Let’s face it. Security is a hard sell. The customer buys a strong product, implements and supports it correctly, and if all goes according to plan… nothing happens. The fact that nothing bad happens either is critical, of course, but reporting that there’s no bad news doesn’t exactly instill enthusiasm in the boardroom or generate promotions.
Apple and VTech: A Study in Contrasts
The contrast between the two companies’ stories is interesting. On the one hand, you have a company in Apple that has invested significant effort and resources in order to establish strong controls and privacy through the use of encryption. Then the US government asks for the creation of a backdoor that will undoubtedly weaken security, and diminish the value of Apple’s investments.
On the other hand, you have a company in VTech that by most accounts didn’t invest much in security to begin with, failing to encrypt data and placing weak protections around passwords. Not surprisingly, they get hacked, and their response is to do what they can to protect themselves from any responsibility in the event of future breaches.
Since the FBI found an alternative path to gain access to the iPhone in question, we will have to wait for the FBI to find another high-visibility case with which to try to set a precedent. However, I’m just as concerned about the precedent that the case of VTech may set. If the company’s new terms and conditions effectively shield it from any recourse by customers whose data gets stolen, what’s the moral of the story for business executives? Why even try to invest time and money in robust security, if you can waive any responsibility for the customer data you’re managing?
VTech and the Economics of Security
Fundamentally, security investments are business decisions. Decision makers have to assign a cost to the business’ risk, and then use that figure to determine what level of security investment makes financial sense. Organizations like the FAIR Institute and The Open Group have established detailed frameworks for making security investments and decisions based on objective calculations of risk. When calculating the risk associated with a data breach, a big part of the cost is the specter of a civil suit, which entails not only a potential judgment or settlement amount, but also significant legal costs and the continued negative publicity associated with a civil case. If businesses can effectively block their exposure to civil suits stemming from data breaches, the calculated risk gets reduced. That means the investment that the calculation justifies gets reduced too, and more breaches will inevitably follow.
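To make the economic argument concrete, here is an added, constructed example (not from the original post, and not the FAIR Institute’s or The Open Group’s own method or tooling) that decomposes a breach scenario FAIR-style into loss event frequency and loss magnitude, where the magnitude includes the civil-suit components named above: judgment or settlement, legal costs, and negative publicity. It computes the annualized loss expectancy with and without civil-suit exposure, and then the largest annual control budget that still pays for itself. All dollar figures and the 20%-per-year breach frequency are invented for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class LossScenario:
    """A single breach scenario decomposed FAIR-style. All values are constructed."""
    loss_event_frequency: float    # expected breach events per year
    primary_loss: float            # response, notification and remediation per event
    judgment_or_settlement: float  # civil-suit outcome per event
    legal_costs: float             # litigation cost per event
    publicity_loss: float          # lost business from negative coverage per event


def loss_magnitude(s: LossScenario, civil_suit_exposure: bool = True) -> float:
    """Cost of one breach event. The suit-related components only count when
    the business remains liable to its customers (no effective waiver)."""
    secondary = s.publicity_loss
    if civil_suit_exposure:
        secondary += s.judgment_or_settlement + s.legal_costs
    return s.primary_loss + secondary


def annualized_loss_expectancy(s: LossScenario, civil_suit_exposure: bool = True) -> float:
    """ALE = loss event frequency x loss magnitude."""
    return s.loss_event_frequency * loss_magnitude(s, civil_suit_exposure)


def max_justified_spend(s: LossScenario, frequency_reduction: float,
                        civil_suit_exposure: bool = True) -> float:
    """Largest annual control cost that pays for itself: the ALE a control
    removes when it cuts breach frequency by `frequency_reduction` (0..1)."""
    before = annualized_loss_expectancy(s, civil_suit_exposure)
    after = (s.loss_event_frequency * (1.0 - frequency_reduction)
             * loss_magnitude(s, civil_suit_exposure))
    return before - after


def control_is_worthwhile(s: LossScenario, annual_control_cost: float,
                          frequency_reduction: float,
                          civil_suit_exposure: bool = True) -> bool:
    """True when the control's annual cost is below the ALE it eliminates."""
    return annual_control_cost < max_justified_spend(s, frequency_reduction,
                                                     civil_suit_exposure)


# Constructed scenario: one breach every five years on average, with the
# civil-suit pieces dominating the per-event loss.
SAMPLE = LossScenario(
    loss_event_frequency=0.2,
    primary_loss=500_000.0,
    judgment_or_settlement=3_000_000.0,
    legal_costs=1_000_000.0,
    publicity_loss=1_500_000.0,
)


def compare_exposure(s: LossScenario, annual_control_cost: float,
                     frequency_reduction: float) -> dict:
    """Side-by-side view of the same control decision with and without
    civil-suit exposure, which is what a liability waiver changes."""
    return {
        "ale_with_suits": annualized_loss_expectancy(s, True),
        "ale_without_suits": annualized_loss_expectancy(s, False),
        "justified_with_suits": max_justified_spend(s, frequency_reduction, True),
        "justified_without_suits": max_justified_spend(s, frequency_reduction, False),
        "worthwhile_with_suits": control_is_worthwhile(
            s, annual_control_cost, frequency_reduction, True),
        "worthwhile_without_suits": control_is_worthwhile(
            s, annual_control_cost, frequency_reduction, False),
    }


if __name__ == "__main__":
    # A control costing $400k/year that halves breach frequency.
    for key, value in compare_exposure(SAMPLE, 400_000.0, 0.5).items():
        print(f"{key:>26}: {value}")
```

With these numbers the same control is justified while the business remains exposed to suits (it removes $600k of annual expected loss against a $400k cost) and rejected once that exposure is waived (it removes only $200k). The model is deliberately simple: a real FAIR analysis would use ranges and simulation rather than point estimates, but the direction of the effect is the same.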