The Cost of a Data Breach


As I have done in a previous post, I am taking this opportunity to share with our online audience some of the letters we receive regarding our online and print coverage. This letter comes from a reader of our most recent issue, and my response to his comments can be found below the letter. As always, I appreciate our readers' feedback and look forward to receiving more in the future.

Here is what our interested reader wrote:

In the article "Data Breach Spring" in the May/June issue of Infosecurity, there are several figures for the "cost" of a security breach which appear to include the costs of tightening up security measures after the breach. This is a common obfuscation by corporate victims of data security breaches. They should have made their systems secure in the first place, and the cost of making them secure after a breach is a misstatement in the company's balance sheet of the actual cost of the computer system installed.

A typical example is the case of Gary McKinnon, where the US authorities hugely inflated the loss alleged to be caused by his intrusions by including the cost of adding security measures which should have been there already.

Consider the analogy of what happens if your house is burgled. Assuming you are insured, the insurers will pay for the replacement of items stolen, and for any damage caused during the burglary. In principle they can recover these costs from the burglar if he is caught, but this rarely happens in practice. When you come to renew your insurance, the insurers will typically require you to fit better locks or window grilles or whatever. They will not pay the cost of doing so, because that cost isn't attributable to the burglary, but to your failure to prevent the burglary by making your house secure earlier.

The same applies to computer systems. I'm not defending hackers here. Hacking into a computer system and corrupting or stealing data is a crime and should be treated as such. However, the cost of protective measures against hacking is attributable to the owner of the computer system and not to the hacker who breaks into it because the protective measures were not installed yet.

Richard P. Parkins, M.A.

And here is my response, since I personally wrote the article Richard references:

Dear Richard,

Your point on this topic is well taken. I would agree entirely that these costs, or the costs associated with shoring up security post-incident, are truly costs that organizations should have been putting out for all along. The lesson from all of these breaches is that, even among very large organizations, data security can be woefully inadequate and easily exploited by hackers – oftentimes by those with even rudimentary skills.

I also believe your analogy regarding insurance to be on point. It's not the hacker itself that cost the organization the additional funds to plug security holes; after all, these holes likely should have been addressed before they were exploited. However, my use of the data breach costs cited in the article is purely for comparative and informational purposes.

And since I am not an accountant, I will make no comment on the "voodoo math" that often comprises corporate balance sheets.

But, I will say this: When Sony, Epsilon, or even the US government total up the costs of an incident, and start seeing all the zeros at the end of it, it serves as both a lesson for them and others. Forrester's analyst Chenxi Wang told me when researching the article that this rash of data breaches might actually be a good thing – a "wake up call" to be more careful with consumer data. While not every organization out there took notice of the breaches and their associated costs, I certainly hope there were some that were paying attention, and heeded the call.

Only time, and some up-front investment, will tell us if this is the case. Sure there will be more breaches – they happen every day. But I hope there are some out there who read the headlines, saw the numbers, and were motivated to start asking the important questions about how secure their data is. 

Warmest regards,
Drew
