News of the above fiasco splashed across media yesterday and earlier today, but I must confess, I’ve become jaded – I no longer read such news. In fact, the more likely scenario is I go, “Ah, another one”.
Why do we continue to be surprised?
We’re playing with fire, underestimating the importance of security, although we continue to talk about it as something beyond vital. At the end of the conversation, there’s always someone asking about costs and slashing budgets. And these are the results. The true risks of security cannot be measured in such rudimentary ways anymore. The time when we compared risk assessment to a horse in a stable (don’t spend more money for the fence than for the horse) is long gone. We need to change the approach and understand that the risks are much higher; losing your data can (and WILL) cost you your company.
Data breach notification laws now require that every user be notified (and that’s fairly across the board in all states). That alone can cost a fortune. Insurance companies will cover some of that cost (that is, if you have cyber security insurance) but you’ll still be out a lot of money. Let’s not even begin to peg a dollar value to corporate reputation, and loss thereof – how many of us refrained from shopping at Target for a long time at the beginning of this year???
That’s a cost you can neither easily quantify nor foresee.
When will the time come when companies take security seriously “for real” and not only on paper?
One has to wonder.