Sad Reality: It's Cheaper To Get Hacked Than Build Strong IT Defenses

It's no secret that more companies are getting hacked now than ever. The government is getting hacked, major corporate companies are getting hacked, and even news outlets are getting hacked. This raises the obvious question: why aren't people investing more in bolstering their security? The answer is, as a report on The Register points out, money. Despite losing a significant sum of money on a data breach, it is still in a company's best interest to not spend on upgrading their security infrastructure. From the report: A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency and cost of IT security failures in US businesses and found that the cost of a break-in is much lower than thought -- typically around $200,000 per case. With top-shelf security systems costing a lot more than that, not beefing up security looks in some ways like a smart business decision. "I've spent my life in security and everyone expects firms to invest more and more," the report's author Sasha Romanosky told The Reg. "But maybe firms are making rational investments and we shouldn't begrudge firms for taking these actions. We all do the same thing, we minimize our costs." Romanosky analyzed 12,000 incident reports and found that typically they only account for 0.4 per cent of a company's annual revenues. That compares to billing fraud, which averages at 5 per cent, or retail shrinkage (ie, shoplifting and insider theft), which accounts for 1.3 per cent of revenues. As for reputational damage, Romanosky found that it was almost impossible to quantify. He spoke to many executives and none of them could give a reliable metric for how to measure the PR cost of a public failure of IT security systems.

The power of a concentrated marketplace

People have no options in the market for strong security, otherwise they'd punish these companies in sales.

Re: The power of a concentrated marketplace

[vux984]

The loss of reputation has a direct impact on revenue.

And how much were you paying them before?

Even the summary mentions the companies are having a hard time quantifying the costs of lost PR.

Just ask yahoo. I trust them even less now.

And how much is your trust worth to yahoo? How much money were they getting from you before? How much now?

Most people don't really seem that affected by breaches. Hell, I would have thought the breach at Ashley Madison would have done them completely in on reputation loss alone...

Re:Bottom line...

[alvinrod]

If valuable information wasn't being stored in plain-text or otherwise easily accessible it wouldn't matter. The ideal solution is to avoid storing sensitive user information that isn't needed whenever possible and encrypt if you absolutely must store something sensitive (medical records, etc.) because the reality is that no matter how much you spend on defense, it only takes one successful attack to render it all pointless. Further, even with exceptionally secure software, it's often a weakness in the humans maintaining it or overseeing it that leads to a successful attack.

It's safest to assume that no matter how good your security, someone will eventually break through. As such, any sensitive user data should be encrypted so that it's not feasible for it to be exploited or used nefariously by the hackers who broke in. Everything else is just mitigating risk or delaying attackers. A locked door or alarm system won't stop a truly dedicated burglar, but it will make most look for another target or make it easier for them to slip up during the process in some way that leads to finding them.

Re:And you can bill the hacker the costs to fix st

[JoeMerchant]

It is also cheaper (and usually more pleasant) to live in houses with breakable glass windows and pickable locks, and just prosecute the burglars who flaunt the niceties and come in anyway.

Then they need an incentive

[somenickname]

If it's truly the case that it's cheaper to let data breaches happen than to protect against them, then some sort of incentive (or, punishment) needs to be put into place to change that situation. This is one of the few areas where government intervention is actually warranted: When something is not in the best interest of corporations but is very much in the best interest of citizens.

It's probably cheaper to let factory workers die on the job than it is to put all the safety measures in place to ensure they don't. Yet corporations put those safety measures in place anyway. They don't do it out of fondness of the workers, they do it because the government will shut them down if they don't.

Two words: "Ford Pinto"

[buss_error]

113 million dollars to fix.
49 million dollars for the death and destruction costs.
Ford chose death and destruction over the lives of customers.

To this day I won't own Ford.

http://www.popularmechanics.co...

It's not just a cost issue.

[nuckfuts]

Having tried the preventive approach on computer security for years, I came to the reluctant conclusion that it's a losing game. In every business scenario I've dealt with, it is simply impossible to protect against every threat and every zero-day exploit that comes down the pipe. Software patching, firewalls, antivirus, specialized appliances, you name it - they all have their limitations. You can protect against any number of possible exploits, but if only one gets through, you lose. So businesses must weight the costs spending more and more on preventive security solutions versus the cost of a security breach.

Obviously the implications of a breach are more severe for some businesses than others, but in many cases I deal with it makes more sense to focus on a good recovery solution rather than focussing mainly on prevention.