Analysis Tech

Why do we suck at cyber security? Part III – Profit

Part III update: we’re not getting any better. You can read part II here.

Public companies have an obligation to their shareholders: increase profits. Guess what doesn’t help profits? Spending money on cyber security. It’s absolutely a risk-versus-reward situation for companies out there. Look at Equifax for example. Back in July 2017 they were breached because they failed to update various vulnerabilities in addition to not segregating sensitive information from systems that had absolutely no reason to have access to that data. What did they do after the breach? Ask for your money to protect you from identity theft. Those of us who were aware of what was going on laughed it off as more failures among the corporate giants, but many people were open to the idea of the company that just got breached protecting their identity and information.

At the end of the day, sure, the brand took a hit, but what did this breach cost them? Most people say not enough. So, does the risk end up being “worth it” from a cost perspective when it costs a company less to pay the fines and offer identity theft protection than it does to employ an effective security program? Personally, I’m concerned.

This problem obviously isn’t unique to public companies, however. Cyber security and IT departments as a whole are traditionally cost centers rather than profit centers. That is to say that it costs the organization money rather than making it. As such, it’s perfectly natural for company leadership to want to minimize these cost centers and dedicate more resources to those that are generating revenue for the firm.

However, it is critical to remember that IT makes up the backbone of any major business these days. Left unattended to and firms risk adding to the dreaded “tech debt”, which is a simple way of saying that falling behind in technology will end up costing significantly to replace or upgrade in the future. Lack of security adds to that tech debt.

What are the problems?

That said, it’s easy to blame companies for not having enough security staff, not purchasing the right security equipment, or not having an effective vulnerability remediation process, but that is not where this conversation ends. Sure, all of those are very important aspects, but there something more simple and likely a larger contributor to the issue at hand — application development. Gone are the days where security was just the responsibility of “those IT guys”; it is everyone’s responsibility starting at the lowest level. For applications, this is where profit comes back into play.

Side note: websites, such as the Equifax platform and Facebook are considered web applications. When we refer to application development, we are talking about these types of websites as well as the software that you would install.

National cyber security awareness month
Ok, so it’s not Cyber Security Awareness Month until October, but this is a good example of efforts to bring everyone into the security conversation.

Personally, I believe the application development process is one of the main reasons that the cyber threat landscape is as bad as it is today. Software (and hardware) developers are constantly being pushed to their limits to get “working” products out the door as soon as possible, with focus resting entirely on satisfying users. “Get the product out the door as quickly and as cheaply as possible”, followed by a “roger that, boss”. It’s hard to argue, until you look at the list of new vulnerabilities discovered this past year (it’s right around 20,000 for those wondering). This profit-based line of thinking forces developers to cut corners and not invest the time and effort into security measures that they damn well should be doing.

The idea of security unfortunately works directly against profit in this sense. Building or adding in security features is not cheap, nor is it quick. To reinforce the application side of things, 20% of the application vulnerabilities discovered were high or critical risk in 2018. Not a fun statistic.

The average time to resolve a discovered vulnerability is 62 days.

Does 62 days sound sustainable from a defensive perspective? I would say no. Depending on severity, it only takes one of these vulnerabilities to allow an attacker full access to the system. Now, while companies aren’t going to release the number of vulnerabilities that they currently have in their environment (nor would I expect them to), I can promise you that it’s at least a seven-digit number for many of the larger companies out there. Note that I’m not speaking of unique vulnerabilities, but just the total number spread across all applications, workstations, servers, and network equipment.

The only way this is going to change is if we all take a stand and demand that cyber security becomes a larger priority. As the consumers, our personal data is at stake. Congress has introduced S.2289, the Data Breach Prevention and Compensation Act of 2018 to attempt to address this concern, but seeing as we’re now in 2019 without getting past the “introduced” stage in the process, I can’t say that I have a lot of faith riding on this one. I’m not saying that this alone would fix the issue, but any measures holding companies more responsible for their own cyber security is a step in the right direction.


Images courtesy of Storyblocks, Pixabay, and the United States Air Force.

Please Login to comment
avatar
  Subscribe  
newest oldest most voted
Notify of
Mason
Member
Mason

Preach it Alex. You hit all the pain points for myself. All the money goes into “expense” application development, vs. hardware/firmware/security software “capital”. I cost the company money, apps make money. However, the pace of application development whether what we do internally, or subscribe too in the cloud is crazy. I remember when applications went through 1 major release a year, with a few patches, now you drop code every 3 months, and patch eternally. Take the entire breadth of cloud services, applications, and in house development, all connecting across the Internet and integrating with each other, while updates/patches drop… Read more »

georgehand
Member

I understand to a degree you IT guys’ pain in your profession, but of course I don’t feel it like yooz guys do. I see IT sec as the biggest cat-and-mouse game on the planet today, and I wonder how many times a person would have to have their saving stolen from their bank before they would resort to burying gold doubloons in their backyards.
thanks for the read, Alex.
geo sends

Mic-Mac
Member
Mic-Mac

There needs to be far greater consequences for the companies that have major consumer information breached. One year of free credit guard just doesn’t cut it when the CEO walks with a pension deal of nearly $20 million. Great article Alex. You guys sure do have a lot of stuff to deal with. I plan to spend my money before the cyber crooks get to it.

Mic-Mac
Member
Mic-Mac

Just today, March 11th I received an alert from LifeLock that a site that I was registered to had been hacked. When I receive such alerts I never click the email links, I always go direct to the Lifelock site. FitnessPal owned ny Under Armour was hacked some number of months ago in 2018 and the list is on the dark web. Under Armour is just now reporting. .

%d bloggers like this: