Sad reality: It's cheaper to get hacked than build strong IT defenses

Why is that &quot;sad&quot;? Nature has gone the same path. We have basic defenses that are &quot;on&quot; all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us, which also means threats we actually encounter will be recognized and fought more quickly and better in the future. Or houses - having lived in the US, those front doors are at least an order of magnitude less secure than any German front door, but even those are not really able to keep out any determined intruder.<p>Why should be mount a very expensive all-out defense against a lot of perceived threats? It&#x27;s similar to &quot;<i>every</i> child (programmer, etc.) MUST know this!&quot;. Making demands is easy. If people don&#x27;t care there probably is a deeper reason. Yes, the heuristic gets it wrong, that&#x27;s why it&#x27;s a heuristic, but that it is one in the first place also has similar reasons.<p>It sure is possible to criticize a concrete company for concrete problems, but the blanket statement of the headline is not useful.

One reason it&#x27;s true is because companies only measure actual cost, not opportunity cost. How much did it cost Yahoo to have every tech-savvy person in the world switch to Gmail because of Yahoo&#x27;s lousy (and Google&#x27;s excellent) security infrastructure? Where the tech-savvy go, the tech-unsavvy often follow. As they did with Gmail.<p>But lost revenue opportunities don&#x27;t show up in the bottom line, so cost-focused managers don&#x27;t think about them. And they conclude it&#x27;s &quot;cheaper&quot; to not invest in this or that thing that their smarter competitors are doing.<p>&quot;What gets measure gets managed.&quot; People think this (apocryphal) Drucker quote is advice. It is not advice. It&#x27;s a warning.

I am sick of seeing headlines about teenager hacker being put in jail. It&#x27;s not because they are geniuses it&#x27;s because of poor IT defense. The companies should be severely fined for criminal negligence.

I think this article is making a decent point but with bad data. We know of many cases where the cost of insecurity drastically outweighed the cost of basic security. The most obvious is banking where no security would drain all their money. So, they combine preventing, detection, auditing, and computers hackers can&#x27;t afford to keep losses manageable. Another example on putting a number on it is the Target hit that, in last article I read, was something like $100+ million in losses. Lets not even get to scenario where they start targeting power plants or industrial equipment whose management foolishly connected to net.<p>It also helps to look at the other end: minimum cost to stop most problems. Australia&#x27;s DSD said that just patching stuff and using whitelisting would&#x27;ve prevented 75% of so-called APT&#x27;s in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w&#x2F; NoScript, custom apps in safe languages, VPN&#x27;s by default, sanest configuration by default, and so on. Residual risk gets <i>tiny</i>. What I just listed barely cost anything. Apathy, which the article acknowledges, is only explanation.<p>A nice example was Playstation Network hack. I didn&#x27;t expect them to spend much on security. I also didn&#x27;t expect it to come down to having no firewall (they&#x27;re free) in front of an Apache server that was unpatched for six months (patches are free). That this level of negligence is even legal is the main problem.

I wonder if one of the problems is that the focus is too much on costs.<p>What I see all the time in IT security that for many people doing security means spending lots of money on products with highly questionable promises. It&#x27;s very doubtful that many of the security appliances you can see at RSA or Black Hat do any good, in many cases they add additional risks. But the industry is selling a story that the more boxes you buy and put in front of your network the better.<p>For a lot of companies there are very cheap things they could do to improve their security. This starts with such simple things as documenting on the webpage who outside security researchers should contact if they think they found an issue in the companies infrastructure.<p>So I have quite some doubts that the formula &quot;spending more on security == better security&quot; holds.

It&#x27;s sad because it&#x27;s true. In 2018 the data protection EU regulation gets put into play though, which might change that partially by effectively increasing the cost of losing control of data.

Everybody&#x27;s probably seen this but please more forcing companies to internalize their externalities. More law suits, please. I never thought I&#x27;d say that. <a href="http:&#x2F;&#x2F;www.scmagazine.com&#x2F;class-action-lawsuit-filed-against-noodles-company-over-breach&#x2F;article&#x2F;521276&#x2F;" rel="nofollow">http:&#x2F;&#x2F;www.scmagazine.com&#x2F;class-action-lawsuit-filed-against...</a>

&quot;Cheaper&quot; is not including the full cost of compromised data. Compromises don&#x27;t only affect companies&#x27; bottom lines, but also those who were compromised. The costs to individuals are undoubtedly much harder to quantify.

I&#x27;m not so sure it&#x27;s cheaper. The business cost can be enormous. See the Target breach, which led to FIRING the CEO. And Yahoo, which may have their deal with Verizon at risk now due to the latest breach.

That is why as a sole dev I no longer offer full-stack solutions: clients simply do not want to pay for the hours it takes to keep their back-ends monitored and secured. Yet, dynamic data is mostly inevitable in any modern web solution so I am increasingly relying on BAAS providers. My gamble is that it should be easier&#x2F;cheaper for BAAS providers to maintain a team of knowledgeable and experienced engineers to tend infrastructure that runs several back-ends. It seems like a natural step from <i>hey I trust you can run my hardware take my money</i> to <i>hey I trust you can manage my data take my money</i>

I think it&#x27;s possible the global economy literally could not take the expense of actually making everything secure.

Yes, you notice it when you deal with sites where bad security can be costly, like on a (bit)coin exchange (i.e. Bittrex). You get an email at every successful login, 2FA is encouraged from the start, enabling the API keys requires 2FA, Google reCAPTCHA at every login, logout as soon as you close the browser, api keys with different levels of functionality, API requires SHA512 hashing of API key and API code and a time fingerprint. It&#x27;s pretty refreshing to be honest.

Yahoo customers are advertisers, not people with email accounts. Account holders are just a resource, and in aggregate I&#x27;m willing to bet most won&#x27;t know what this hack means to them, even if they learn about it. What are they chances they lose 30% or more of this resource, users terminating their accounts? The stock price suggests the account holders don&#x27;t care or have no meaningful recourse.

Well physical security is the same. You could make your house entirely thief proof but nobody does because the cost isn&#x27;t worth it.

Part of the issue is that legally in the U.S. a) privacy violations are usually punishable by law only if a specific non-privacy harm comes of it and b) privacy is treated as an individual right and not a societal good. If a company gets hacked and loses your credit card and bank information afaik it&#x27;s punishable only if someone actually fraudulently uses the information. It&#x27;s up to individuals to jointly complain about specific damages to effect changes, and for any given individual there&#x27;s little incentive to make your own life difficult for vague potential benefits. Also in most cases the individual harm is quite small, even if in aggregate or viewed as a societal harm there is huge damage.

I found this to be true of securing my house. I had several break ins and the total cost (mostly repairs) was still far less than the cost of installing an alarm system, to speak nothing of paying for police response to false alarms.

I think a lot of these problems could be nipped in the bud by more aggressive code auditing and patch management. It&#x27;s better to start with fewer zero-day vulnerabilities. Once the zero-day exploits are out there, you have to act to mitigate them. Another way to think about it is to compare it to home construction.<p>You have to use good building materials to start. After the house is built, you get into the decision cycle of maintaining, repairing or replacing the home.

Sadder reality: This principal has been extended by many CEOs to justify not doing <i>any</i> security. The OP speaks of the costs of running a top-notch system. That&#x27;s expensive. But please do something. Something more than just relying on your head of IT and your web designer. Read the Ashley-madison report by the canadian privacy commissioner. A supposed unicorn and they were doing nothing.

Has your identity been stolen? If so, were you able to determine if a large scale hack was the cause of that? Then were you able to go back and sue that company for your losses? You probably don&#x27;t even have much recourse, i.e. it&#x27;s cheaper for you to try to fix your own stolen identity issue than to sue the company that got hacked for renumeration.

All we have to know that it really doesn&#x27;t matter to the business world despite all the drama in corporate IT over security (if that) is that Apple, Target, and Home Depot are having great quarters after their security breaches so any consumer backlash is materially ineffective even if people do care - not <i>enough</i> care.

This may change as the plaintiff&#x27;s bar gets more sophisticated. Many probably remember the Home Depot data breach a few years ago. The card issuers brought a class action against HD and the complaint (under MDL No. 14-02583-TWT) reads like a nice treatise on causes of action in various states implicated by a breach.

I feel like a lot of our problems would go away if companies faced penalties with teeth for losing customer information.

Now people ask why Oracle is still around? And this is the answer.<p>At least companies have somebody (with $$) to sue when security breach happens.<p>I&#x27;m really confused with following: 1) people want free services and 2) people want extra security<p>The above is like getting free home security system and then complaining how alarm do not work consistently.

unless you work in an industry that deals with fairly private and regulated data, but aren&#x27;t a huge company with tons and tons of cash to burn. Then you are horrendously screwed.<p>The hardened security infrastructure is still extremely expensive to implement and maintain. You can&#x27;t just deal with breaches because the fines (straight from Uncle Sam) can be huge relative to your profits. Even if the fines weren&#x27;t bad enough at face value, you aren&#x27;t a huge corporate giant, so customer churn after a bad enough breach is going to be worse than it would be for a bigger&#x2F;older company. You are also paying large insurance premiums that don&#x27;t even fully cover the fallout of a potential breach.

it&#x27;s actually the tip of the ice burg. Given that there is no standard of care and that there is no barrier to entry to being a software developer there are a lot of things that are poorly done in this industry. Security is just one of them. With that being said I&#x27;ve seen a lot of secruity people go overboard with security and not take the other factors into account. IE: security people trying to prevent the CEO from having acccess to resources, or adding in policies that cost more to implement than the cost of the threat etc..

You see this in users as well.<p>I don&#x27;t monitor the Apple forums nowadays, but it was common in the early switcher days to have people asking how to disable UNIX security and make it work just like Windows 9x.

Unleeeeessssss you are a bank.<p>The costs of intrusions against financial institutions are seldom fully understood by people outside the industry but represent a lot of ongoing costs.

What&#x27;s even worse?<p>A mountain of bureaucracy that slows down everything as much as if you had strong defenses, but is effectively as weak as bad security.

&quot;Oh, we just leaked the passwords of 300 0000 of our users? Too bad. Let&#x27;s make a tongue-in-cheek apology on twitter and move on!&quot;

Time to start class-action lawsuits and force IT companies to at least buy <i>insurance</i>.