
Sad reality: It's cheaper to get hacked than build strong IT defenses - jazzyb
http://www.theregister.co.uk/2016/09/23/if_your_company_has_terrible_it_security_that_could_be_a_rational_business_decision/
======
Noseshine
Why is that "sad"? Nature has gone the same path. We have basic defenses that
are "on" all the time (passive immune system - nonspecific), and we have an
adaptive response that reacts to what actually happens to us, which also means
threats we actually encounter will be recognized and fought more quickly and
better in the future. Or houses - having lived in the US, those front doors
are at least an order of magnitude less secure than any German front door, but
even those are not really able to keep out any determined intruder.

Why should we mount a very expensive all-out defense against a lot of
perceived threats? It's similar to " _every_ child (programmer, etc.) MUST
know this!". Making demands is easy. If people don't care there probably is a
deeper reason. Yes, the heuristic gets it wrong, that's why it's a heuristic,
but that it is one in the first place also has similar reasons.

It sure is possible to criticize a concrete company for concrete problems, but
the blanket statement of the headline is not useful.

~~~
Bartweiss
The problem is that this isn't about saving money _overall_. Users pay the
primary costs of the company's security errors, so it's a moral hazard
problem.

Right now, companies that lose data don't pay any costs at all until
afterwards, and those costs are usually minimal. The reputational damage is
reduced because no one knows until (well) after the breach, and any financial
info lost is consumer credit cards rather than corporate accounts. Yes, users
sometimes get free identity theft monitoring, but those services are quite
cheap to account for the fact that they don't actually _work_.

More specifically, this is asymmetric information and therefore the market
can't adjust for it. When Yahoo loses my data, will my passwords be salted and
well-hashed? How could I possibly know in advance? Consumers aren't making
privacy and risk choices, they're using the internet as best they can and
getting repeatedly burned for it.

If you want a clear contrast, companies are enormously concerned about
"whaling" attacks, and are working hard to prevent them. Those attacks take
corporate money in real time, so the costs are properly factored in. Moral
hazard is inherently about broken cost-benefit measurement.

~~~
mahyarm
The real problem is most payments & identity are pull vs push and the username
is the password. If they were push, then there wouldn't be customer payment
information to steal in the first place. All that would be taken would be
personal shipping addresses, and those are mostly public as it is already.

Same with social security numbers and identity in general.

Solving the root cause in this case, though, was decided not to be a good idea
by the infrastructural organizations. Eating the fraud is cheaper than putting
up barriers to payments.

If fraud liability was moved 100% to banks, payment providers and governments,
we would see the problem fixed pretty quickly.

------
peterbonney
One reason it's true is because companies only measure actual cost, not
opportunity cost. How much did it cost Yahoo to have every tech-savvy person
in the world switch to Gmail because of Yahoo's lousy (and Google's excellent)
security infrastructure? Where the tech-savvy go, the tech-unsavvy often
follow. As they did with Gmail.

But lost revenue opportunities don't show up in the bottom line, so cost-
focused managers don't think about them. And they conclude it's "cheaper" to
not invest in this or that thing that their smarter competitors are doing.

"What gets measured gets managed." People think this (apocryphal) Drucker quote
is advice. It is not advice. It's a warning.

~~~
richmarr
Not sure I agree that it was Google and Yahoo's respective security
architecture that caused people to switch, even tech-savvy people.

~~~
peterbonney
Sure. But all the things Gmail offered were things that probably looked like
lousy investments to Yahoo. Why offer more storage? Why have better spam
filtering? Why have better security? It all costs money!!!

The point is only looking at actual cost, not opportunity cost.

~~~
richmarr
Yep. Good clarification.

------
vfxGer
I am sick of seeing headlines about teenager hacker being put in jail. It's
not because they are geniuses it's because of poor IT defense. The companies
should be severely fined for criminal negligence.

~~~
saiya-jin
I get what you mean, but poor defense ain't no excuse to hack the hell out of a
company, neither legally nor morally. Plus I don't buy the notion that some
teenager had no clue that what he was doing would harm others' livelihood (if
yes, then he should go through psychiatric evaluation).

If I don't put a 3m electric fence with automatic sentry guns around my whole
hypothetical house and land, does it mean everybody is automatically invited
to freely try to break in, do damage, steal my stuff or post my private and
legal data online for others?

The state should have better use for these guys, but there should definitely be
punishment, not reward in any way. That's how all countries run these days.

~~~
thr0waway1239
I am not sure the analogy is very accurate. You do not advertise your house as
a place where other people can come and freely store their valuables and then
take it out as they please.

If you did, there is a name for what you have built: a bank. And you can be
pretty sure people then will not have any issues with whatever security
measures you take. Most of all, your cost of security installation is now
covered by other people's money, which effectively gives you very precise
calculations on what exactly you can and cannot spend. You are more than free
to return the money and shut down shop if you feel you are in a completely
unsafe neighborhood which makes your bank impossible to run at a profit.

To stretch this point a little further, imagine you did have a bank, and your
customer comes and demands to take their money out, and you say "Oops. I had
just left it out here on this desk, and when I went to pee, a kid just came in
and ran out with all your money. I feel bad for you, but the cost of moving
the stuff back and forth between front desk and the vault would make the
service unprofitable. It's not my fault, it's all these children in the
neighborhood who keep pranking me".

The lowered barriers to hacking, combined with an ever moving target for what
constitutes good security, are genuine concerns. But as a company, you are
expected to shoulder the burden of security as a precondition of making the
claim that you provide a good service. One way or another, people actually pay
you to take care of their data as part of the service.

~~~
posterboy
> You do not advertise your house as a place where other people can come and
> freely store their valuables

A house offers protection, no doubt about it and anyone but a social recluse
will potentially offer it to others, although not foreigners. You are
certainly not trying to say negligence would be OK as long as it concerns
foreigners.

------
nickpsecurity
I think this article is making a decent point but with bad data. We know of
many cases where the cost of insecurity drastically outweighed the cost of
basic security. The most obvious is banking where no security would drain all
their money. So, they combine prevention, detection, auditing, and computers
hackers can't afford to keep losses manageable. Another example of putting a
number on it is the Target hit that, in the last article I read, was something
like $100+ million in losses. Let's not even get to the scenario where they start
targeting power plants or industrial equipment whose management foolishly
connected to the net.

It also helps to look at the other end: minimum cost to stop most problems.
Australia's DSD said that just patching stuff and using whitelisting would've
prevented 75% of so-called APTs in their country. Throw in MAC-enabled Linux,
OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe
languages, VPNs by default, sanest configuration by default, and so on.
Residual risk gets _tiny_. What I just listed barely costs anything. Apathy,
which the article acknowledges, is the only explanation.

A nice example was the PlayStation Network hack. I didn't expect them to spend
much on security. I also didn't expect it to come down to having no firewall
(they're free) in front of an Apache server that was unpatched for six months
(patches are free). That this level of negligence is even legal is the main
problem.

------
hannob
I wonder if one of the problems is that the focus is too much on costs.

What I see all the time in IT security is that for many people doing security
means spending lots of money on products with highly questionable promises.
It's very doubtful that many of the security appliances you can see at RSA or
Black Hat do any good, in many cases they add additional risks. But the
industry is selling a story that the more boxes you buy and put in front of
your network the better.

For a lot of companies there are very cheap things they could do to improve
their security. This starts with such simple things as documenting on the
webpage who outside security researchers should contact if they think they
found an issue in the company's infrastructure.

So I have quite some doubts that the formula "spending more on security ==
better security" holds.

------
lagadu
It's sad because it's true. In 2018 the data protection EU regulation gets put
into play though, which might change that partially by effectively increasing
the cost of losing control of data.

~~~
sarnowski
For reference:
https://en.m.wikipedia.org/wiki/General_Data_Protection_Regulation

This directive will drastically increase fines for data leaks in the EU.

------
marmot777
Everybody's probably seen this but please more forcing companies to
internalize their externalities. More law suits, please. I never thought I'd
say that.
http://www.scmagazine.com/class-action-lawsuit-filed-against-noodles-company-over-breach/article/521276/

------
nathanaldensr
"Cheaper" is not including the full cost of compromised data. Compromises
don't only affect companies' bottom lines, but also those who were
compromised. The costs to individuals are undoubtedly much harder to quantify.

~~~
enraged_camel
I totally agree, but I think in this case they are saying it's cheaper _for
the company_ , which is what really matters in this context (since they're
comparing it to how much the company would pay for security).

I mean, if the company's website gets hacked and your credit card data is
stolen, then your card is charged $1,000, it's not the company that pays for
it, right? You either talk to your bank to mark the purchase as fraudulent and
get the charges reversed, or pay for it yourself (e.g. if it's a debit card).

Perhaps that's the solution though: a way to directly associate fraudulent
purchases with security breaches where credit card data has been stolen, and a
law that requires the breached party to pay all expenses related to that
fraud. _That_ would get all major retailers scrambling to get their shit
secured.

~~~
nathanaldensr
Good point about what the article was comparing. I missed that.

I guess I'm just sour that articles like this tend to gloss over what is often
the most important impact of a security breach--the end-users' data and
privacy--and instead focus on easy-to-report numbers.

------
nmgsd
I'm not so sure it's cheaper. The business cost can be enormous. See the
Target breach, which led to FIRING the CEO. And Yahoo, which may have their
deal with Verizon at risk now due to the latest breach.

------
bikamonki
That is why as a sole dev I no longer offer full-stack solutions: clients
simply do not want to pay for the hours it takes to keep their back-ends
monitored and secured. Yet, dynamic data is mostly inevitable in any modern
web solution so I am increasingly relying on BAAS providers. My gamble is that
it should be easier/cheaper for BAAS providers to maintain a team of
knowledgeable and experienced engineers to tend infrastructure that runs
several back-ends. It seems like a natural step from _hey I trust you can run
my hardware take my money_ to _hey I trust you can manage my data take my
money_.

------
jrochkind1
I think it's possible the global economy literally could not take the expense
of actually making everything secure.

~~~
raesene6
Definitely not if it was implemented in a big-bang, but a more gradual
approach might work.

The counterpoint of what will the costs be if we carry on with the current
level of security and drive IT systems more into everyone's lives has to be
considered too.

------
teekert
Yes, you notice it when you deal with sites where bad security can be costly,
like on a (bit)coin exchange (i.e. Bittrex). You get an email at every
successful login, 2FA is encouraged from the start, enabling the API keys
requires 2FA, Google reCAPTCHA at every login, logout as soon as you close the
browser, API keys with different levels of functionality, API requires SHA512
hashing of API key and API code and a time fingerprint. It's pretty refreshing
to be honest.
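The last item in that list, a SHA512 signature over the API key plus a time fingerprint, is the general pattern of HMAC request signing with a freshness check. The following is an added example of that pattern written from the verifying side, not Bittrex's code or its actual scheme: the header names, the canonical string layout, the 30-second acceptance window and the credentials are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlencode

# Constructed credentials; a real service issues a key id and secret per account.
API_KEY = "example-key-id"
API_SECRET = b"example-secret-do-not-reuse"
MAX_SKEW_SECONDS = 30  # assumed window in which a timestamp is still accepted


def canonical_string(method: str, path: str, params: Dict[str, str],
                     timestamp: str, nonce: str) -> str:
    """The exact bytes both sides sign: method, path, sorted query, time, nonce.
    Binding the timestamp and nonce into the MAC is what lets the server reject
    stale or replayed requests instead of only forged ones."""
    query = urlencode(sorted(params.items()))
    return "\n".join([method.upper(), path, query, timestamp, nonce])


def sign_request(method: str, path: str, params: Dict[str, str],
                 api_key: str = API_KEY, secret: bytes = API_SECRET,
                 now: Optional[float] = None) -> Dict[str, str]:
    """Client side: compute the headers that accompany one request."""
    timestamp = str(int(time.time() if now is None else now))
    nonce = os.urandom(8).hex()  # unique per request, so two calls in one second differ
    message = canonical_string(method, path, params, timestamp, nonce).encode("utf-8")
    signature = hmac.new(secret, message, hashlib.sha512).hexdigest()
    return {"apikey": api_key, "timestamp": timestamp, "nonce": nonce, "apisign": signature}


# Server-side state: secrets by key id, and the nonces already accepted.
SERVER_SECRETS: Dict[str, bytes] = {API_KEY: API_SECRET}
_seen_nonces: Set[Tuple[str, str]] = set()


def verify_request(method: str, path: str, params: Dict[str, str],
                   headers: Dict[str, str], now: Optional[float] = None,
                   seen: Optional[Set[Tuple[str, str]]] = None) -> Tuple[bool, str]:
    """Server side: accept only a fresh, unreplayed, correctly signed request."""
    seen = _seen_nonces if seen is None else seen
    now = time.time() if now is None else now
    api_key = headers.get("apikey", "")
    secret = SERVER_SECRETS.get(api_key)
    if secret is None:
        return False, "unknown api key"
    timestamp = headers.get("timestamp", "")
    if not timestamp.isdigit() or abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return False, "stale or malformed timestamp"
    nonce = headers.get("nonce", "")
    if (api_key, nonce) in seen:
        return False, "replayed nonce"
    message = canonical_string(method, path, params, timestamp, nonce).encode("utf-8")
    expected = hmac.new(secret, message, hashlib.sha512).hexdigest()
    # compare_digest avoids leaking how many leading bytes matched via timing
    if not hmac.compare_digest(expected, headers.get("apisign", "")):
        return False, "bad signature"
    seen.add((api_key, nonce))  # record only after the signature checked out
    return True, "ok"


if __name__ == "__main__":
    params = {"market": "BTC-ETH", "quantity": "1"}
    headers = sign_request("GET", "/api/v1/order", params)
    print(verify_request("GET", "/api/v1/order", params, headers))  # (True, 'ok')
    print(verify_request("GET", "/api/v1/order", params, headers))  # (False, 'replayed nonce')
```

Two details carry the security value: the nonce set is only written after a signature verifies, so an unauthenticated sender cannot fill it with junk, and the timestamp window bounds how long that set has to be kept (entries older than the window can be dropped, which the example omits for brevity). Note the secret never crosses the wire; only the key id and the MAC do.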

~~~
joosters
Seriously? Bitfinex was the latest, greatest bitcoin business with a security
breach, and they just pushed the losses onto their customers. Bad security at
bitcoin exchanges does not generally affect the company itself, but the users.

~~~
petertodd
Volume at Bitfinex has gone _way_ down; bad security is definitely costing
them in lost business. Equally, how could those losses not get pushed onto
customers? They were larger than the assets the company had available.

Bitcoin services aren't a good example here - they're very different than data
breaches. If anything, they're a rare example of a case where hacks usually do
lead to the destruction of the company; that Bitfinex wasn't killed
immediately is an exception, not the norm.

------
cmurf
Yahoo customers are advertisers, not people with email accounts. Account
holders are just a resource, and in aggregate I'm willing to bet most won't
know what this hack means to them, even if they learn about it. What are the
chances they lose 30% or more of this resource, users terminating their
accounts? The stock price suggests the account holders don't care or have no
meaningful recourse.

------
jbb555
Well physical security is the same. You could make your house entirely thief
proof but nobody does because the cost isn't worth it.

------
hoodunit
Part of the issue is that legally in the U.S. a) privacy violations are
usually punishable by law only if a specific non-privacy harm comes of it and
b) privacy is treated as an individual right and not a societal good. If a
company gets hacked and loses your credit card and bank information afaik it's
punishable only if someone actually fraudulently uses the information. It's up
to individuals to jointly complain about specific damages to effect changes,
and for any given individual there's little incentive to make your own life
difficult for vague potential benefits. Also in most cases the individual harm
is quite small, even if in aggregate or viewed as a societal harm there is
huge damage.

------
bagacrap
I found this to be true of securing my house. I had several break-ins and the
total cost (mostly repairs) was still far less than the cost of installing an
alarm system, to speak nothing of paying for police response to false alarms.

~~~
a3n
Is there an emotional cost?

------
rbc
I think a lot of these problems could be nipped in the bud by more aggressive
code auditing and patch management. It's better to start with fewer zero-day
vulnerabilities. Once the zero-day exploits are out there, you have to act to
mitigate them. Another way to think about it is to compare it to home
construction.

You have to use good building materials to start. After the house is built,
you get into the decision cycle of maintaining, repairing or replacing the
home.

------
sandworm101
Sadder reality: This principle has been extended by many CEOs to justify not
doing _any_ security. The OP speaks of the costs of running a top-notch
system. That's expensive. But please do something. Something more than just
relying on your head of IT and your web designer. Read the Ashley Madison
report by the Canadian privacy commissioner. A supposed unicorn and they were
doing nothing.

------
sabujp
Has your identity been stolen? If so, were you able to determine if a large
scale hack was the cause of that? Then were you able to go back and sue that
company for your losses? You probably don't even have much recourse, i.e. it's
cheaper for you to try to fix your own stolen identity issue than to sue the
company that got hacked for remuneration.

------
devonkim
All we have to know that it really doesn't matter to the business world
despite all the drama in corporate IT over security (if that) is that Apple,
Target, and Home Depot are having great quarters after their security breaches
so any consumer backlash is materially ineffective even if people do care -
not _enough_ care.

------
josaka
This may change as the plaintiff's bar gets more sophisticated. Many probably
remember the Home Depot data breach a few years ago. The card issuers brought
a class action against HD and the complaint (under MDL No. 14-02583-TWT) reads
like a nice treatise on causes of action in various states implicated by a
breach.

------
emodendroket
I feel like a lot of our problems would go away if companies faced penalties
with teeth for losing customer information.

------
tlogan
Now people ask why Oracle is still around? And this is the answer.

At least companies have somebody (with $$) to sue when security breach
happens.

I'm really confused by the following: 1) people want free services and 2) people
want extra security.

The above is like getting a free home security system and then complaining that
the alarm does not work consistently.

------
jdc0589
Unless you work in an industry that deals with fairly private and regulated
data, but aren't a huge company with tons and tons of cash to burn. Then you
are horrendously screwed.

The hardened security infrastructure is still extremely expensive to implement
and maintain. You can't just deal with breaches because the fines (straight
from Uncle Sam) can be huge relative to your profits. Even if the fines
weren't bad enough at face value, you aren't a huge corporate giant, so
customer churn after a bad enough breach is going to be worse than it would be
for a bigger/older company. You are also paying large insurance premiums that
don't even fully cover the fallout of a potential breach.

------
lgleason
It's actually the tip of the iceberg. Given that there is no standard of care
and that there is no barrier to entry to being a software developer there are
a lot of things that are poorly done in this industry. Security is just one of
them. With that being said I've seen a lot of security people go overboard
with security and not take the other factors into account, i.e. security people
trying to prevent the CEO from having access to resources, or adding in
policies that cost more to implement than the cost of the threat etc.

------
pjmlp
You see this in users as well.

I don't monitor the Apple forums nowadays, but it was common in the early
switcher days to have people asking how to disable UNIX security and make it
work just like Windows 9x.

------
KirinDave
Unleeeeessssss you are a bank.

The costs of intrusions against financial institutions are seldom fully
understood by people outside the industry but represent a lot of ongoing
costs.

------
cowardlydragon
What's even worse?

A mountain of bureaucracy that slows down everything as much as if you had
strong defenses, but is effectively as weak as bad security.

------
Raphmedia
"Oh, we just leaked the passwords of 300 0000 of our users? Too bad. Let's
make a tongue-in-cheek apology on twitter and move on!"

------
omouse
Time to start class-action lawsuits and force IT companies to at least buy
_insurance_.

