Is it really cheaper to get hacked?
A few days ago, Iain Thomson published Sad reality: It's cheaper to get hacked than build strong IT defenses on The Register, which explains why it's cheaper to get hacked and accept the consequences rather than invest in information security based on a study by the RAND Corporation published in the Journal of Cybersecurity. This article triggers a reflection among security professionals on whether security is still relevant, as its return on investment seems to be negative. However, it turns out that security is still very relevant because data breaches that leak customer data are only one part of the larger security picture.
It's true that, so far, hacks have barely affected the stock value of companies, as Elena Kvochko and Rajiv Pant explained in their article on Harvard Business Review, and as can be seen in the image below following Yahoo's announcement of the data breach that leaked more than 500 million accounts, the biggest known data breach in history. Nevertheless, data breaches have impacts that go beyond stock price fluctuations, as discussed in this article.
Figure 1: Yahoo Stock from Yahoo Finance between August 30th and September 28th. The publication regarding the hack was on September 22nd, which caused a slight dip in stock value, but it returned to its previous level within one week.
One example is the dating website Ashley Madison, whose slogan is "Life is short. Have an affair." It experienced an epic data breach. According to the message the hacker(s) left with the leak, the breached data included not only customer data but also source code repositories, emails, and financial records. The most significant revelation from this breach, however, was the scam uncovered during the analysis of the data.
Ashley Madison used chatbots to lure cheaters and then threatened to expose them when they complained, and it had very few registered women. According to Business Insider, "(...) only 1,492 of the women in the database had ever opened their inboxes to check their messages on the site. That's compared with more than 20 million men (...)".
The point of this example is that it's fundamentally different to have your data stolen than to realize that you were scammed. People seem to tolerate data breaches (Twitter and LinkedIn were breached, yet users are still using their services), but when they feel betrayed, it's a different story.
In this case, I could argue that the "source code" and everything related to the website's "inner workings" should be classified as more sensitive than customer data, as the breach impact is greater. Therefore, when we talk about a data breach, it really depends on the type of data that was leaked.
However, despite this betrayal from a customer perspective, Ashley Madison is confident in its comeback and claims that more users have signed up even after the scandal. Without independent confirmation, it's hard to tell whether this is genuine or merely a marketing announcement to protect the brand. According to Marketing Week's post, they are also pivoting their business model.
Without delving into the ramifications of the hack, including the resignation of the CEO, bad press, and more, there is no denying that cyberattacks have a cost. The key is to size your defenses so that they cost less than the attacks they prevent, a cost which varies with the type of data at stake. This concept is known as "Risk Acceptance": security professionals are taught it, and, once aligned with senior management, it is used to define the organization's risk appetite.
In conclusion, regarding the RAND Corporation publication, Bruce Schneier commented as follows:
(...) The way to look at this is not to conclude that cybersecurity isn't really a problem, but instead that there is a significant market failure that governments need to address.