Omnipotent Hacker Myth Lets Business Off The Hook - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Government // Cybersecurity
Commentary
6/27/2011
05:57 PM
Connect Directly
LinkedIn
Google+
Twitter
RSS
E-Mail
50%
50%

Omnipotent Hacker Myth Lets Business Off The Hook

If the public believes hackers are almighty, companies have little incentive to take security seriously.

If you don't know much about computer security, you might come away from the past few months with the idea that criminal hackers are gods. Breathless news coverage has portrayed LulzSec and its ilk as capable of striking down mighty (though mortal) targets at whim, including law enforcement, three-letter government agencies, and major corporations. And if the hackers are omnipotent, companies can take even less responsibility for protecting customer information than they already do. After all, how are mere mortals expected to defend themselves against thunderbolts hurled by Zeus?

In the past, one compelling argument for vigorous information security was to protect a business' reputation. The reasoning: Companies that fail to safeguard customer data will suffer brand damage and lose customer trust, leading to lost sales and profits. While such losses have always been difficult to quantify, executives could understand at a gut level that exposing thousands of customer records to criminals makes the company look incompetent or even negligent.

But this argument is showing cracks. First, there's not a lot of evidence that a security breach has a lasting effect on a brand. Case in point is T.J. Maxx. The retailer announced a computer intrusion in January 2007. Over time, it was revealed that more than 45 million customer records were exposed. The company was lambasted in the press for months as details piled up about its atrocious security practices. But in February 2008, the parent company announced that sales at had actually gone up in the past year. DSW Shoes, OfficeMax, and grocery chain Hannaford Bros. also suffered breaches in the past few years, with little apparent fall-off in shoppers. We'll have to wait and see if Sony experiences any long-term customer losses due to the PlayStation Network breach, but I doubt it.

The omnipotent hacker myth could kill this brand-damage argument entirely. If the public sees an intrusion not as a preventable human activity, but rather an unstoppable act of a higher power, then how can you blame the victim? People get cancer, towns are flooded, and companies expose millions of credit card numbers. Stuff happens, right?

Security has always been a difficult sell to executives. Security systems are complicated and sometimes unwieldy, while businesses want to be agile. Security tools, and the people to operate them and analyze their output, are expensive.

10 Massive Security Breaches
(click image for larger view)
Slideshow: 10 Massive Security Breaches
Companies have always weighed the costs of security versus the costs of a potential breach, but in an era of omnipotent hackers, the balance begins to shift. You can imagine a CEO reasoning thusly: Do I want to A) spend lots money on security with no guarantee of protection, or B) put that money somewhere else and risk an intrusion? If a company knows that an intrusion isn't going to cost it customers in the long run, option B becomes more palatable.

There are other costs associated with breaches, such as lawsuits, fines, and the investigation and clean up. Those costs are also part of the risk management equation, and they should carry significant weight as companies evaluate their security stance. But if a company thinks it can bear those costs with no long-term brand erosion, why not roll the dice?

The media also bear some responsibility here. Mainstream outlets rarely bother to differentiate among the kinds and severity of attacks that groups like LulzSec and Anonymous perpetrate. It's one thing to penetrate systems and steal sensitive information. It's another to launch a distributed denial of service attack against a public-facing website. The first could have repercussions for lots of people; the second is dumb vandalism that takes little skill or knowledge. But when the media lump these attacks together as mighty displays of power, it imparts a degree of potency that's unwarranted.

That said, the ultimate responsibility falls on the companies that store sensitive customer information. No company can legitimately claim to be ignorant of the threats, or pretend that it isn't a target. But as attacks become more commonplace, and the public sees intrusions as inevitable, I worry that companies will take more security shortcuts--creating a self-fulfilling prophecy. It's the kind of catastrophe that only a vengeful god would enjoy.

Cybercriminals are not only exploiting small and midsize businesses--they're targeting them. In this Dark Reading Tech Center report, we identify how SMBs are exploited, where their security fails, and how they can shore up their defenses. Download it now.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
News
COVID-19: Using Data to Map Infections, Hospital Beds, and More
Jessica Davis, Senior Editor, Enterprise Apps,  3/25/2020
Commentary
Enterprise Guide to Robotic Process Automation
Cathleen Gagne, Managing Editor, InformationWeek,  3/23/2020
Slideshows
How Startup Innovation Can Help Enterprises Face COVID-19
Joao-Pierre S. Ruth, Senior Writer,  3/24/2020
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
IT Careers: Tech Drives Constant Change
Advances in information technology and management concepts mean that IT professionals must update their skill sets, even their career goals on an almost yearly basis. In this IT Trend Report, experts share advice on how IT pros can keep up with this every-changing job market. Read it today!
Slideshows
Flash Poll