Given the recent spate of breach announcements from companies like Monster.com and TradeFreedom Securities Inc., I’ve been thinking about how poor security is going to impact organizations and consumers over the next few years.
Even though the number of attacks has risen over the past 18-24 months, and even though their severity is getting worse, consumers and private citizens don’t seem to be too troubled by these incidents, because for many the connection between a reported breach and actual personal harm has not yet been apparent. And to some extent, many folks see these attacks as inevitable.
They aren’t. Or, rather, they don’t have to be. There are many reasons for security issues, but many of them can be avoided or considerably mitigated by applying the right combination of people, process and technology — diligently.
What would be useful for us is to have some publicity when a company does security correctly and manages to successfully defend against an attack of some sort. The problem with this suggestion is that it would draw undue attention to the organization in question and make it a more attractive target, essentially increasing its risk profile. So the companies that are doing it well are going to want to keep that success under the radar.
What we will have to settle for, instead, is free-market punishment of those organizations that perform security poorly. Yes, we live in an increasingly online world, but we should still be able to expect a measure of security and privacy for ourselves. Companies that don’t do this need to feel the loss as customers move to other firms that clearly share these values. This would provide a clear incentive to organizations to treat security with the respect that it deserves, and apply the necessary resources to doing it right and doing it well.
This brings us back to Monster.com. I wonder how many people actually stopped using Monster as a result of the publicity surrounding the breaches, and how many of those will stay away once the publicity dies down. Or have we all just rationalized the issue as inevitable? “It could have happened to any of the others…”
For that matter, I wonder if any of the other job boards are actually reviewing their own security posture right now, or if they’re just saying to themselves, “it must hurt to be Monster.com.”
I suspect that people are not going to keep burying their heads in the sand. As more breaches take place, more people will be directly affected, whether through identity theft or through the hassle of replacing credit cards and the like. Just as the changing threats of the past few years forced consumers and average citizens to become more savvy about technology, so too will their tolerance for poor security change, and companies will confront a more diligent public that expects them to keep private information private.
Companies need to get ahead of that curve by looking at the risks associated with poor security from the standpoint of long-term damage to the brand, and not simply from a short-term cost perspective.
At the end of the day, it is not possible to avoid paying for security — you either pay n dollars up front, or you pay 4n dollars, plus PR and brand rehabilitation costs. Pay, or pay big. Those are the options.
The public is tired of bearing the brunt of poor security — or, they will be any day now…