The Costs of Bad Security
Mounting threats to the security of information are forcing companies to make more sophisticated cost-benefit analyses when they craft their security strategies.
Last month, Sony revealed the price tag associated with cleaning up the massive security breach that exposed personal information of more than 100 million users of its PlayStation Network and Qriocity streaming-media services: at least $171 million. It was the largest such breach any company had ever experienced, according to Sony’s chairman, Sir Howard Stringer, and the staggering sum will cover security improvements, customer compensation, and investigative services. But the full toll will be harder to measure, because it will include the loss of customer confidence in the company.
The episode was a reminder of the stakes involved in data security—and an indicator that many organizations are not protecting themselves well enough. “When it comes to all of these security problems, companies aren’t spending up front but have to spend a lot of money on the back end to fix things,” says Thomas Ristenpart, a computer security researcher at the University of Wisconsin, Madison.
This month, Business Impact focuses on securing data against theft and loss. We will explore the security tactics that companies ought to be using, the investments they ought to be making, and the questions they ought to be asking. We’ll examine smart practices for mobile devices, remote workers, and cloud computing, and we’ll get insights from top thinkers in the field.
Threats to the security of information are multiplying in part because the world’s storehouses of data are rapidly growing as the cost of storage plummets and the availability of computers and network access expands. As this mother lode of data grows, so does its attractiveness to criminals and hackers.
To protect themselves, businesses can impose access controls on confidential data, encrypt this data and appropriately manage encryption keys, audit user activities, and bring on consultants to make sure security practices are up to date. And since the weak link in the security chain is often people, one of the most important things businesses can do is simply to train employees on basic data security practices. This month’s package of stories will argue that information security isn’t just a matter for the IT department to worry about. It has to register throughout a company, starting at the highest levels, where decisions about capital investments are made.
One big challenge was reflected in a 2009 cybersecurity research roadmap (PDF) produced by the U.S. Department of Homeland Security. Among other things, it found that because information technologies and attack methods are evolving so fast, organizations find it hard to determine whether their data is becoming more or less secure, whether it’s more or less secure than that of other organizations, and whether a given level of investment is worthwhile. It doesn’t help that many organizations assess basic questions about security from a short-term financial perspective—even though cost-benefit analyses are hard to make because the cost of failing to take appropriate security measures might not be apparent for years. “Decisions resulting from such analyses will frequently be detrimental to making significant security improvements in the long term,” the report says.
It complicates matters even more that when data breaches occur, companies aren’t always entirely forthcoming. (Sony took six days to warn users that their information had been exposed.) Faster responses would help victims or potential victims (individuals or companies whose data was exposed) take steps to mitigate damage.
Possible changes in government regulations could tighten the rules on how such breaches are reported and what must be revealed. In the United States, 47 state laws currently govern the disclosure of data breaches that expose personal information, but President Obama recently proposed that a single federal law should govern the process.
That would be helpful, says cryptologist Bruce Schneier, chief technologist for the global telecommunications company BT—though just how helpful depends on how thorough the law turns out to be. What’s clear now is that the aftermath of data breaches is sometimes murky. “We don’t know who had access to the data—whether they are criminals, or kids, or spies,” Schneier says. “We don’t know the vulnerability that caused the breach.” Sometimes all we know for sure is how much the damage cost.