
Everyone's security is awful, as the penalty for failure is less than the expense required to make it secure. Until the former becomes higher, the latter will guarantee insecurity rules.



Everyone always talks about making penalties more severe for data leaks. I have to wonder what the consequences of that would be. Bankrupting your competitor might become as easy as paying a few bitcoins to a foreign mercenary.

I think better security and encryption protocols need to be developed that mitigate the severity of a single leak. Without more compartmentalization of data and more control put into the hands of users, leaks of these massive, unencrypted databases appear inevitable.


> Bankrupting your competitor might become as easy as paying a few bitcoins to a foreign mercenary.

This would result in insurance policies to guarantee against that outcome. Those policies in turn would introduce both costs and practices across industries that would improve the security of all the insured (and indirectly, their customers).

Unlike hiring a Rainmaker to look nice for the C-suite, imposing these costs would make sure that there are effective mitigations. Just like safety matters for your car, it would start to matter for your software.


> This would result in insurance policies to guarantee against that outcome. Those policies in turn would introduce both costs and practices

Equifax had over $100mm of cybersecurity insurance coverage [1]. The breach cost them over $2bn, including fines. This isn't purely a motivation problem.

[1] https://www.bizjournals.com/atlanta/news/2020/02/13/equifax-...


Does the basic security scanning the hacker was doing cost hundreds of millions for big companies? Because that's the fines some big companies are getting:

https://www.csoonline.com/article/3410278/the-biggest-data-b...

or at least tens of millions in the EU thanks to GDPR:

https://www.enforcementtracker.com/

We understand it's nothing compared to their profits, but is it nothing compared to the cost of basic security?


Equifax agreed to pay 600 million, but still saw profits up 20% for the year... Sure, they could have made 600 million MORE in profit, but that's still just 15% of their profits for the year... Sure, they'll spend a few million in the area they need to shore up one time and wait for the next incident... It's just good for business... Invest enough to keep these incidents down to one every 5 years, pay fine, repeat.


Scanning is pretty inexpensive. Maintaining a complex system that passes the scans? That's something different altogether.

If I take a clunker to a mechanic, how much will it cost me to hear everything that needs fixing? About $150. But actually performing the fixes? One order of magnitude greater - and that's if I'm very, very lucky!



