
Safety Last: Software firms' incentives to take security seriously are too weak - martincmartin
http://www.economist.com/news/leaders/21720279-incentives-software-firms-take-security-seriously-are-too-weak-how-manage
======
YCode
One message I hear repeatedly from cyber security pros is their organizations
claim security is critical... That is, until you show them the price tag.

So long as they aren't willing to commit resources to security and they aren't
held accountable for breaches, this trend will basically continue.

~~~
ksk
Yes, security is a practical reality and firms should be spending more on it.
But I don't quite understand the victim blaming. Why should a company that
gets attacked be held accountable?

~~~
Eridrus
Because their negligence results in harm to entities other than the company.

Often to the firm's customers, either because the firm directly lost control
of private data or because their customers got hacked through their software.

~~~
ksk
I don't follow. Are you saying that a company should be blamed for flaws in
products which they simply purchased?

~~~
milesrout
If you provide a product or service to your customers you are entirely
responsible for it.

If I buy a laptop and it craps out I don't send it back to the manufacturer, I
take it back to the retailer.

~~~
blackflame7000
Let's say I buy a RaspberryPi for use in an IoT product and then it comes out
that there is a flaw in Broadcom's Wifi SoC. Whose fault is that?

~~~
Eridrus
It's everyone's fault; the question is whether RPi or Broadcom were negligent
or not, which has its own legal standard already.

~~~
milesrout
Whether it's the fault of RPi or Broadcom is a matter for Broadcom and RPi,
not the retailer of the RPi or the end-user.

------
ksk
I think security in general has gotten so bad that keeping things secure by
putting them under lock and key is much more practical than using any of the
myriad different useless security products that claim to protect you.

~~~
jaypaulynice
Security hasn't gotten any worse than it's been. It's much more visible now,
and all systems are practically connected through APIs.

Lack of security knowledge is the problem, I think. In fact, most companies
that are hacked don't know it and don't have the knowledge to detect and
mitigate the attacks.

Security was much worse in the early 2000s with dial-up.

Also don't forget about social engineering...that's a bigger concern than
physical hacks...

~~~
ksk
Well, it depends on how you look at it. Today we have many more devices
connected to the internet, and like you mentioned, the interconnected nature
of devices increases the surface area for exploits (and other non-exploits
like denial of service attacks). Also, back in the day the people using
computers were savvier about tech in general, making the whole situation
much worse IMO.

------
jaypaulynice
This is the reason we're working on RESTfender
[https://restfender.co](https://restfender.co). We're in semi-stealth mode but
more to come soon!

~~~
SteveNuts
That 4MB background image though

~~~
jaypaulynice
Haha...the original is 12MB. I reduced it to 1MB...it's hard to keep the
details if the image is any smaller...

