The real reason companies don't take security seriously: Their money isn't on the line

securitycode.jpg

Image: iStockphoto/bluebay2014

Every other day there’s yet another security breach. Yahoo’s announcement that 500 million accounts had been compromised is the most recent, and largest, but even that can barely raise more than a yawn from investors. The reason, according to professors Shiva Rajgopal (Columbia Business School) and Suraj Srinivasan (Harvard Business School), is that a gaping chasm exists between the costs of security breaches and the amount a company’s investors must pay to remediate them.

In short, markets are failing to properly price security breaches, causing companies to grow lax in their security procedures.

Let them eat cake

Back to Yahoo. Despite yielding a bonanza of names, dates of birth, hashed passwords (mostly bcrypt), and security questions and answers for 500 million customers, Yahoo hasn’t really faced much backlash. Sure, Verizon used the breach as a $1 billion bargaining chip in its planned acquisition of Yahoo, but the stock market barely registered the breach, sending Yahoo shares down just 3% the day after the announcement.

SEE Yahoo confirms 500M accounts leaked in massive data breach

More about IT Security

As Rajgopal and Srinivasan calculate, that drop works out to $1.2 billion, or 3% of Yahoo’s $40 billion market cap. That’s roughly equal to the amount by which Verizon is trying to lower its bid, but it’s also a tiny amount compared to how much it costs to fix a broken account. By Ponemon Institute estimates, it costs $221 to resolve each breached account.

Granted, much of this $221 will be covered by the insurance companies, but it still indicates a wide disparity between the cost (and bother) borne by a company and its customers, and may lead to those same companies taking a comparatively casual approach to security.

The price isn’t right

If investors were made to bear the true costs of breaches, they’d flee the stocks of those companies that couldn’t get their security act together. This, in turn, would drive enterprises to invest in better security which, in turn, would benefit their customers.

SEE Over 400,000 sensitive healthcare records leaked on the Dark Web

Rajgopal and Srinivasan suggest that improved technology and other mechanisms could help limit the impact or incidence of data breaches, but the easiest solution to the problem is simply to find ways to make those investors more fully feel the financial burden of a breach. Until we do, companies will effectively keep passing the burden of breaches on to the people least able to bear them: You and me.

Also see