Hack The Planet

Because if you don't, who will?

Monday, February 22, 2016

Basic Economics is why we fail at Security…

In the InfoSec community we often rail against people for not doing enough to secure their data. If only they had installed this, or hadn't installed that. Why can't these people understand?

The issue we run into is not that they don't want to secure their information; it is that they can't afford to. This week we saw a hospital and a school pay criminals to get ransomware removed from their networks. The amounts they paid were $17,000 and $8,500 respectively.

The reason I point this out is that they probably won't be fined, so all they are out is a few thousand dollars and a little bad press. These institutions won't really lose much face either. They will be pitied for having been attacked by Big Bad Hackers, and then people will forget it happened. If you look at Target and Home Depot, two of the bigger breaches in the US, the overall impact on the business was minimal.

In the end it is more expensive to try to protect information than it is to pay the fine for a breach, or to pay the criminals who encrypt your data and hold it for ransom. Consider just the cost of hiring one person capable of protecting your data: you are already in the six figures with that single salary. That alone is more than four times the combined amount ($25,500) that this hospital and school paid to get their information back, and it is before you buy any security tools, which are never cheap.

At the end of the day, we are losing this battle because the cost of failure is acceptable.

How can we change the cost of failure to be in our favor? Do we increase the fines for being breached? Since shareholders care about the bottom line, the lack of large fines incentivizes companies to be less secure. It could be argued that increasing fines would drive companies not to report breaches. There are laws today that require companies to report when they have been breached, but does it cost that much more to be fined for not reporting? Companies gamble this way all the time; I'm looking at you, VW. Meanwhile our criminal counterparts, thinking like Walmart, know they can simply charge less and keep getting paid.

Sadly, I don't think the change will happen until attacks like the Sony hack become more frequent, forcing companies to re-evaluate the cost of failure.

posted by holliday at 10:09 am  