7 comments

That number seems a bit low to me.

[–] PMYA [OP] 2 points (+2|-0)

It is, no doubt. A better title may be "26% of Companies Admit They Ignore Security Bugs Because They Don’t Have the Time to Fix Them".

This is the part that stood out to me the most:

35% said that even if they were to hire penetration testing services they were sure the pen-testers wouldn’t expose any new risks or flaws

This is complete bullshit. I bet the rate of success these security companies have at breaking in is in the high nineties.

[–] CDanger 1 points (+1|-0)

Or because they have seen from the numerous breaches and security incompetence that there are no major consequences from their mistakes. Compliance and proper security costs money and most of the time shows no obvious benefit.

Just issue some press releases saying you take security seriously and say you're cooperating with law enforcement to find the responsible parties. In a few weeks/months people will completely forget after they hear about the next breaches.

Security can be solved. Simply make the consequences from breaches too large to ignore. Award $100 every time a customer has data that leaks. I guarantee you security will be taken seriously then. This will of course never be implemented because corporations buy out politicians, and this serves the interests of the people, not them.

[–] PMYA [OP] 1 points (+1|-0)

Award $100 every time a customer has data that leaks

We actually changed our laws in the UK recently regarding this. Companies can be fined up to 4% of their annual profit or up to £17 million (I think that was the figure, can't recall) for user data being leaked or stolen if the company is found to be liable in any way.

[–] CDanger 1 points (+1|-0)

That's a start. Percentage fines or fines that scale by the number of victims (without a cap) seem like the only thing that would actually carry real consequences. 17m quid to a company like HSBC is nothing. It has to be an existential threat to the company.

In any case, I'll be curious to see how that works out in the UK.

[–] PMYA [OP] 1 points (+1|-0)

It is nothing to large companies, but as far as I can tell, there is nothing that would stop a company from being fined multiple times for the mishandling of each person's data. I doubt there will ever be a case where a company is fined millions for each person's data being stolen, but it does mean that 17 million is not technically the cap.