The reason companies don’t fix cybersecurity [Same reason software is insecure]

The reason companies don’t fix cybersecurity by Erick Sherman.

From the post:

U.S. air traffic control systems are vulnerable to hackers, says the General Accounting Office. Cybercriminals target retail loyalty cards. Obsolete encryption leaves phones vulnerable.

When it comes to giant data breaches suffered by Sony (SNE), Home Depot (HD), Target (TGT), Anthem (ANTM) and many others, the vulnerability of online information is by now a fact of life. So why don’t corporations plug the gaps, improve their practices and safeguard sensitive consumer data? After all, these measures would prevent potential financial loss and identity theft.

The answer: The losses involved are so small compared to the revenue that it’s easier to take a chance and write off any losses should they occur. In other words, worrying about data breaches isn’t worth it to them.

To understand the attitude, you need to follow the money. Benjamin Dean, a fellow for Internet governance and cybersecurity at Columbia University’s School of International and Public Affairs, compared some high-profile data breach costs to the revenue of the companies. It turned out, some major breaches cost the companies that had lost the data relatively little.

Remember Target’s loss of 40 million of debit and credit card numbers and 70 million other records, which included addresses and phone numbers? The company recently said the total bill was $252 million between 2013 and 2014. After $90 million insurance coverage, $162 million was left. Tax deductions brought that amount down to $105 million. The sum was about 0.1 percent of Target’s 2014 revenue.

This isn’t unusual. For the loss of 56 million credit and debit card numbers and 53 million email addresses to hackers in 2014, Home Depot was out only a net $28 million, after a $15 million insurance payment. That’s less than 0.01 percent of the company’s 2014 revenue.

In 2014, the Ponemon Institute surveyed 314 companies around the world. The smallest by annual revenue was on the order of $100 million. Most were multibillion-dollar corporations. Ponemon’s estimate of the average data breach cost to these companies for the year was $3.5 million. The organization ran some numbers for CBS MoneyWatch. The average revenue size was $1.967 billion. That means the average data breach represented only 0.18 percent of revenue — a rounding error. (emphasis added)

Erick’s article is a must read on the lack of motivation for corporations to improve cybersecurity. The cost of breaches to major corporations now? In his words “…a rounding error.”

But major corporations didn’t write the software that led to universal cyberinsecurity. Software companies did. What would a cost analysis show for their cost of data breaches?

If you think 0.18 percent of revenue is low, software breaches cost software vendors 0.00 percent of revenue.

Tell me, what incentives do software vendors have to aggressively pursue the production of secure software?

Can you say: NONE AT ALL?

Some vendors do try harder than others but remember they are competing against other vendors who have no cost for ignoring insecure software.

Do the math and ask yourself: Where are the incentives for secure handling of data and secure software?

Without security incentives everyone and their data will be left naked and exposed to the entire world.

If you are eligible to vote in the United States, contact your Representatives and Senators saying if the 2016 elections arrive with no realistic incentives to avoid data breaches and to produce secure software, you will vote against every incumbent on the ballot.

Comments are closed.