Network Security Is a Bad Joke

Brian Santo
1/14/2016

The Identity Theft Resource Center (ITRC) cataloged 783 reported breaches in 2015, and calculated 177 million records exposed, at minimum. The ITRC's tallies include only those breaches made public; the actual numbers are higher.

The number of reported security breaches appears to grow every year, though it's hard to tell whether the number of breaches is actually increasing or whether more organizations are simply willing to report them.

On the supply side, almost every chip design house, network equipment manufacturer and software developer builds security into its products. But the approach is not holistic; these constituencies rarely talk to each other.

That is certainly problematic for network security, but the bigger problem by far is on the user side.

Customers demonstrably do not take security seriously enough. Government agencies, banks, retailers, insurance firms, consumer electronics manufacturers and other companies all say security is a priority, but the evidence proves otherwise.

Victims on the ITRC's list include everything from local retailers to multinationals to local and national governments. Companies that specialize in network security get hacked, Juniper Networks Inc. (NYSE: JNPR) and Kaspersky Lab among them. (See Juniper to Remove Controversial Security Code and Kaspersky's blog on its attack.)

Those hacks were embarrassing simply for having occurred. Sony Corp. (NYSE: SNE)'s breach was embarrassing because of what was stolen and revealed. But the most appalling breach yet was the attack on the US Office of Personnel Management, which went undetected for at least two years and netted somebody not only the names and addresses of nearly everyone who works for the US government (directly or indirectly), but also Social Security numbers, and possibly security-clearance information that might include biometric data (fingerprints, etc.).

It's understandable that a local retailer might not have the resources to fend off an attack from maladjusted brats looking to test their skills, let alone digital espionage by foreign governments, but the US government does.

Other hacking victims in the last couple of years included Home Depot, JP Morgan Chase and Anthem. They have the resources to be more secure too, if they chose to be.

But there's little incentive to make security a priority.

The average cost of a security breach globally is roughly $3.8 million, according to the Ponemon Institute, and an average of $15 million in the US. Ponemon, with funding from IBM Corp. (NYSE: IBM), has been investigating the cost of data breaches for several years. Its global report was published in May; its US report in October.

Home Depot had revenue of $83 billion and a profit of $4.7 billion in 2014. At JP Morgan Chase, the numbers were $97.9 billion and $21.8 billion, respectively. For Anthem, $73 billion and $4.4 billion. Sony pulled in $75 billion and lost $1.2 billion.

On a percentage basis, what big companies lose on data breaches each year is less than what any individual chosen at random spends on caramel latte macchiatos or Corn Nuts. It's pocket change.

JP Morgan Chase CEO Jamie Dimon vowed to spend $250 million on cybersecurity, true. That's one company. And it sounds like a lot until you do the math: $250 million against $97.9 billion in revenue is roughly 0.25% of revenue. That's a lovely contract for some IT security company, no doubt, but I wouldn't be surprised to learn JP Morgan Chase budgets about as much for janitorial services.

Investors don't care about security breaches. It's hard to find a single company whose stock experienced more than a brief blip on news of a security breach.

A typical investor comment is this from a contributor to the Motley Fool writing about Target Corp.'s 2013 data breach: "Investors should not panic over the unfortunate incident. The TJX Companies suffered a similar hack in 2007, yet store sales continued to grow at a healthy pace in the quarters following the incident."

A second major hack of a big retailer in six years -- a company that had every reason to be on guard -- was no big deal.

I could not find a report of anyone having lost their job over a data breach in 2015, with the notable exception of US OPM director Katherine Archuleta, and she resigned.

The Internet of Things is making it worse. Nannycams got hacked by psychopaths who think it's perfectly acceptable to victimize infants and toddlers. Hackers -- friendly, thank goodness -- demonstrated the ability to take over a moving vehicle.

Some individuals are concerned about all of this, but individuals are powerless. Citizens' groups have barely any more weight. Class action suits go nowhere. The most recent was the dismissal of a suit against Michaels Stores Inc. in December. As has become typical with these cases, the judge ruled that there was no evidence anyone had been harmed. The Federal District Court's decision is here.

Legally, it turns out, a data breach in and of itself is of no consequence.

Many network product manufacturers will still strive to provide security, as best they can, within limits -- which include customer diffidence, resources and a lack of industry-wide coordination. Many network operators and IT system managers will continue to try to make their networks secure.

But if the consequences of a security breach are so trivial that there is minimal fiscal penalty for lax security and literally no legal liability for the breaches themselves, then security is not only a bad joke, it's going to continue to be a bad joke for the foreseeable future.

— Brian Santo, Senior Editor, Components, T&M, Light Reading

Comments (2)

DHagar
1/14/2016 | 10:37:18 PM
Re: Truth and consequence
msilbey, I believe you are correct about the minimal consumer awareness or their ability to control their data on networks. I further believe that the average consumer does not realize how vulnerable and exposed their data is. I believe if, and hopefully it won't happen, there were more "personal impact" experiences with security breaches on consumers' personal data that impact credit, health and security, they would be believers.

I believe Brian raises excellent points and effectively profiles the reality of the state of network security.  I fully agree that investors and big business need to make network security a "sustainability" issue and bear responsibility for the networks they own and operate.
msilbey
1/14/2016 | 2:29:20 PM
Truth and consequence
The consequences may be low for big companies, but it's also hard to get consumers to be proactive even when the potential for personal disaster is real. There's not much most of us can do if someone hacks our information from a third-party database, but we can be smarter about things like our own password policies and the use of public WiFi. Unfortunately, as with home security, it's hard to be motivated until something really bad occurs.