Sad reality: It's cheaper to get hacked than build strong IT defenses

Whenever mega-hacks like the Yahoo! fiasco hit the news, inevitably the question gets asked as to why the IT security systems weren't good enough. The answer could be that it's not in a company's financial interest to be secure. A study by the RAND Corporation, published in the Journal of Cybersecurity, looked at the frequency …

  1. Anonymous Coward

    Sadly very true

    Get hacked and virtually no impact to reputation or share price.

    Compare it to the cost of doing secure IT and yet again the fucking bean-counters chose the low cost option and fuck those impacted by the breach.

    1. Doctor Syntax Silver badge

      Re: Sadly very true

      "Get hacked and virtually no impact to reputation or share price."

      The Yahoo hack might raise the share price. 500m addresses! Who knew?

    2. R Soles

      Re: Sadly very true

      "Yet again the fucking bean-counters chose the low cost option"

      Company officers actually have a legal duty to operate the company in a financially responsible manner.

      1. Destroy All Monsters Silver badge
        Facepalm

        Re: Sadly very true

        Company officers actually have a legal duty to operate the company in a financially responsible manner.

        Oh really? And this is written where exactly?

        The only one to complain will be the shareholder in any case...

        Besides, the "financially responsible manner" is open to interpretation and risk management.

      2. Rich 11

        Re: Sadly very true

        Company officers actually have a legal duty to operate the company in a financially responsible manner.

        I bet they don't have a legal duty to behave ethically.

      3. Camilla Smythe

        Re: Sadly very true

        Perhaps others may have missed the sarcasm in your post thereby resulting in you getting more down votes than up votes.

        I am sure that what you meant to say rather than imply is something along the lines of...

        <sarc>Company officers actually have a legal duty to operate the company in a financially responsible manner.</sarc>

        However the regulatory authorities involved, in this case financial, are either clueless shitwanks, limp thickdicks, in someone else's pocket, taking bribes or expect to parachute out of their 'public service' job into an executive role for the offending company on more money than they get at the moment along with a Golden Goodbye and Pension Pot from their previous 'public service role' so fuck all happens.

        The previous applies to any and all regulatory authorities, unless they are fucking over a 'public service entity' whereby any fine and/or costs are paid for by your taxes, and, as a result, nothing short of exploding dildo LiION batteries will wake them from their slumber, probably not, having crawled off the wife in order to drool on the dog whilst snoring after another exceptional one minute performance with 10 inches of rock hard meat, 'Mr Limp' failed to protrude beyond the belly, leaving the wife to finish the job off and then the bean counters will still do a cost-benefit analysis.

        Err... You might prefer to use different words.

        HTH

        1. ShortLegs

          Re: Sadly very true

          "However the regulatory authorities involved, in this case financial, are either clueless shitwanks, limp thickdicks, in someone else's pocket, taking bribes or expect to parachute out of their 'public service' job into an executive role for the offending company on more money than they get at the moment along with a Golden Goodbye and Pension Pot from their previous 'public service role' so fuck all happens.

          The previous applies to any and all regulatory authorities, unless they are fucking over a 'public service entity' whereby any fine and/or costs are paid for by your taxes, and, as a result, nothing short of exploding dildo LiION batteries will wake them from their slumber, probably not, having crawled off the wife in order to drool on the dog whilst snoring after another exceptional one minute performance with 10 inches of rock hard meat, 'Mr Limp' failed to protrude beyond the belly, leaving the wife to finish the job off and then the bean counters will still do a cost-benefit analysis.

          Err... You might prefer to use different words."

          Wow. Just wow. And I had to quote it just to flavour the full awesomeness again. Best rant I've read in years. If I could up-vote multiple times, I would.

      4. Captain DaFt

        Re: Sadly very true

        "Company officers actually have a legal duty to operate the company in a financially responsible manner."

        Indeed they do.

        But this is like a bank deciding: "The clients money is insured anyway, so why build an expensive vault? Just store the cash in cardboard boxes in the back room."

        Bank saves millions, but would you call it "financially responsible"?

        1. Richard 12 Silver badge

          Re: Sadly very true

          Only unless and until the insurance company "recovers" the loss from the bank for failing to meet the terms of insurance.

          Or the regulatory authority and/or court awards punitive fines and/or damages.

          Clearly, insurance companies will be the main driver for good security for the foreseeable future.

    3. John Smith 19 Gold badge
      Unhappy

      "yet again the fucking bean-counters chose the low cost option"

      It was a cost benefit analysis.

      The cold equations said it'd cost them a shed load of money to do the changes and save about 180 lives and 180 burns cases so the Board said f**k em.

      IIRC one of those burns case was an 11YO boy. :(

      Please note insurers regularly put a value on human life and some industries or products specify the model. IIRC a weighted average life time salary is often used, about $1-2m.

      1. Anonymous Coward

        Re: "yet again the fucking bean-counters chose the low cost option"

        Equating the value of human life is a very complex issue. I'm pleased to say that in my 20+ years of infosec I've only had to weigh the cost of the loss of data and reputation. Very often the cost of securing data is more than it's worth. The classic example is to question the value of storing a £200 lawn mower in a shed with a £5000 lock and vault door. Whilst you may feel that your personal data held by a bank or business is priceless, sadly you are on your own with your estimation of its value. It's not always the bean counter making the call: it's much more likely the infosec manager deciding how much to spend securing your data.

    4. Anonymous Coward

      Re: Sadly very true

      The effect on your reputation varies based on your industry. A bank getting hacked and losing customer information is going to be quite expensive, not just in mitigating the effect on existing customers, but the loss of selfsame customers and a dearth of new ones for a significant period of time, not to mention the fines imposed by the regulators.

      Pay the money, get the good stuff, and be the best in the business. That's where you want to be.

  2. Anonymous Coward

    Pinto was one of the few times a reputation took a sustained hit

    Decades later everyone still quotes it (that and the "Ratner Effect"). A few contributing factors:

    (1) it was a stark pricing of life - in public spaces we're too squeamish to do this (see the "can't put a price on human life" items posted on every public heath decision)

    (2) it used that pricing to directly drive company behaviour, rather than pretending to be "nice" (we all know that companies run on cash not cuddles, but we'd prefer to believe it otherwise and they spend a lot of advertising bucks on the pretence)

    (3) it was a company still thought of as a cornerstone of the American Dream (early 70s, US car firms still coasting on fumes of previous glories)

    (4) it was novel (the public revelation, if not the behaviour)

    (5) for whatever reasons brand identities matter in that sector: automobile manufacturers like to tout their legacies. In IT who does, other than IBM (and that's pretty hollow nowadays)? Some firms "re-invent" themselves, like HP/Compaq/whatever-the-fuck-is-left-of-them-now, some supposedly valuable identities get transplanted like McAfee (private/Intel/make-us-an-offer)

    Since this doesn't apply when a dot-com loses our personal data (most of us lack a similarly visceral reaction of its value and with so many similar cases in recent years there's no sustained shock) we can't hope that the risk to the reputation will be a useful deterrent. So if we don't want the damage externalised (i.e. shat all over the customers, as it is today) are we looking at somehow devising standards and imposing serious penalties? (so much devilry in the details of how standards should be developed and compliance tested, etc)

    1. I am the liquor

      Re: Pinto was one of the few times a reputation took a sustained hit

      The "Ratner effect" is an interesting study in reputational losses to a company. People think of it as a comment that destroyed a company. But it didn't - Ratners is still the largest jewellery chain in both the UK and North America. Of course, the name is different now. Ratner's comment didn't sink the company, just forced it to ditch one brand and continue business as usual through its others.

    2. Camilla Smythe

      Re: Pinto was one of the few times a reputation took a sustained hit

      Tom Clancy made a buck or two out of it...

      http://tomclancy.wikia.com/wiki/Debt_of_Honor

    3. Matt Bryant Silver badge
      Stop

      Re: Mongo Re: Pinto was one of the few times a reputation took a sustained hit

      ".....(1) it was a stark pricing of life....." No, it wasn't. The original Ford paper was nothing to do with "corporate culture" or "greed", it was simply a cost-benefit paper produced by Ford in 1973 for the NHTSA when the NHTSA was suggesting new rear-crash testing regulations. The original paper was a comparison of the costs to Ford of changing the Pinto fuel system and the cost to society of crash injuries and victims relating to burns from the existing design, not the cost of Ford being sued. This was subsequently taken waaaaaaaaaaay out of context by "progressive" Mother Jones journo Mark Dowie in a 1977 article, in which he even lied about the figures (he changed the analysis from 180 deaths to 500-900) to suit his Big Bad American Corporation theme. Ford was completely in line with the 1967 regulations when it originally designed the Pinto and the Pinto was later shown to be no more at risk from rear collisions than any of its competitors.

  3. TheWeenie

    It's yet another example of biased risk-awareness.

    You can take a service - let's say...a calendar. You've got a choice of going with provider A, who will give you a product that's free but with a few adverts and some behind-the-scenes data-slurping and the possibility that any details you give them may end up being sold in bulk by whichever unscrupulous group has compromised the security of that organisation.

    Or you go with company B, who don't give you adverts, don't mine your data and invest heavily in their cyber-security platforms - but it'll cost you £10 a month for a product of a comparable standard.

    Probably 95% of people would go for the former, and accept the risk that there's a very slight chance that some of their credentials will be compromised. If company A doesn't need your address and bank details, then the compromise is an inconvenience to the average user. If company B is compromised - and let's remember that no connected system can ever be 100% secure - then potentially you'll be exposed to a significantly larger loss - not just getting spammed for viagra and Russian brides, but you may lose real beans-and-beers money from your bank account or credit card.

    So yeah. I don't like the message but I kind of understand it. It feels like people increasingly see "being hacked" in the same vein as getting a speeding ticket - you do what you can to avoid it, and if it happens you'll be annoyed, but it's not the end of the world.

    Interesting.

    1. Doctor Syntax Silver badge

      "If company A doesn't need your address and bank details, then the compromise is an inconvenience to the average user."

      Really? A calendar as per your example? What's on the calendar?

      Uncle Fred's 60th birthday next week? Ooh look, we've got Uncle Fred's DoB. Is Uncle Fred identified in any further way? Does it have his email address? A little bit of information for ID theft and material for a more convincing phishing attempt - click on this e-birthday card.

      Leave on holiday in 2 weeks' time, return 10 days later? House unoccupied - nice.

      Lots and lots of scope from a busy calendar.

      1. Destroy All Monsters Silver badge

        Really? A calendar as per your example? What's on the calendar?

        Still an inconvenience. Your interpretations may differ from somebody else's interpretation.

      2. VinceH

        "Lots and lots of scope from a busy calendar."

        You can replace 'calendar' with whatever you like - the OP was clearly just trying to come up with a simple example.

        Company A provides a Facepalmascope. It's free [but slurping]. Company B provides one for a small fee, with no slurping - but payment details. Etc.

        Sometimes there's a time for pedantry, and sometimes there's a time to look beyond it to see the abstraction.

        1. Doctor Syntax Silver badge

          "You can replace 'calendar' with whatever you like - the OP was clearly just trying to come up with a simple example."

          Of course. I was just taking his example in the same way. Whatever you use a service to store there's likely to be lots of criminal value in it beyond the login and financial stuff. What other examples do you want? Email server? Password store?

  4. 0laf

    I was of the understanding that cyber insurance wouldn't pay out if you were found to have taken less than adequate measures to protect your data assets.

    A bit like home insurance, having it doesn't excuse you from having to lock your doors when you're out.

  5. Milton

    What about externalised costs?

    Curious to know to what degree affected companies have been able to externalise the costs of data breaches. What price can we put on the hassle / worry / embarrassment / waste of time / personal financial loss accruing to the people whose data is lost?

    Companies won't invest in good security until they are liable for the true and full costs of their greed, laziness and incompetence. We need to push our politicians to formulate laws and enable compensation schemes that make it too expensive to be cavalier about security.

    1. Doctor Syntax Silver badge

      Re: What about externalised costs?

      " We need to push our politicians to formulate laws and enable compensation schemes that make it too expensive to be cavalier about security."

      The EU have done just this, effective May 2018. Thanks to the numpties it might well not apply here.

      1. VinceH

        Re: What about externalised costs?

        Well, once Article 50 is signed, it's supposed to be a two year process - and if Supreme Commander May signs it in early 2017 (as has been suggested), that means we'll still be in the EU until early 2019 - so it'll be interesting to see what happens with such things.

        I'd rather it not be interesting, though, and just know.

        1. Doctor Syntax Silver badge

          Re: What about externalised costs?

          "that means we'll still be in the EU until early 2019"

          Yup, but how long would it take for a case to get through to court?

          1. Richard 12 Silver badge

            Re: What about externalised costs?

            They might fast-track it.

            Always good to get an early bit of case law, even better if there's no time for any appeal.

        2. Vic

          Re: What about externalised costs?

          Well, once Article 50 is signed, it's supposed to be a two year process

          ITYF it's not more than two years; it can be shorter.

          Now given that we're negotiating from a position of weakness - and the treaty seems to be set up to do that deliberately - I can't imagine it taking less than the full two years. But Boris was banging on about doing it more quickly the other day...

          Vic.

  6. phillupson

    Ultimately the decision is to be taken en masse by the buying public, and time and time again the public proves it couldn't give a rat's if a) they've not yet suffered personally and b) insecure company A is cheaper. For example, look up phone/broadband in the UK, you'll almost certainly find TalkTalk is cheapest and they're getting new customers even as we speak yet everyone remembers their data breach, which proves TalkTalk were right to do a piss poor job as long as people can save about £20-£30 a year.

    1. VinceH

      "For example, look up phone/broadband in the UK, you'll almost certainly find TalkTalk is cheapest and they're getting new customers even as we speak yet everyone remembers their data breach,"

      Yup. I know a few - including two clients - who have signed up with them since that. When asked - with the breach specifically mentioned - they've all said the same thing: They were the cheapest.

      People are stupid.

    2. Anonymous Coward

      Actually TalkTalk took a battering and have only recently started to stop the decline.

      1. VinceH

        Of the few I know, though, all but one of them had signed up with TalkTalk within a month of the breach being in the mainstream news. If they'd signed up now, I'd still be inclined to point out their history, and my flabber would still be gasted by the choice, but considerably less so.

  7. Dan 55 Silver badge
    Flame

    Even when they do 'invest' in security they get it wrong

    Take Yahoo (you can keep it). They want your phone number to do 2FA. They get hacked and the phone numbers they've got get stolen so if you gave them your phone number you're less secure, not more.

    Why have they not used FreeOTP (or made a brain-dead tap-and-drool Yahoo-branded version based on the open source original) to do 2FA? If they had done this then I would have used 2FA, but they don't, they insist on a phone number which I'm never going to give them precisely because of hacks like this... or because they've probably sold them on to their "trusted partners" anyway.

    Trust goes both ways, very few companies manage to show they're worthy of it.

    1. Anonymous Coward

      Re: Even when they do 'invest' in security they get it wrong

      "Take Yahoo (you can keep it). They want your phone number to do 2FA. "

      Exactly. Everyone wants your cell phone number for "security".

      The way I see it: If I give it to them, I'm giving it to the world.

      No Thank You.

  8. Tomato42
    Mushroom

    Solution?

    The solution it is to not make it cheaper: fine the companies that are hacked.

    1. Bronek Kozicki

      Re: Solution?

      Or another step: require insurance for handling of users and customers data and let the insurance premiums factor in the possibility of breach in your particular setup. You cannot have "100% secure" and you have to pay one way or another - either in your security setup or in insurance premiums.

      However, step one to this would be for companies to actually need insurance money, in significant quantity enough to bother with insurance in the first place. That's when fines (or perhaps civil action lawsuits) come in.

    2. Captain DaFt

      Re: Solution?

      " fine the companies that are hacked."

      You want immediate action? Howls of agony and outrage? Actual results?

      As well as fining the company, freeze 10% of each of the shareholder's stock for two years, or until the problem is fixed.

      Most companies would be secure before the next quarter.

      (And a lot of politicians would lose campaign funds next election, so win/win!)

      1. Anonymous Coward

        Re: Solution?

        " fine the companies that are hacked."

        And don't do the bloody typical British thing by capping the fines at a level that could destroy small firms, but scarcely put a dent in the annual soirée budget for the large ones. That really does grate.

        1. ecofeco Silver badge

          Re: Solution?

          And don't do the bloody typical British thing by capping the fines at a level that could destroy small firms, but scarcely put a dent in the annual soirée budget for the large ones.

          That's typically American as well.

  9. nuked

    Eh?

    That average seems pretty low. They always seem to cost a whole lot more when it actually comes to sentencing the disillusioned kid still hiding underneath the bed.

    Not sure attributing the cost of plugging a hole that shouldn't have been there in the first place, is entirely fair.

  10. WhatsData2U
    Facepalm

    I'll Take that Risk

    Per comments by other posters, the cost doesn't really hit home... until it gets personal. Taking this kind of risk is a gamble to be sure, and one component the article doesn't look at is the future risks of IoT. We're on a digitization fast track to ramping up connectivity of everything from cars and homes, to things we haven't even conceived of yet. The study cited looked at 2004-2015; even if we agreed with those round average numbers, that's not the future we're looking at.

  11. c1ue

    The author of the report clearly knows nothing about cyber insurance.

    How can a cyber insurance company know anything about the actual state of a company's cyber insurance when its primary data intake is a 9-page, user-filled-out form?

    What cyber insurance companies do is 2 buckets:

    1) Value at risk: how much would they possibly have to pay. This part, they can judge reasonably well.

    2) Is the insuree trying at all? Trying but incapable? Not trying?

    That's where the industry is at right now, and will continue to be until some way of understanding "good" security vs. "bad" security can be automatically and easily computed.

    1. Charles 9

      "That's where the industry is at right now, and will continue to be until some way of understanding "good" security vs. "bad" security can be automatically and easily computed."

      But the human factor always gets involved which is why computers can't do it and why you need human actuaries; it takes one to know one, basically.

  12. Anonymous Coward

    Capitalism

    This is the kind of insanity that inevitably happens as a consequence of the mindless pursuit of wealth/capital for the sake of accruing more wealth/capital. Eventually no one wins, we're not quite there yet, soon enough we will be.

    PS Marx had a thing or two to say about this kind of degeneracy.

    PPS AC because of all the neo-con cuntz that lurk here

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Capitalism

      I will just state that you don't know what a neo-con is.

      Protip: It has nothing to do with capitalism. It has, however, a lot to do with Trotskyism and Zionism.

  13. simbalion

    Wrong.

    Strong security is about hiring competent people, and has nothing to do with paying for "top shelf systems". The two most important pieces of software for a strong security presence are completely free.

    1. Doctor Syntax Silver badge

      Re: Wrong.

      "Strong security is about hiring competent people"

      ...and doing what they say. If this means rewriting the colander that the servers present to the net be prepared to pay to do it.

      1. Charles 9

        Re: Wrong.

        And if there's no money and the executives aren't interested? And it's like this throughout the industry? AND they pay off the regulators?

  14. Michael Sanders

    Take it from this poor health American. Insurance is not the answer.

  15. cyberdemon Silver badge
    Devil

    Blame the hacker

    The real problem, if you ask me, is that the operators of these sites are never accountable for their own shitty security. Everybody blames the hacker. The real black-hats are rarely caught, but sometimes a white-hat will politely point out a vulnerability and expect to be rewarded - instead he is ignored (perhaps to save face) and the vulnerability often remains unpatched. So a grey-hat comes along and rudely makes the vulnerability obvious to all. In most cases he is attacked by the organisation (never mind rewarded) and frequently prosecuted by the state (who want to make an example of him in the hopes that this will scare the black-hats).

    IMO the real reason that companies never bother to secure their networks, is because they can always label it as a "cyberattack", as if NOBODY could have stopped this ACT OF TERROR on their systems.

    When a system of this scale gets compromised, it should be the sysadmin, not just the "hacker" who gets held accountable by the state. It would be nice if there was a neutral authority that white-hats could report vulnerabilities to, which will confirm them and then force (by law) the companies involved to close them.

    Then again, the cynic in me says these sites are deliberately left open so that the state spies can get in, whilst having yet another excuse to pursue and destroy anyone else who wields the same power.
