by CIO Staff

Financial Penalties for Security Breaches Will Promote Change

Mar 01, 2007 | 3 mins

Washington Bureau Chief Allan Holmes’s “Mid-Market Companies Increasingly Attacked by Online Crooks” is a creepy story about how the bad guys increasingly are targeting resource-strapped mid-market companies for their hacks and scams. In other words, the view from the security window is growing darker for every enterprise, big, small and in-between.

This won’t come as a surprise to anyone who pays even the slightest attention to security issues. When has there ever been any good news? When have you ever read that the forces of evil are on the run, that the good guys are gaining the upper hand, that the Internet is becoming a more, not less, secure place to do business?

Holmes points out that the situation is particularly dire in the mid-market where, citing our 2006 “Global State of Information Security” survey, he notes that “about 43 percent of mid-market companies have annual security budgets below $100,000,” which ain’t, all things considered, a lot. His story goes on to offer tips on what mid-market CIOs can do to shore up security given their limited budgets.

But the truth, as evidenced by January’s revelation that big-market retailer TJX was hacked, is that the security situation is dire everywhere. As Holmes reports in CIO’s “Information Collective” blog, “more than 100 million identities have been stolen or exposed since February 2005.”

So is there any good news on the horizon, any indication that this endless parade of breaches can be halted or even slowed?

Ironically, the TJX hack is the good news. Several Massachusetts banks have been able to link fraudulent credit card purchases directly to the TJX breach—the first time this has happened. And why is that good? Because once losses can be linked to specific breaches, lawsuits can be filed claiming damages. And once lawsuits are filed, the ROI of investing in security suddenly becomes blindingly obvious.

It’s like in the NBA. In order for a team to improve, first it has to get really bad so that it gets a shot at a game-changing draft pick. In order for security to improve, business has to suffer.

Several years ago, CSO Senior Editor Scott Berinato wrote a story, “Finally, a Real Return on Security Spending,” in which he suggested that “the insurance industry in all likelihood will be the engine that drives the technology of security. Software vendors will be forced to fix the holes in their products in order to benefit from lower premiums.”

As long as a business feels it’s done all it can by advising customers (as TJX did) to check their credit card statements, nothing will change. But a punch in the wallet: Now that ought to focus an enterprise’s attention.