Sad reality: It's cheaper to get hacked than build strong IT defenses

theregister.co.uk

195 points by jazzyb 9 years ago · 116 comments


Noseshine 9 years ago

Why is that "sad"? Nature has gone the same path. We have basic defenses that are "on" all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us, which also means threats we actually encounter will be recognized and fought more quickly and better in the future. Or houses - having lived in the US, those front doors are at least an order of magnitude less secure than any German front door, but even those are not really able to keep out any determined intruder.

Why should we mount a very expensive all-out defense against a lot of perceived threats? It's similar to "every child (programmer, etc.) MUST know this!". Making demands is easy. If people don't care there probably is a deeper reason. Yes, the heuristic gets it wrong, that's why it's a heuristic, but that it is one in the first place also has similar reasons.

It sure is possible to criticize a concrete company for concrete problems, but the blanket statement of the headline is not useful.

  • Bartweiss 9 years ago

    The problem is that this isn't about saving money overall. Users pay the primary costs of the company's security errors, so it's a moral hazard problem.

    Right now, companies that lose data don't pay any costs at all until afterwards, and those costs are usually minimal. The reputational damage is reduced because no one knows until (well) after the breach, and any financial info lost is consumer credit cards rather than corporate accounts. Yes, users sometimes get free identity theft monitoring, but those services are quite cheap to account for the fact that they don't actually work.

    More specifically, this is asymmetric information and therefore the market can't adjust for it. When Yahoo loses my data, will my passwords be salted and well-hashed? How could I possibly know in advance? Consumers aren't making privacy and risk choices, they're using the internet as best they can and getting repeatedly burned for it.

    If you want a clear contrast, companies are enormously concerned about "whaling" attacks, and are working hard to prevent them. Those attacks take corporate money in real time, so the costs are properly factored in. Moral hazard is inherently about broken cost-benefit measurement.

    • mahyarm 9 years ago

      The real problem is most payments & identity are pull vs push and the username is the password. If they were push, then there wouldn't be customer payment information to steal in the first place. All that would be taken would be personal shipping addresses, and those are mostly public as it is already.

      Same with social security numbers and identity in general.

      Solving the root cause in this case, though, was decided to not be good by the infrastructural organizations. Eating the fraud is cheaper than putting up barriers to payments.

      If fraud liability was moved 100% to banks, payment providers and governments, we would see the problem fixed pretty quickly.

    • smallnamespace 9 years ago

      > The problem is that this isn't about saving money _overall_.

      It hasn't been shown to be otherwise either though.

      > companies that lose data don't pay any costs at all until afterwards

      Because we don't know what they should pay. We need reliable research that nails down how much a security breach costs society, and until we have it, it's impossible to provide companies with the right incentives.

      Note that the cost should depend on the circumstances. For example, if Google or Facebook has a major breach, it would probably have a bigger impact (on a per-user basis) than a small service.

      If you just impose a uniform per-user cost for data breaches, then you're essentially giving larger services an unfair competitive advantage.

  • petertodd 9 years ago

    When your front door isn't secure enough, you and/or your insurance company eat the loss. The point of this headline is that when Yahoo gets attacked their customers are going to eat the loss, yet it's Yahoo who screwed up.

    That's IMO a clear example of mis-aligned incentives.

    • DominikR 9 years ago

      Has Yahoo acted grossly negligently? (I don't know the specifics in this case.) If so, then they are liable for resulting damages; if not, then they didn't screw up.

      See, no customer is entitled to a 100% guarantee that their private data will never leak. Why? Because it is not possible to guarantee such a thing.

      The only thing you are entitled to is that the corporation handles your data following industry standards which usually is at least identical but most often even better than what the law requires.

      If a 100% guarantee was somehow a legal requirement then the IT industry would cease to exist the following morning.

      • mikeash 9 years ago

        It's not possible to 100% guarantee that data will never leak, but it's entirely possible to 100% guarantee that the company will cover the full costs of a leak. If that was somehow a legal requirement, everyone would go out and buy insurance for it and then life would go on, probably with additional emphasis on security.

        • DominikR 9 years ago

          I have a different position on that. My perspective is that if a company doesn't act negligently, follows all legal procedures and industry standards regarding data security, then why should it be made to pay for damages caused by a third party?

          It didn't cause the damage, it's been the criminals who did that. They should be held accountable for this.

          • mikeash 9 years ago

            That seems pretty reasonable too. I like the idea of making the business liable regardless because it more or less automatically optimizes the combined cost of security and losses. Companies will in theory spend money on security until each dollar spent mitigates less than a dollar in losses, then stop.

            The trick, of course, is making sure companies estimate their risk properly and don't just screw everyone over by underspending on security and then going bankrupt when hacked. Mandatory liability insurance could help with that, since insurance companies basically exist to assess risk in something like a realistic fashion.

            • Godel_unicode 9 years ago

              So you think that startups with hockey-stick growth should have to design systems which are impervious to extremely sophisticated criminals? That seems unlikely.

              Edit: also, the main risk here is password reuse. How is Yahoo supposed to estimate that, and why are they on the hook for users' bad security practices?

              • mikeash 9 years ago

                I'm not sure how "mandatory liability insurance" gets translated into "have to design systems which are impervious."

                • cwillu 9 years ago

                  You're forced to spend money to mitigate losses. If you can do something to decrease the losses, or the likelihood of suffering one, then the insurance will cost less.

                  • mikeash 9 years ago

                    Right, so your spending will increase up to the point where your ROI is 1:1, then you'll stop. That point will be long before you reach imperviousness.
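The "spend until ROI is 1:1, then stop" argument in this exchange, and the liability question behind it, can be made concrete with a toy cost model. This is an added example, not code from any commenter: it assumes (constructed, not from the page) that a breach is a single event costing everyone `LOSS` dollars, that annual breach probability decays with security spend as `P0 * exp(-spend / K)`, and that the company only bears a fraction `share` of the loss (the rest lands on users). The company minimises its own cost, so its optimal spend is where the next dollar avoids exactly one dollar of company-borne loss; lowering `share` moves that stopping point earlier and raises the total (company plus users) cost.

```python
"""Toy model of the "spend until ROI hits 1:1" argument.

Added example, not from any commenter. All parameters below are constructed
assumptions: a breach is one event with loss LOSS, breach probability falls
exponentially with spend, and the company bears only `share` of LOSS.
"""
import math

P0 = 0.5             # annual breach probability with zero security spend (constructed)
K = 200_000.0        # dollars of spend that cut breach probability by a factor of e (constructed)
LOSS = 10_000_000.0  # total loss to company plus users if a breach happens (constructed)


def breach_probability(spend: float) -> float:
    """Annual breach probability as a function of security spend (assumed shape)."""
    return P0 * math.exp(-spend / K)


def expected_cost(spend: float, share: float, loss: float = LOSS) -> float:
    """Cost as the company sees it: its spend plus its share of the expected breach loss."""
    return spend + share * loss * breach_probability(spend)


def marginal_loss_reduction(spend: float, share: float, loss: float = LOSS) -> float:
    """Dollars of company-borne expected loss avoided by the next dollar of spend.

    This is -d/dspend of share * loss * breach_probability(spend).
    """
    return share * loss * P0 / K * math.exp(-spend / K)


def optimal_spend(share: float, loss: float = LOSS) -> float:
    """Spend level where the marginal avoided loss equals one dollar (ROI 1:1).

    Solving share * loss * P0 / K * exp(-s / K) = 1 gives s = K * ln(share * loss * P0 / K).
    If even the first dollar avoids less than a dollar, the rational company spends nothing.
    """
    x = share * loss * P0 / K
    if x <= 1.0:
        return 0.0
    return K * math.log(x)


def total_expected_cost(spend: float, loss: float = LOSS) -> float:
    """Social cost: spend plus the full expected loss, no matter who bears it."""
    return spend + loss * breach_probability(spend)


if __name__ == "__main__":
    # Compare a fully liable company with one that externalises 90% of the loss.
    for share in (1.0, 0.1, 0.01):
        s = optimal_spend(share)
        print(f"share={share:<5} spend={s:>12,.0f}  p(breach)={breach_probability(s):.3f}"
              f"  total cost={total_expected_cost(s):>12,.0f}")
```

With these constructed numbers a fully liable company spends about $644k and drives breach probability to 2%; a company bearing only 10% of the loss stops at about $183k and leaves a 20% breach probability, and one bearing 1% spends nothing at all, even though the total cost to everyone is lowest under full liability. That is the externality petertodd and Bartweiss describe, in arithmetic.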

          • pfranz 9 years ago

            Companies seem to hold on to extra data because, "why not?" Previously, they were limited by sorting and storing physical documents. Let's say you changed your address. In the past I imagine most companies would update their file (discarding the old address, because that would cause confusion) and nowadays I can see companies keeping the old one around because it might be useful later.

            I would like a scenario where companies choose not to store data not immediately useful to them. They already have incentives to store old data (it's cheap, audits, monetizing later, direct advertising, etc). The best tool I can think of is liability.

            I don't think the balance between companies and individuals is always equal. If I want to sign up for cable TV I have to agree to their contract (I don't get to negotiate terms), which commonly includes: giving them your birthdate or social security number, giving up the ability to sue by agreeing to arbitration, agreeing to a 12 month contract, etc. Yes, I'm not forced to agree to that contract and can go without cable (and I can see why they need much of that info--at least upfront), but the limited alternatives (and less-than-diligent consumers) allow companies to add creepy data collection without much pushback.

          • wtallis 9 years ago

            Is it also your position that the current legal standards for what constitutes negligence when handling customer information are appropriate?

      • arcticfox 9 years ago

        Yes, we are lamenting the situation. There is no incentive for companies to go beyond the rather lame line of duty. So we're left with an industry full of holes.

      • WalterBright 9 years ago

        A guarantee does not say something will not happen. It says if it does happen, recompense will be provided.

  • raesene6 9 years ago

    Consider many other product markets, when there is a defect in someone's product there are legal remedies. These are in place to provide an incentive for companies to do something they otherwise would not.

    Examples of this would be food safety legislation, fire safety legislation, building regulations etc. In all those cases it was considered a good thing (by society) to implement laws to make companies take these things into account.

    IT in general lacks this kind of legislation, and as a result companies unsurprisingly make commercial decisions not to improve security where they feel it would cost a lot of money to do so.

    The problem comes in the negative externality, the company with bad security isn't the company that takes the loss, similar to the negative externality that the person who made a weak bridge likely doesn't die when it collapses.

    So a logical argument might be to use legislation to fix this externality and make it a better decision for companies to improve their security...

  • edc117 9 years ago

    Because attacks in software are always getting better, not worse. If it's a smaller company it's a shame - many of them simply don't have the resources to dedicate to properly hardening themselves against attack, and it can destroy their company.

    Places like Yahoo have no such excuse.

    • bsenftner 9 years ago

      I ran an unsuccessful game service for a while, and due to the nature of our product (custom 3D characters) we suspected to receive and did receive an incredible number of hack attempts for a pretty much unknown web service. Expecting the issue, we got a US $20K SonicWall hardware firewall of the class used by banks. Best investment ever. On four separate occasions we had DoS attacks that the SonicWall shrugged off without a sweat. Typically, we'd see 100-300 actual hack attempts per day for this unknown service. To handle this, what it takes is being serious, and listening to and following your security experts' guidance without cutting corners. They are aware security is expensive and have already mentally scaled their recommendations to a balance between what they think you can afford and the security you'll need. Go with their recommendation - they are the experts.

      • vosper 9 years ago

        Are you conflating DoS (something a firewall can deal with) with the kind of hacking that can penetrate a system? I'm not sure a firewall can do anything about (for example) SQL injection.

        • nickpsecurity 9 years ago

          I think the commenter is describing his company's operation, what attacks they were facing, and that listening to advice countered them. The commenter doesn't mention SQL injection or claim his case applies to anything else. Instead, he merely points out that listening to professionals who understand the risks of your technology and following their advice can prevent problems caused by those risks. That was my take.

          • paulddraper 9 years ago

            The difference being -- it's easy to pay somebody else enough to get rid of DoS attacks for you, and you never have to think about it.

            Penetration isn't quite as easy.

            • nickpsecurity 9 years ago

              I pointed out here...

              https://news.ycombinator.com/item?id=12566098

              ...that a few, inexpensive practices stop almost all the common methods currently. There are also frameworks and stacks that immunize web applications against common ones with little to no effort by developers. These fit the parent's claim where you just follow basic security advice with available tools for each category to stop many attacks.

              Now, that's not going to cover everything. A dedicated, professional attacker or team targeting your individual business might break past it all. Most breaches we see, though, are companies not doing the basics.

              • paulddraper 9 years ago

                From your points:

                > Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APT's in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPN's by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely cost anything.

                That's a lot more invasive ongoing work than "add piece of hardware", or "add this DNS record".

                • nickpsecurity 9 years ago

                  Add this whitelisting software with your main apps on the list. Install updates when available by clicking update. Done for 75% of it. Your admin using an OpenBSD or Linux install instead of something else for the backend is invisible to you. The developers writing apps with one framework or library use a different one. I'm not seeing this invasive nature of easy stuff. Straightforward.

                  Seems more do given the number of companies with 1-5 IT people that do stuff like this. They just care, Google tech X plus security/hardening guide, and follow the advice. Apply patches, check logs on occasion. A little less apathy goes a long way.

            • vosper 9 years ago

              Thanks - that's what I was getting at.

        • snowwrestler 9 years ago

          I'm not familiar with Sonicwall specifically, but a packet-inspecting web app firewall can indeed do something about SQL injections, obvious ones anyway.

    • monksy 9 years ago

      > don't have the resources to dedicate to properly hardening themselves against attack

      FTFY: Don't want to consider having the resources to dedicate to properly hardening themselves against attack

  • mhurron 9 years ago

    So what's so special about doors in Germany?

  • thaumasiotes 9 years ago

    > Why is that "sad"? Nature has gone the same path. We have basic defenses that are "on" all the time (passive immune system - nonspecific), and we have an adaptive response that reacts to what actually happens to us

    While it's true that nature has taken the same path for the same reasons, I don't think I'd have to look very hard for people to agree that the fact that people fall ill, sometimes seriously so, is "sad".

  • emodendroket 9 years ago

    Because there are significant external costs that the entities sloppily handling records don't have to pay but the rest of us do. Presumably that's the reference they had in mind when they referred to the "Ford Pinto formula," since it's unlikely customers would have agreed that it was better to have cars that had some risk of blowing up and killing them so Ford could make more money.

    • WalterBright 9 years ago

      All products carry some risk, and all companies calculate the risk vs the cost of mitigation. It's impossible to make any product if safety trumps everything else.

      • emodendroket 9 years ago

        OK, but if it costs you tens of thousands of dollars when some bad thing happens and it costs the vendor nothing they're likely not actually making a reasonable trade-off; they're just leaving you out to dry.

  • amelius 9 years ago

    > Why is that "sad"?

    It may be sad for security researchers.

    Or for end-users who got their data breached, and aren't compensated fairly.

peterbonney 9 years ago

One reason it's true is because companies only measure actual cost, not opportunity cost. How much did it cost Yahoo to have every tech-savvy person in the world switch to Gmail because of Yahoo's lousy (and Google's excellent) security infrastructure? Where the tech-savvy go, the tech-unsavvy often follow. As they did with Gmail.

But lost revenue opportunities don't show up in the bottom line, so cost-focused managers don't think about them. And they conclude it's "cheaper" to not invest in this or that thing that their smarter competitors are doing.

"What gets measured gets managed." People think this (apocryphal) Drucker quote is advice. It is not advice. It's a warning.

  • jhanschoo 9 years ago

    Actually, it was the free space. Everyone who used Gmail didn't trust it very much and was wary about Google sharing their info, especially as it was showing ads related to your email archive.

  • richmarr 9 years ago

    Not sure I agree that it was Google and Yahoo's respective security architecture that caused people to switch, even tech-savvy people.

    • peterbonney 9 years ago

      Sure. But all the things Gmail offered were things that probably looked like lousy investments to Yahoo. Why offer more storage? Why have better spam filtering? Why have better security? It all costs money!!!

      The point is only looking at actual cost, not opportunity cost.

    • karmelapple 9 years ago

      Fully agreed. It was all about a lot of free storage space.

      • jpindar 9 years ago

        And spam. Yahoo accounts got so much spam.

        • yomly 9 years ago

          For a long while you had to configure Yahoo to actually store sent mail, otherwise once sent it was gone for good.

vfxGer 9 years ago

I am sick of seeing headlines about teenager hacker being put in jail. It's not because they are geniuses it's because of poor IT defense. The companies should be severely fined for criminal negligence.

  • saiya-jin 9 years ago

    I get what you mean, but poor defense ain't no excuse to hack the hell out of a company, neither legally nor morally. Plus I don't buy the notion that some teenager who had no clue what he was doing would harm others' livelihood (if yes, then he should go through psychiatric evaluation).

    If I don't put a 3m electric fence with automatic sentry guns around my whole hypothetical house and land, does it mean everybody is automatically invited to freely try to break in, do damage, steal my stuff or post my private and legal data online for others?

    The state should have better use for these guys, but there should definitely be punishment, not reward in any way. That's how all countries run these days.

    • thr0waway1239 9 years ago

      I am not sure the analogy is very accurate. You do not advertise your house as a place where other people can come and freely store their valuables and then take it out as they please.

      If you did, there is a name for what you have built: a bank. And you can be pretty sure people then will not have any issues with whatever security measures you take. Most of all, your cost of security installation is now covered by other people's money, which effectively gives you very precise calculations on what exactly you can and cannot spend. You are more than free to return the money and shut down shop if you feel you are in a completely unsafe neighborhood which makes your bank impossible to run at a profit.

      To stretch this point a little further, imagine you did have a bank, and your customer comes and demands to take their money out, and you say "Oops. I had just left it out here on this desk, and when I went to pee, a kid just came in and ran out with all your money. I feel bad for you, but the cost of moving the stuff back and forth between front desk and the vault would make the service unprofitable. It's not my fault, it's all these children in the neighborhood who keep pranking me".

      The lowered barriers to hacking, combined with an ever moving target for what constitutes good security, are genuine concerns. But as a company, you are expected to shoulder the burden of security as a precondition of making the claim that you provide a good service. One way or another, people actually pay you to take care of their data as part of the service.

      • posterboy 9 years ago

        > You do not advertise your house as a place where other people can come and freely store their valuables

        A house offers protection, no doubt about it and anyone but a social recluse will potentially offer it to others, although not foreigners. You are certainly not trying to say negligence would be OK as long as it concerns foreigners.

      • rodgerd 9 years ago

        > I am not sure the analogy is very accurate. You do not advertise your house as a place where other people can come and freely store their valuables and then take it out as they please.

        Your bank doesn't have weapons turrets in its physical branches, either.

    • arobertson 9 years ago

      I don't think the house analogy works. You don't keep other people's stuff at your house. If you ran a storage warehouse, I'm pretty sure your customers would expect you to have adequate security. If a customer came in through the back door of my warehouse, and told me the lock doesn't work, I wouldn't punish him. I would fix the lock.

      • ctrl-j 9 years ago

        > If a customer came in through the back door of my warehouse, and told me the lock doesn't work, I wouldn't punish him. I would fix the lock.

        And if that same customer smashed a bunch of stuff, vandalized the walls, and stole product that was being stored in the warehouse - you'd prosecute the hell out of him... and then fix the lock.

    • cmdrfred 9 years ago

      Indeed but if you don't build a fence around your swimming pool and a child wanders over and drowns that is often on you. I'd like to see some fines for negligence in examples like this. Both the attacker and the victim are at fault in my opinion.

    • M_Grey 9 years ago

      If you have a swimming pool on your property, then yes you need to fence it, and fence it well. If some kid climbs that fence and drowns in your pool, kiss that property goodbye.

      "Attractive Nuisance"

  • raverbashing 9 years ago

    Which teenager hackers?

    Yes, if the IT defenses are poor and they get in, fair enough; another one is if they get the password list and shop around.

    You're saying it like it's OK to rob the house with only one lock as opposed to the one with several locks and security cameras.

    • M_Grey 9 years ago

      More like, if you don't put locks on your doors, maybe no one should insure you and maybe the cops shouldn't waste their time when you couldn't be bothered to even take symbolic action to protect yourself.

      • Spivak 9 years ago

        How dare you! I put a note on the door that says that all unauthorized persons are forbidden from entering the house.

      • meowface 9 years ago

        This analogy fails when you consider the complexities in securing a sprawling IT architecture for a massive corporation compared to putting a lock on a door.

        Companies like Yahoo did try to secure themselves. They were just really bad at it.

        • M_Grey 9 years ago

          The point of the analogy is that casual negligence of even the most basic security procedures should have built-in consequences... for the negligent party.

          • meowface 9 years ago

            Consequences, yes. But the parent poster was suggesting the culpability should fall on the victim, not the attacker, which is just ridiculous.

            They should be fined for negligence, but that doesn't mean the attacker is somehow morally right in any way.

    • codedokode 9 years ago

      Hacking is not the same as robbing. A hacker doesn't take anything away from you, except some reputation.

      • jazzyb (OP) 9 years ago

        I don't understand the point you're trying to make. In most recent high-profile hacking cases, hackers stole customer information (including credit card numbers) from the businesses. The financial fall-out for those customers could be much worse than a physical robbery.

        • codedokode 9 years ago

          Stealing money can be robbing, I agree.

          But (this is unrelated matter) why is it possible to steal someone's money just by copying several short numbers? We have all kinds of advanced cryptography today but some payment systems still rely on transistor era technologies.

          And even worse, companies can track customers using CC numbers. That is wrong too. The shop should not get your name or other unique identifier when you just buy something with a card.

          • M_Grey 9 years ago

            They didn't steal money, they stole information which could be used to get money. What you're saying is equivalent to, "They stole the design for our car's master ignition key, but since they didn't steal an actual key or a car, no harm no foul." It's not the same as stealing a car, but it's also clearly about stealing cars.

      • raverbashing 9 years ago

        If they're taking passwords from users (and maybe even other data like credit card numbers - regardless of the security failures of the site), they are taking something from you.

        Blaming the victim is easy.

      • raesene6 9 years ago

        I'd say that depends on the hack. The hacks just for prestige aren't really that prevalent any more.

        These days it's hacking for stealing creds or money or secrets, or perhaps just putting ransomware on all the company's systems to get a bitcoin payment out of them...

        • FollowSteph3 9 years ago

          Even for prestige, is it OK for gang members to break and enter properties, even if they don't do anything, for prestige? I suspect not, so the same should apply.

      • coldcode 9 years ago

        Money, lost business, customer data are valuable things and hardly nothing.

  • a3n 9 years ago

    An uncovered and unlocked hot tub in the back yard can be seen as an "attractive nuisance." Sure, the kid trespassed by climbing over the fence, but he wouldn't have drowned if the thing had been secured.

    Sure, the hacker broke the law by hacking in, but I wouldn't have had my PII stolen if the thing had been secured.

  • taneq 9 years ago

    You wouldn't say the same about a deadbeat teenager who smashes a car window and grabs someone's purse. "It's not because they're criminal masterminds, it's because of poor car defense."

    Locks, physical and mathematical, are for the deterrence and convenience of the generally honest. Law enforcement, as an active defense, is for the deterrence of the actively attacking. At some point you're always going to have to stop turtling and build an army.

  • mtgx 9 years ago

    And I get downvoted for saying self-driving car companies should be fined significant amounts of money for both car accidents due to poor self-driving software capabilities but also for security breaches.

    What if it's "cheaper" for the car companies to let the cars crash than adopt stronger security? You may think that there's no way a recall would be worth it, but we're already seeing companies such as Tesla "fix" the issue over the air, and chances are most of the new self-driving cars will be fixed the same way, if not all.

    The only thing that would be left is the "bad PR", which may be much smaller in the future, because there won't be any recalls. If only 2 people die, and then all cars are fixed, the outrage just won't be as big as when 100 people die due to a brake malfunction, and then 5 million cars have to be recalled, impacting 5 million people (as opposed to only the families of those two in the former example) that would then personally spread the bad news.

    Also the "bad PR" doesn't seem to affect tech companies, or even retailers, or banks, all that much, so I doubt it would affect car companies that much more in the future (for the reasons I mentioned above).

    • nickpsecurity 9 years ago

      You looked at PR and outrage but not a major cost: class-action lawsuits. It's what made Pinto risk assessment so wrong.

  • wil421 9 years ago

    It's not illegal to have crappy IT but it is illegal to hack or exploit a company's computer systems.

    Just because there isn't a fence around an area that says no trespassing doesn't make it legal to walk through.

    "But they didn't have a fence and it was easy to walk into the area."

  • M_Grey 9 years ago

    All that needs to happen is for a court to define poor IT security as an "Attractive Nuisance", and just generally make companies liable for their customers' information (and more broadly if possible).

    • TheCoelacanth 9 years ago

      Doesn't the attractive nuisance doctrine only apply to children?

      • M_Grey 9 years ago

        Yes, but then, the discussion was about "teenage hackers". More broadly though, I was just trying to get the idea across using an existing bit of common law.

  • SCdF 9 years ago

    Why not both?

nickpsecurity 9 years ago

I think this article is making a decent point but with bad data. We know of many cases where the cost of insecurity drastically outweighed the cost of basic security. The most obvious is banking where no security would drain all their money. So, they combine prevention, detection, auditing, and computers hackers can't afford to keep losses manageable. Another example of putting a number on it is the Target hit that, in the last article I read, was something like $100+ million in losses. Let's not even get to the scenario where they start targeting power plants or industrial equipment whose management foolishly connected to the net.

It also helps to look at the other end: minimum cost to stop most problems. Australia's DSD said that just patching stuff and using whitelisting would've prevented 75% of so-called APT's in their country. Throw in MAC-enabled Linux, OpenBSD, sandboxed (even physically) browsers w/ NoScript, custom apps in safe languages, VPN's by default, sanest configuration by default, and so on. Residual risk gets tiny. What I just listed barely costs anything. Apathy, which the article acknowledges, is the only explanation.

A nice example was the PlayStation Network hack. I didn't expect them to spend much on security. I also didn't expect it to come down to having no firewall (they're free) in front of an Apache server that was unpatched for six months (patches are free). That this level of negligence is even legal is the main problem.

hannob 9 years ago

I wonder if one of the problems is that the focus is too much on costs.

What I see all the time in IT security is that for many people doing security means spending lots of money on products with highly questionable promises. It's very doubtful that many of the security appliances you can see at RSA or Black Hat do any good; in many cases they add additional risks. But the industry is selling a story that the more boxes you buy and put in front of your network, the better.

For a lot of companies there are very cheap things they could do to improve their security. This starts with such simple things as documenting on the webpage who outside security researchers should contact if they think they found an issue in the company's infrastructure.

So I have quite some doubts that the formula "spending more on security == better security" holds.

lagadu 9 years ago

It's sad because it's true. In 2018 the data protection EU regulation gets put into play though, which might change that partially by effectively increasing the cost of losing control of data.

marmot777 9 years ago

Everybody's probably seen this, but please, more forcing companies to internalize their externalities. More lawsuits, please. I never thought I'd say that. http://www.scmagazine.com/class-action-lawsuit-filed-against...

nathanaldensr 9 years ago

"Cheaper" is not including the full cost of compromised data. Compromises don't only affect companies' bottom lines, but also those who were compromised. The costs to individuals are undoubtedly much harder to quantify.

  • enraged_camel 9 years ago

    I totally agree, but I think in this case they are saying it's cheaper for the company, which is what really matters in this context (since they're comparing it to how much the company would pay for security).

    I mean, if the company's website gets hacked and your credit card data is stolen, then your card is charged $1,000, it's not the company that pays for it, right? You either talk to your bank to mark the purchase as fraudulent and get the charges reversed, or pay for it yourself (e.g. if it's a debit card).

    Perhaps that's the solution though: a way to directly associate fraudulent purchases with security breaches where credit card data has been stolen, and a law that requires the breached party to pay all expenses related to that fraud. That would get all major retailers scrambling to get their shit secured.

    • nathanaldensr 9 years ago

      Good point about what the article was comparing. I missed that.

      I guess I'm just sour that articles like this tend to gloss over what is often the most important impact of a security breach--the end-users' data and privacy--and instead focus on easy-to-report numbers.

  • M_Grey 9 years ago

    Solution: Make it cost the company and keep them from passing along that cost to consumers.

    • rodgerd 9 years ago

      Oh, that sounds totally reasonable. What are you going to call the government agency which reviews the industry-wide acceptable pricing to determine what is the right price for a private business to charge consumers?

  • draw_down 9 years ago

    Well, sure. I can only imagine companies are happy not to pay that cost and let customers continue to deal with it.

nmgsd 9 years ago

I'm not so sure it's cheaper. The business cost can be enormous. See the Target breach, which led to FIRING the CEO. And Yahoo, which may have their deal with Verizon at risk now due to the latest breach.

bikamonki 9 years ago

That is why as a sole dev I no longer offer full-stack solutions: clients simply do not want to pay for the hours it takes to keep their back-ends monitored and secured. Yet dynamic data is mostly inevitable in any modern web solution, so I am increasingly relying on BAAS providers. My gamble is that it should be easier/cheaper for BAAS providers to maintain a team of knowledgeable and experienced engineers to tend infrastructure that runs several back-ends. It seems like a natural step from "hey, I trust you can run my hardware, take my money" to "hey, I trust you can manage my data, take my money".

jrochkind1 9 years ago

I think it's possible the global economy literally could not take the expense of actually making everything secure.

  • raesene6 9 years ago

    Definitely not if it was implemented in a big-bang, but a more gradual approach might work.

    The counterpoint of what will the costs be if we carry on with the current level of security and drive IT systems more into everyone's lives has to be considered too.

teekert 9 years ago

Yes, you notice it when you deal with sites where bad security can be costly, like on a (bit)coin exchange (e.g. Bittrex). You get an email at every successful login, 2FA is encouraged from the start, enabling the API keys requires 2FA, Google reCAPTCHA at every login, logout as soon as you close the browser, API keys with different levels of functionality, and the API requires SHA512 hashing of the API key and API code and a time fingerprint. It's pretty refreshing, to be honest.
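The API-signing scheme described in the comment above (a secret-keyed SHA512 over the key, the request and a time value) is, in general terms, HMAC request signing with a nonce. Below is an added example, not code from the page or from Bittrex, showing both halves: the client signs the full request URI with HMAC-SHA512, and the server recomputes the MAC, compares it in constant time, and rejects replays and stale timestamps. The URL, the `apikey`/`nonce` parameter names, the time window and the credentials are constructed assumptions; Bittrex's actual wire format is not specified on the page.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed, hypothetical credentials for the example only (not real exchange keys).
API_KEY = "example-key-0123"
API_SECRET = b"example-secret-do-not-reuse"


def sign_request(url: str, params: dict, api_key: str, secret: bytes, nonce: int) -> tuple:
    """Client side: add the key and a nonce (here a unix timestamp) to the query
    string, then MAC the complete URI with HMAC-SHA512. Returns (full_uri, hex_sig)."""
    query = dict(params)
    query["apikey"] = api_key
    query["nonce"] = str(nonce)
    full_uri = f"{url}?{urlencode(sorted(query.items()))}"
    sig = hmac.new(secret, full_uri.encode(), hashlib.sha512).hexdigest()
    return full_uri, sig


class Verifier:
    """Server side: look up the secret by key, recompute the MAC over the exact URI
    received, compare in constant time, then enforce freshness (nonce within a clock
    window) and uniqueness (strictly increasing nonce per key) to block replays."""

    def __init__(self, secrets: dict, window_s: int = 30):
        self.secrets = secrets          # api_key -> secret bytes
        self.window_s = window_s        # assumed tolerance for client/server clock skew
        self.last_nonce = {}            # api_key -> highest nonce accepted so far

    def verify(self, full_uri: str, sig: str, now: int) -> bool:
        query = parse_qs(urlsplit(full_uri).query)
        try:
            api_key = query["apikey"][0]
            nonce = int(query["nonce"][0])
        except (KeyError, ValueError):
            return False
        secret = self.secrets.get(api_key)
        if secret is None:
            return False
        # Authenticate first: a tampered URI or wrong secret fails here, before any
        # per-key state is touched, so forged requests cannot burn a legitimate nonce.
        expected = hmac.new(secret, full_uri.encode(), hashlib.sha512).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False
        # Freshness: reject requests signed too far from the server's clock.
        if abs(now - nonce) > self.window_s:
            return False
        # Uniqueness: a replayed (or reordered) request reuses a nonce we already saw.
        if nonce <= self.last_nonce.get(api_key, -1):
            return False
        self.last_nonce[api_key] = nonce
        return True


def demo() -> dict:
    """Exercise the scheme against a legitimate request and four attacks."""
    verifier = Verifier({API_KEY: API_SECRET})
    url = "https://api.example.invalid/v1/account/balance"   # constructed endpoint
    now = 1_700_000_000
    results = {}

    uri, sig = sign_request(url, {"currency": "BTC"}, API_KEY, API_SECRET, now)
    results["valid"] = verifier.verify(uri, sig, now)
    # Replay: the same signed request sent again a second later.
    results["replay"] = verifier.verify(uri, sig, now + 1)
    # Tampering: parameter changed in flight, signature left as-is.
    results["tampered"] = verifier.verify(uri.replace("BTC", "ETH"), sig, now)
    # Stale: correctly signed, but with a nonce 100 s behind the server clock.
    old_uri, old_sig = sign_request(url, {"currency": "BTC"}, API_KEY, API_SECRET, now - 100)
    results["stale"] = verifier.verify(old_uri, old_sig, now)
    # Wrong secret: attacker knows the public key id but not the secret.
    bad_uri, bad_sig = sign_request(url, {"currency": "BTC"}, API_KEY, b"guess", now + 5)
    results["wrong_secret"] = verifier.verify(bad_uri, bad_sig, now + 5)
    return results


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: the MAC is verified before the nonce is recorded, so an attacker who can only forge query strings cannot invalidate a legitimate client's next nonce, and `hmac.compare_digest` avoids leaking the expected MAC through timing differences.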

  • joosters 9 years ago

    Seriously? Bitfinex was the latest, greatest bitcoin business with a security breach, and they just pushed the losses onto their customers. Bad security at bitcoin exchanges does not generally affect the company itself, but the users.

    • petertodd 9 years ago

      Volume at Bitfinex has gone _way_ down; bad security is definitely costing them in lost business. Equally, how could those losses not get pushed onto customers? They were larger than the assets the company had available.

      Bitcoin services aren't a good example here - they're very different than data breaches. If anything, they're a rare example of a case where hacks usually do lead to the destruction of the company; that Bitfinex wasn't killed immediately is an exception, not the norm.

cmurf 9 years ago

Yahoo customers are advertisers, not people with email accounts. Account holders are just a resource, and in aggregate I'm willing to bet most won't know what this hack means to them, even if they learn about it. What are the chances they lose 30% or more of this resource, users terminating their accounts? The stock price suggests the account holders don't care or have no meaningful recourse.

jbb555 9 years ago

Well physical security is the same. You could make your house entirely thief proof but nobody does because the cost isn't worth it.

hoodunit 9 years ago

Part of the issue is that legally in the U.S. a) privacy violations are usually punishable by law only if a specific non-privacy harm comes of it and b) privacy is treated as an individual right and not a societal good. If a company gets hacked and loses your credit card and bank information afaik it's punishable only if someone actually fraudulently uses the information. It's up to individuals to jointly complain about specific damages to effect changes, and for any given individual there's little incentive to make your own life difficult for vague potential benefits. Also in most cases the individual harm is quite small, even if in aggregate or viewed as a societal harm there is huge damage.

bagacrap 9 years ago

I found this to be true of securing my house. I had several break ins and the total cost (mostly repairs) was still far less than the cost of installing an alarm system, to speak nothing of paying for police response to false alarms.

rbc 9 years ago

I think a lot of these problems could be nipped in the bud by more aggressive code auditing and patch management. It's better to start with fewer zero-day vulnerabilities. Once the zero-day exploits are out there, you have to act to mitigate them. Another way to think about it is to compare it to home construction.

You have to use good building materials to start. After the house is built, you get into the decision cycle of maintaining, repairing or replacing the home.

sandworm101 9 years ago

Sadder reality: This principle has been extended by many CEOs to justify not doing any security. The OP speaks of the costs of running a top-notch system. That's expensive. But please do something. Something more than just relying on your head of IT and your web designer. Read the Ashley Madison report by the Canadian privacy commissioner. A supposed unicorn, and they were doing nothing.

sabujp 9 years ago

Has your identity been stolen? If so, were you able to determine if a large-scale hack was the cause of that? Then were you able to go back and sue that company for your losses? You probably don't even have much recourse, i.e. it's cheaper for you to try to fix your own stolen identity issue than to sue the company that got hacked for remuneration.

devonkim 9 years ago

All we have to know to see that it really doesn't matter to the business world, despite all the drama in corporate IT over security (if that), is that Apple, Target, and Home Depot are having great quarters after their security breaches, so any consumer backlash is materially ineffective even if people do care: not enough care.

josaka 9 years ago

This may change as the plaintiff's bar gets more sophisticated. Many probably remember the Home Depot data breach a few years ago. The card issuers brought a class action against HD and the complaint (under MDL No. 14-02583-TWT) reads like a nice treatise on causes of action in various states implicated by a breach.

emodendroket 9 years ago

I feel like a lot of our problems would go away if companies faced penalties with teeth for losing customer information.

tlogan 9 years ago

Now people ask why Oracle is still around? And this is the answer.

At least companies have somebody (with $$) to sue when security breach happens.

I'm really confused with following: 1) people want free services and 2) people want extra security

The above is like getting a free home security system and then complaining about how the alarm does not work consistently.

jdc0589 9 years ago

Unless you work in an industry that deals with fairly private and regulated data, but aren't a huge company with tons and tons of cash to burn. Then you are horrendously screwed.

The hardened security infrastructure is still extremely expensive to implement and maintain. You can't just deal with breaches because the fines (straight from Uncle Sam) can be huge relative to your profits. Even if the fines weren't bad enough at face value, you aren't a huge corporate giant, so customer churn after a bad enough breach is going to be worse than it would be for a bigger/older company. You are also paying large insurance premiums that don't even fully cover the fallout of a potential breach.

lgleason 9 years ago

It's actually the tip of the iceberg. Given that there is no standard of care and that there is no barrier to entry to being a software developer, there are a lot of things that are poorly done in this industry. Security is just one of them. With that being said, I've seen a lot of security people go overboard with security and not take the other factors into account, e.g. security people trying to prevent the CEO from having access to resources, or adding in policies that cost more to implement than the cost of the threat, etc.

pjmlp 9 years ago

You see this in users as well.

I don't monitor the Apple forums nowadays, but it was common in the early switcher days to have people asking how to disable UNIX security and make it work just like Windows 9x.

KirinDave 9 years ago

Unleeeeessssss you are a bank.

The costs of intrusions against financial institutions are seldom fully understood by people outside the industry but represent a lot of ongoing costs.

cowardlydragon 9 years ago

What's even worse?

A mountain of bureaucracy that slows down everything as much as if you had strong defenses, but is effectively as weak as bad security.

Raphmedia 9 years ago

"Oh, we just leaked the passwords of 300,000 of our users? Too bad. Let's make a tongue-in-cheek apology on Twitter and move on!"

omouse 9 years ago

Time to start class-action lawsuits and force IT companies to at least buy insurance.
