Network Security Is a Bad Joke
The Identity Theft Resource Center (ITRC) cataloged 783 reported breaches in 2015, and calculated 177 million records exposed, at minimum. The ITRC's tallies include only those breaches made public; the actual numbers are higher.
The number of reported security breaches appears to be growing every year, though it's hard to tell whether it's the number of security breaches that is increasing, or if it's just that more organizations are more willing to report.
On the supply side, almost every chip design house, network equipment manufacturer and software developer builds security into its products. But the approach is not holistic; these constituencies rarely talk to each other.
That is certainly problematic for network security, but the bigger problem by far is on the user side.
Customers demonstrably do not take security seriously enough. Government agencies, banks, retailers, insurance firms, consumer electronics manufacturers and other companies all say security is a priority, but the evidence proves otherwise.
Victims on the ITRC's list include everything from local retailers to multinationals to local and national governments. Companies who specialize in network security get hacked, Juniper Networks Inc. (NYSE: JNPR) and Kaspersky Lab among them. (See Juniper to Remove Controversial Security Code and Kaspersky's blog on its attack.)
Those hacks were embarrassing simply for having occurred. Sony Corp. (NYSE: SNE)'s breach was embarrassing due to what was stolen and revealed. But the most appalling breach yet was the attack on the US Office of Personnel Management, which went undetected and ongoing for at least two years and netted somebody not only the names and addresses of nearly everyone who works for the US government (directly or indirectly), but also social security numbers, and possibly security information that might include biometic data (fingerprints, etc.).
It's understandable that a local retailer might not have the resources to fend off an attack from maladjusted brats looking to test their skills, let alone digital espionage by foreign governments, but the US government does.
Other hacking victims in the last couple of years included Home Depot, JP Morgan Chase and Anthem. They have the resources to be more secure too, if they chose to be.
But there's little incentive to make security a priority.
The average cost of a security breach globally is roughly $3.8 million, according to the Ponemon Institute, and an average of $15 million in the US. Ponemon, with funding from IBM Corp. (NYSE: IBM), has been investigating the cost of data breaches for several years. Its global report was published in May; its US report in October.
Home Depot had revenue of $83 billion and a profit of $4.7 billion in 2014. At JP Morgan Chase, the numbers were $97.9 billion and $21.8 billion, respectively. For Anthem, $73 billion and $4.4 billion. Sony pulled in $75 billion and lost $1.2 billion.
On a percentage basis, what big companies lose on data breaches each year is less than what any individual chosen at random spends on caramel latte macchiatos or Corn Nuts. It's pocket change.
JP Morgan Chase CEO Jamie Dimon vowed to spend $250 million on cybersecurity, true. That's one company. And it sounds like a lot until you do the math; it's 0.0025% of revenue. That's a lovely contract for some IT security company, no doubt, but I wouldn't be surprised to learn JP Morgan Chase budgets about as much for janitorial services.
Investors don't care about security breaches. It's hard to find a single company with stock that experienced more than a brief blip due to news of a security breach.
A typical investor comment is this from a contributor to the Motley fool writing about Target Corp. 's 2013 data breach: "Investors should not panic over the unfortunate incident. The TJX Companies suffered a similar hack in 2007, yet store sales continued to grow at a healthy pace in the quarters following the incident."
The second major hack of a single company in six years -- a company that had every reason to be on guard -- was no big deal.
I could not find a report of anyone having lost their job over a data breach in 2015, with the notable exception of US OPM director Katherine Archuleta, and she resigned.
The Internet of Things is making it worse. Nannycams got hacked by psychopaths who think it's perfectly acceptable to victimize infants and toddlers. Hackers -- friendly, thank goodness -- demonstrated the ability to take over a moving vehicle.
Some individuals are concerned about all of this, but individuals are powerless. Citizens' groups have barely any more weight. Class action suits go nowhere. The most recent was the dismissal of a suit against Michael Stores Inc. in December. As has become typical with these cases, a judge ruled that there was no evidence anyone was harmed. The Federal District Court's decision is here.
Legally, it turns out, a data breach in and of itself is of no consequence.
Many network product manufacturers will still strive to provide security, as best they can, within limits -- which include customer diffidence, resources and a lack of industry-wide coordination. Many network operators and IT system managers will continue to try to make their networks secure.
But if the consequences for a security breach are so trivial that there is minimal fiscal penalty for lax security and literally no legal liability for the breaches themselves, then security is not only a bad joke, it's going to continue to be a bad joke for the foreseeable future.
— Brian Santo, Senior Editor, Components, T&M, Light Reading