If you don't know much about computer security, you might come away from the past few months with the idea that criminal hackers are gods. Breathless news coverage has portrayed LulzSec and its ilk as capable of striking down mighty (though mortal) targets at whim, including law enforcement, three-letter government agencies, and major corporations. And if the hackers are omnipotent, companies can take even less responsibility for protecting customer information than they already do. After all, how are mere mortals expected to defend themselves against thunderbolts hurled by Zeus?
In the past, one compelling argument for vigorous information security was to protect a business' reputation. The reasoning: Companies that fail to safeguard customer data will suffer brand damage and lose customer trust, leading to lost sales and profits. While such losses have always been difficult to quantify, executives could understand at a gut level that exposing thousands of customer records to criminals makes the company look incompetent or even negligent.
But this argument is showing cracks. First, there's not a lot of evidence that a security breach has a lasting effect on a brand. Case in point is T.J. Maxx. The retailer announced a computer intrusion in January 2007. Over time, it was revealed that more than 45 million customer records were exposed. The company was lambasted in the press for months as details piled up about its atrocious security practices. But in February 2008, the parent company announced that sales at had actually gone up in the past year. DSW Shoes, OfficeMax, and grocery chain Hannaford Bros. also suffered breaches in the past few years, with little apparent fall-off in shoppers. We'll have to wait and see if Sony experiences any long-term customer losses due to the PlayStation Network breach, but I doubt it.
The omnipotent hacker myth could kill this brand-damage argument entirely. If the public sees an intrusion not as a preventable human activity, but rather an unstoppable act of a higher power, then how can you blame the victim? People get cancer, towns are flooded, and companies expose millions of credit card numbers. Stuff happens, right?
Security has always been a difficult sell to executives. Security systems are complicated and sometimes unwieldy, while businesses want to be agile. Security tools, and the people to operate them and analyze their output, are expensive.
There are other costs associated with breaches, such as lawsuits, fines, and the investigation and clean up. Those costs are also part of the risk management equation, and they should carry significant weight as companies evaluate their security stance. But if a company thinks it can bear those costs with no long-term brand erosion, why not roll the dice?
The media also bear some responsibility here. Mainstream outlets rarely bother to differentiate among the kinds and severity of attacks that groups like LulzSec and Anonymous perpetrate. It's one thing to penetrate systems and steal sensitive information. It's another to launch a distributed denial of service attack against a public-facing website. The first could have repercussions for lots of people; the second is dumb vandalism that takes little skill or knowledge. But when the media lump these attacks together as mighty displays of power, it imparts a degree of potency that's unwarranted.
That said, the ultimate responsibility falls on the companies that store sensitive customer information. No company can legitimately claim to be ignorant of the threats, or pretend that it isn't a target. But as attacks become more commonplace, and the public sees intrusions as inevitable, I worry that companies will take more security shortcuts--creating a self-fulfilling prophecy. It's the kind of catastrophe that only a vengeful god would enjoy.
Cybercriminals are not only exploiting small and midsize businesses--they're targeting them. In this Dark Reading Tech Center report, we identify how SMBs are exploited, where their security fails, and how they can shore up their defenses. Download it now.