The first story, as reported by The Register, reports system failure as being the number one reason for the increase in data breach costs. The article reports that seven out of ten firms started using encryption after suffering a data breach and likewise 69 percent of victims strengthened perimeter controls after being compromised. In a separate story also reported by The Register, it appears that InterWorx was storing passwords in plain text in its control panel system and after having its system compromised had to change the system so as to no longer store passwords in plain text.
Both these stories highlight how some companies do not take security seriously until after they fall victim to attacks. And what’s even more tragic is that they seem to think that security is not very important. I came to this conclusion because using encryption to store passwords, and encrypting data doesn’t involve a high cost, if any cost at all.
Having a system storing passwords that are encrypted instead of in plain text might involve a little more work but that too is negligible. So if these basic security needs did not involve an added cost not added inconvenience, then why were they discarded? The only answer I could think of was they were deemed to be unnecessary.
InterWorx, for example, claim that the attack they suffered happened between February 28 and March 5. The incident was reported on March 10 by which time the company claimed that their system no longer stored passwords in plain text. So they were able to secure their system in less than 5 days; tragically only after the damage was done however.
There seems to be a prevailing philosophy that security breaches will not happen to us and therefore it’s not worth the effort to protect ourselves by preventing security breaches. Obviously this philosophy changes the second we are hit, as we then hurry to fix these minor issues and try to reassure our customers that they can rest easy and that the problem will not happen again.
As a customer what do you think? Is that enough? Or is that too little, too late?