Why large companies don't invest in security

Data breaches are currently embarrassing but not crippling. But major data breaches will destroy companies once instant anonymous digital transactions become mainstream.

Image: "Winter is coming" (Photo: Nathan Csonka Photography, some rights reserved)

1. Even the largest company data breaches to date have been relatively minor. No, really.

The scale of the data breaches listed in the following infographic is shocking. Hundreds of millions of users have been harmed by major data breaches over the last 10 years:

Image: Data breaches (Business Insider; the original interactive version was created by Information is Beautiful)

However, the large organisations listed in this infographic have shrugged off these breaches and are still running. A few senior executives have been pushed out, or there have been some financial losses, but these organisations have been inconvenienced, not crippled. And third parties, such as customers whose credit card details have been exposed to the world, have been (often seriously) inconvenienced, but not financially crippled or bankrupted in large numbers.

This is going to change. And soon.

2. Companies have not prioritised security because the consequences of major security breaches have usually been relatively minor

Sony was hacked in the nastiest possible way in late 2014. But as Ben Thompson (article behind a paywall) says:

There is a serious problem when it comes to Internet security: companies and their managers are simply not incentivized to prioritize security. Putting in place real security is difficult, it’s expensive, and it’s like proving a negative when it comes to ascribing value: what is it worth to have not yet been hacked?

Sony Pictures Entertainment executive director of information security Jason Spaltro actually says so himself in this article on CIO.com:

Noncompliance is a fact of life as the list of security and privacy regulations grows. The key is knowing how to comply just enough so that you don't waste your time or bankrupt your company.

Ben Thompson called this CIO.com article "surreal" (article behind a paywall), but this attitude is actually common practice in large organisations, because paying for security, like paying for anything in organisations, requires that spending to pass a cost/benefit analysis. Organisations have (correctly) assumed to date that the worst outcome of implementing inadequate, or frankly negligent, security is that you might lose a bit of money and some of your senior executives might go. Therefore, why would those organisations spend time and money implementing quality security? It is very expensive and time-consuming to implement security measures that do not hamper the business from doing business.

The answer? Future security breaches will actually destroy some companies once anonymous digital currencies become mainstream.

3. Mainstream anonymous digital transactions will make money laundering much easier

William Gibson is a science fiction writer best known for coining the term "cyberspace". In 1982, Gibson published a short story called Burning Chrome. In that story, Gibson predicted that the rise of anonymous digital credit (such as bitcoin transactions) would change the nature and scale of crime, and result in data breaches that destroy companies. Here is a passage from Burning Chrome:

"He was fading fast, and smart money was already whispering that the edge was off his game. He needed that one big score, and soon, because he didn't know any other kind of life, and all his clocks were set for hustler's time, calibrated in risk and adrenaline and that supernal dawn calm that comes when every move's proved right and a sweet lump of someone else's credit clicks into your own account."

Gibson foresaw that the missing link that will make widespread catastrophic security breaches possible is easier money laundering.

4. And company data breaches will be catastrophic once money can be easily laundered

Let's assume that it is only a matter of time before digital currencies such as bitcoin, which can be stored and transmitted anonymously, become mainstream. These currencies, or other forms of instantaneous anonymous transactions, will at least initially operate alongside traditional currencies backed by national governments.

But once effectively unlimited money can be stored and transmitted anonymously, the nature and scale of crime will change. As Gibson points out, now that massive data breaches are commonplace, the only thing stopping massive, company destroying fraud is that it's not money that hackers steal. It's credit card details.

Credit cards can be cancelled, and money transfers can be tracked. Currently, hackers generally sell credit card numbers in blocks to criminals who use those card numbers to make small transactions, like buying electronic goods, or store gift cards. Small time criminals buy relatively cheap goods that have a resale value, and then resell those goods for cash. Criminals never make real money that way.

But when a data breach is no longer a credit card breach, hackers will target systems and companies that hold digital currency. Because in a world of instant payments, all of our money, and our customers' money, can be instantly and irretrievably stolen, taking us and our customers with it. Hackers will be able to access company systems because of existing lax company security standards. And hackers will be able to steal vast amounts of money as soon as anonymous digital currencies become mainstream.

We will soon see this play out in reality. And as implementing secure systems takes time, companies that have not invested in security may not survive.

This post originally appeared at iainmclaren.com. These opinions are mine. They are not necessarily those of my employer.