Security is like insurance

Insurance and cybersecurity, the parallels are clear

shaane syed / 10.31.17

It’d be awfully nice not to need car insurance. Or homeowners insurance. Or fire insurance. These added expenses don’t increase the value of your car or home, and there’s a good chance you’ll never use them. The money you pour into insurance is arguably even being frittered away, of better used spent on investments or property improvements. You haven’t been in a car accident in ten years. Wouldn’t it have been better to put that money towards something else?

That question is clearly ludicrous. Insurance is a necessity you hope is never actually necessary since its use arises from an accident or catastrophe. The potential for crippling financial burden that you’d face minus insurance makes paying for it worthwhile. The minute you cancel your car insurance you could find yourself in an accident whose costs dwarf the total amount of money you’ve previously put in. The risk is too great.

Information security is similar to insurance in that having no (or weak) security is an incredible risk. Considering the massive damage that could hit your company following a data breach, it’s always worth investing resources in ensuring you never face one. But since security doesn’t seem all that valuable until the moment you’re breached, it can be tempting to invest security expenditures elsewhere.

For that reason, maybe you disagree about how severely your company would be harmed by a breach. If so, you wouldn’t be alone. Back in 2014, Home Depot was hit by a huge breach that cost them close to $200 million just in settlement payouts to consumers and credit card providers.

This breach didn’t come out of nowhere, though. In the year before, Home Depot was hit with two smaller breaches exposing issues that, had they been dealt with, would likely have enabled them to avoid the larger breach altogether. But it’s not like they were previously ignoring security concerns out of malice– there were almost certainly just other things in the company that received precedent due to their perceived value versus making improvements to security. Home Depot was just one of many companies that were aware of the inherent security flaws found in POS systems while doing nothing about them because of the added cost to do so.

Of course, it’s possible to view all of this through the lens of moral hazard. If you lose customer credit card numbers or other sensitive data, it’s ultimately their problem. They’ll cancel their cards, spend a couple of hours on the phone jumping through hoops with their provider to get fraudulent charges removed, but your company will be fine, ultimately. It’ll cost you some money, force you to fire a few people for PR purposes, bring down profits for the year, give your lawyers something to do to justify their cost, and cause your support staff to break down crying, but that’s the cost of doing business and everything will return to normal after a bit.

And occasionally that might even be true. A company whose customers already hold them in fairly high esteem can recover quickly. Target’s breach in 2014 cost them $175 million and a quick drop in revenue, but less than a year later business had pretty much returned to normal. Terrible, but not catastrophic in the long term.

Target is unique, though, in that they have an established brand identity and a broad, loyal customer base. As a rule, 64% of customers say they’re less likely to do business with a company that lost some of their sensitive data. 50% of customers say they’re less likely even if the lost data is non-sensitive. There’s a reason why one of the only activities that brings both sides of Congress together is publicly grilling and condemning CEOs whose companies incurred massive data breaches.

Being cavalier with your data is essentially the same as being cavalier with your company, just as being cavalier with your insurance is essentially being cavalier with your life. If you didn’t have car insurance, you’d likely get through a major accident, but the damage would be felt for years after. You wouldn’t take that risk in your daily life, so don’t take that risk with your business.