is permitted to use terminal servers. To this day we aren't allowed to have video conferencing with parties outside the corporate firewall. I'd estimate the productivity loss to be around 5-10% of overall effectiveness.
"A person is smart. People are dumb, panicky dangerous animals and you know it." - K
You can spend glorious tons of money on security and still get hacked. The problem is that the internet has no boundaries built in and folks are trying to hide information. If it's networked to the internet, directly or indirectly, that information can get shared. Period.
How to fix? Only information you're willing to share with the whole world should be on a system that is networked.
I disagree. There are plenty of people who can use money well. The problem is that the system rewards people who make money for the purpose of making more money. The problem here is that security is not profitable, and the downside seems to be less expensive than not covering that overhead cost.
We need to find a way to properly incentivize security as its own end, because as I have noticed in my career, getting security resources is like pulling teeth, until someone threatens a suit or seriously damages the reputation of the company. Even then, it is usually more for window dressing.
Just realize half of all penetrations are as a result of social engineering or tokens that get passed out beyond your control.
Patch: keep your servers and workstations and laptops and mobile devices patched to the latest fix. Realize the latter two have a high chance of not being, due to their nature.
Backup: keep both daily and periodic backups. Have periodic full backups offsite. Always assume people will corrupt and mess with your key files. Keep offline offsite versions of those.
Rotate: don't always do the exact same thing. If someone hacks one machine in one place, you may notice differences if you switch it up a bit.
trust: never ever ever trust senior execs.
validate: never ever ever trust senior execs. they will give away access always.
confirm: never ever ever ever trust senior execs. they will order people to let the bad guys get access to your key data always.
(i'm starting to sense a pattern here)
-- Tigger warning: This post may contain tiggers! --
More important to me than the cost of keeping out a professional thief (after all, it's only money), is the inconvenience of a bulletproof security system - that's impacting quality of life at home, and similarly impacts the efficiency of businesses that over secure their assets.
Your house is protecting YOU first and foremost. Personal security is a great comparison with corporate security. We all do reasonable measures to protect ourselves but are hardly spending a large portion of our income to do so. We all know anyone that violates our property will be dealt with by authorities. We can only ask for reasonable security and a justice system that punishes those that go beyond that. Our justice system is AWOL on hacking.
x86 and systems based on it are hopeless from a security perspective, and that is even before considering the ticking time bomb that is Intel's Management Engine. It will be exploited eventually, and it would be surprising if the NSA wasn't already compelling Intel to backdoor it.
See the Mill security architecture, for an example of how a clever architecture can eliminate the bulk of common exploit vectors, and require little more than a recompile. It isn't the only option, but I highlight the Mill because it is a fascinating and novel architecture which also addresses many other long-standing issues with conventional systems. The security mechanisms also enable performant microkernels to be built, and protection between applications and libraries.
Operating systems will require work to take advantage of the protection features, but that will benefit everyone and be well worth the investment. This is the kind of "cyber" initiative I would like to see, rather than the focus on offensive capabilities. The latter poses a direct conflict of interest with securing systems, and ensures that adversaries will stock vulnerabilities rather than share and fix them.
We've known this for ages... and I learnt about it the hard way years ago as a webmaster.
I was tasked with managing a web server, and it turned out that PHP needed an immediate update.
Without further ado, to avoid the risk of getting hacked, I went and updated PHP to the next version up.
Turns out that doing so broke a number of customer webpages that relied on some old, broken and unmaintained code; those customers then complained and whined to our company that we had threatened their businesses.
Lesson was simple: it is much easier to maintain old versions that keep things working AND DO NOTHING than to do any proactive security maintenance. This works in a number of ways.
Firstly, when you eventually get hacked IT IS NOT YOUR FAULT. It is the fault of some hacker and things will be seen that way. Blame gets shifted away from the admins anyhow.
Secondly, doing nothing is CHEAPER. It involves less risk, less change, and less responsibility. In a world where shareholders, finance and management dictate the aims of IT - you may as well fire the sysadmins because it's risky if they do any maintenance, meaning that since they're not going to do anything you may as well fire them. Just get contractors to build things to work once, then leave the systems on the internet indefinitely until they either end up getting hacked to the point of failure, or the hardware breaks down. Then rebuild the system from scratch with more contractors when that time eventuates.
That's how security patching works in the real world. In other words, it doesn't.
The thing is, it's ALL ABOUT SHIFTING BLAME in the world of IT, and IT is a risk, and it is expensive. That's why there is so much outsourcing combined with support contracts so company managers can point the finger at vendors when things go to hell and then walk away with legal indemnification and still keep their job when things eventually go to pot.