Skip to Content

The Costs of Bad Security

Mounting threats to the security of information are forcing companies to make more sophisticated cost-benefit analyses when they craft their security strategies.

Last month, Sony revealed the price tag associated with cleaning up the massive security breach that exposed personal information of more than 100 million users of its PlayStation Network and Qriocity streaming-media services: at least $171 million. It was the largest such breach any company had ever experienced, according to Sony’s chairman, Sir Howard Stringer, and the staggering sum will cover security improvements, customer compensation, and investigative services. But the full toll will be harder to measure, because it will include the loss of customer confidence in the company.

Keeping up: The Enterprise Strategy Group, a consulting firm, asked 308 IT professionals in large companies what factors motivated their decisions to improve data security. Regulatory compliance topped the list

The episode was a reminder of the stakes involved in data security—and an indicator that many organizations are not protecting themselves well enough. “When it comes to all of these security problems, companies aren’t spending up front but have to spend a lot of money on the back end to fix things,” says Thomas Ristenpart, a computer security researcher at the University of Wisconsin, Madison.

This month, Business Impact focuses on securing data against theft and loss. We will explore the security tactics that companies ought to be using, the investments they ought to be making, and the questions they ought to be asking. We’ll examine smart practices for mobile devices, remote workers, and cloud computing, and we’ll get insights from top thinkers in the field.

Threats to the security of information are multiplying in part because the world’s storehouses of data are rapidly growing as the cost of storage plummets and the availability of computers and network access expands. As this mother lode of data grows, so does its attractiveness to criminals and hackers.

To protect themselves, businesses can impose access controls on confidential data, encrypt this data and appropriately manage encryption keys, audit user activities, and bring on consultants to make sure security practices are up to date. And since the weak link in the security chain is often people, one of the most important things businesses can do is simply to train employees on basic data security practices. This month’s package of stories will argue that information security isn’t just a matter for the IT department to worry about. It has to register throughout a company, starting at the highest levels, where decisions about capital investments are made.

Big worries: The same survey from the Enterprise Strategy Group asked the same group of IT employees to identify weak spots in their network security.

One big challenge was reflected in a 2009 cybersecurity research roadmap (PDF) produced by the U.S. Department of Homeland Security. Among other things, it found that because information technologies and attack methods are evolving so fast, organizations find it hard to determine whether their data is becoming more or less secure, whether it’s more or less secure than that of other organizations, and whether a given level of investment is worthwhile. It doesn’t help that many organizations assess basic questions about security from a short-term financial perspective—even though cost-benefit analyses are hard to make because the cost of failing to take appropriate security measures might not be apparent for years. “Decisions resulting from such analyses will frequently be detrimental to making significant security improvements in the long term,” the report says.

It complicates matters even more that when data breaches occur, companies aren’t always entirely forthcoming. (Sony took six days to warn users that their information had been exposed.) Faster responses would help victims or potential victimsindividuals or companies whose data was exposed take steps to mitigate damage.

Possible changes in government regulations could tighten the rules on how such breaches are reported and what must be revealed. In the United States, 47 state laws currently govern the disclosure of data breaches that expose personal information, but President Obama recently proposed that a single federal law should govern the process.

That would be helpful, says cryptologist Bruce Schneier, chief technologist for the global telecommunications company BT—though just how helpful depends on how thorough the law turns out to be. What’s clear now is that the aftermath of data breaches is sometimes murky. “We don’t know who had access to the data—whether they are criminals, or kids, or spies,” Schneier says. “We don’t know the vulnerability that caused the breach.” Sometimes all we know for sure is how much the damage cost.

Keep Reading

Most Popular

10 Breakthrough Technologies 2024

Every year, we look for promising technologies poised to have a real impact on the world. Here are the advances that we think matter most right now.

Scientists are finding signals of long covid in blood. They could lead to new treatments.

Faults in a certain part of the immune system might be at the root of some long covid cases, new research suggests.

AI for everything: 10 Breakthrough Technologies 2024

Generative AI tools like ChatGPT reached mass adoption in record time, and reset the course of an entire industry.

What’s next for AI in 2024

Our writers look at the four hot trends to watch out for this year

Stay connected

Illustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.