Insurance and cybersecurity, the parallels are clear

This post was originally published here by shaane syed.

It'd be awfully nice not to need car insurance. Or homeowners insurance. Or fire insurance. These added expenses don't increase the value of your car or home, and there's a good chance you'll never use them. The money you pour into insurance is arguably even being frittered away, money that would be better spent on investments or property improvements. You haven't been in a car accident in ten years. Wouldn't it have been better to put that money towards something else?

That question is clearly ludicrous. Insurance is a necessity you hope is never actually necessary, since its use arises from an accident or catastrophe. The potential for crippling financial burden that you'd face without insurance makes paying for it worthwhile. The minute you cancel your car insurance you could find yourself in an accident whose costs dwarf the total amount of money you've previously put in. The risk is too great.

Information security is similar to insurance in that having no (or weak) security is an incredible risk. Considering the massive damage that could hit your company following a data breach, it's always worth investing resources in ensuring you never face one. But since security doesn't seem all that valuable until the moment you're breached, it can be tempting to invest security expenditures elsewhere.

For that reason, maybe you disagree about how severely your company would be harmed by a breach. If so, you wouldn't be alone. Back in 2014, Home Depot was hit by a huge breach that cost them close to $200 million just in settlement payouts to consumers and credit card providers.

This breach didn't come out of nowhere, though. In the year before, Home Depot was hit with two smaller breaches exposing issues that, had they been dealt with, would likely have enabled them to avoid the larger breach altogether. But it's not like they were previously ignoring security concerns out of malice; there were almost certainly just other things in the company that took precedence because of their perceived value relative to making improvements to security. Home Depot was just one of many companies that were aware of the inherent security flaws found in POS systems while doing nothing about them because of the added cost to do so.

Of course, it's possible to view all of this through the lens of moral hazard. If you lose customer credit card numbers or other sensitive data, it's ultimately their problem. They'll cancel their cards, spend a couple of hours on the phone jumping through hoops with their provider to get fraudulent charges removed, but your company will be fine, ultimately. It'll cost you some money, force you to fire a few people for PR purposes, bring down profits for the year, give your lawyers something to do to justify their cost, and cause your support staff to break down crying, but that's the cost of doing business and everything will return to normal after a bit.

And occasionally that might even be true. A company whose customers already hold them in fairly high esteem can recover quickly. Target's breach in 2014 cost them $175 million and a quick drop in revenue, but less than a year later business had pretty much returned to normal. Terrible, but not catastrophic in the long term.

Target is unique, though, in that they have an established brand identity and a broad, loyal customer base. As a rule, 64% of customers say they're less likely to do business with a company that lost some of their sensitive data. 50% of customers say they're less likely even if the lost data is non-sensitive. There's a reason why one of the only activities that brings both sides of Congress together is publicly grilling and condemning CEOs whose companies incurred massive data breaches.

Being cavalier with your data is essentially the same as being cavalier with your company, just as being cavalier with your insurance is essentially being cavalier with your life. If you didn't have car insurance, you'd likely get through a major accident, but the damage would be felt for years after. You wouldn't take that risk in your daily life, so don't take that risk with your business.

Photo: WeLiveSecurity