What seems like a million years ago, when Sony Pictures got breached, some pundits were predicting that was the end of the company. I always thought that was hyperbole, but I have to admit I never went to the extreme of saying breaches are nearly harmless, which seems to be the current popular thinking.
Indeed, a financial analyst went on the Down the Security Rabbit Hole podcast and said breaches are an investment opportunity. Just buy the dip.
So, since some people are stopping just short of arguing that breaches are good for you, why should a company care? Why spend a dime on security appliances and security software and software upgrades when that money could go towards financing another share buyback instead?
I have an answer on two fronts.
On one front, I noticed something disturbing in the Fortune article I linked above: Breaches are tax-deductible. I can’t imagine that’s going to last, given that a component of breaches is often sloppy maintenance.
I know about sloppy maintenance. I own a Honda that lets me get away with sloppy maintenance most of the time. But not always. Last year I put off getting an oil change. And then I kept putting it off and putting it off, because I’m busy, you know. Then one really cold day, I was driving home from work, and I pulled into the express lanes on the Interstate and a light came on. It wasn’t my oil light–it was my check engine light. So I limped to the garage to get it checked out, and I found out the check engine light was because the car had less than a quart of oil left in it. I kept putting off a $50 problem, and it turned into a $500 problem.
I don’t get a tax deduction for my negligence, and I suspect Washington might not like giving corporations tax deductions for negligence for much longer. Taking away that tax deduction would be politically popular, and either party could find things to spend that money on rather easily. Legal requirements for companies to protect their data aren’t working, so perhaps financial incentives would work more effectively. And if they don’t, at least the victims would have something to show for it, whether it’s highways with fewer potholes or a beefed-up national defense.
The second front has everything to do with trade secrets.
Unlike some security professionals, I’ve run my own businesses. To date, I’ve never had an unprofitable year, either, while I’ve seen my competitors come and go. The reason is twofold: I know at least one thing none of them know, and I do at least one thing better than any of the rest of them do. My successful competitors can say the same thing of me, but I’m better than a lot of them at protecting my trade secrets, to the point where sometimes I can practice them right in front of them and still conceal what it is that I know that they don’t.
Finding trade secrets inside a corporate network is easy these days–just scan servers for stuff conveniently marked “Confidential.” In sufficiently advanced companies, it’s right in the metadata of Microsoft Office documents. In one limited red team engagement I participated in, I found all the confidential data on a server in a few minutes using a metadata search tool.
But there’s good stuff in e-mail too–details about forthcoming deals and stuff. That kind of information would be very valuable to sell to speculators, or, perhaps, competitors, who could then try to angle in on the action.
Right now it’s safer to steal customer data, but as it becomes more difficult to do things like file fake tax returns, inevitably the crooks will eventually go towards the trade secrets. The crooks are like anyone else–they’ll go for the safest, easiest money.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.