As widely reported across the Internet, a woman has died as the result of a ransomware attack. I want to say that this drives home the importance of information security, but the reality is, this isn’t the first time someone’s life was ruined by a security breach. It might be the first time someone has died, but Stuxnet and Equifax and even Target/Home Depot/etc. have had a profound impact on the safety and well-being of actual real human lives.
There are no consequences for a major corporation having a major security breach. Target’s stock was trading at $63/share on Dec 31st 2013 (just before they announced the breach). They finished the 2014 year on Dec 31st trading at $75/share, after losing the financial information of 100 million customers. Same thing with Home Depot: on August 29th 2014 they were trading at $93; they announced their breach in September 2014, and in October 2014 their stock was up to $97/share. This came on the heels of Home Depot’s executive staff saying they’re only looking for C-level security, indicating they’re not looking for an A or B grade in this class.
In August 2017 Equifax was trading at $142/share. In September they announced they had lost the personal information of around 150 million people. Their stock took a bit longer to recover, but by August 2019 (right after they settled with the US Government) they were back to $146/share, showing that their fine was nowhere near enough to discourage this from happening again. They were fined around $500 million, while Equifax made $3.5 billion the following year.
When do we start taking it seriously?
And now someone has died from a low-rent script kiddie ransomware attack. The kind of attack that happens to your mom or cousin from opening the wrong email or clicking the wrong link on Facebook. Shame on the attackers, and they should absolutely be prosecuted. That’s not a controversial statement by any stretch.
But isn’t it time to start holding organizations accountable for their abysmal security record? Right now, there is zero reason to care at all about security. Your profit isn’t going to take a hit, your reputation isn’t going to take a hit, and the only people who will be impacted are your customers who will continue shopping with you anyway.
It’s not going to change until organizations are punished enough to actually matter. Fines bigger than the cost of doing business. Criminal negligence charges against the CISO. Perp walks, and jail time. That is a controversial statement, and that is where the discussion should start. Maybe it goes too far. Maybe it doesn’t go far enough. But it’s time to have that discussion because people are dying.
But wait, there’s more!
Luckily I don’t work at a security vendor anymore so I can say this with relative safety (and even if I did work at a security vendor, these thoughts are my own and do not represent my employer)… what responsibility do security vendors hold? How many millions (billions?) of dollars does a typical corporation spend on security products and consulting and professional services, and they’re still getting hacked? Either companies are paying way too much for their products, or the products don’t actually work. Either way, there is a HUGE opening for a new security vendor to come along with an effective product/methodology that either works or at the very least doesn’t cost so much, so companies can afford to buy more layers on top.
The security marketplace is decidedly stagnant. I’m going to cover this more in the future (and I’ve covered it a bit in the past) but the security industry (both vendor and consumer) is a complete flat-line. Developers and operations engineers get cool new things like agile and devops and cloud technologies. They’re sprinting through new technology faster than ever before. But in the security space, we have… “on premise equipment… but hosted in someone else’s datacenter!”. I’m looking at Trend Micro Cloud One, I’m looking at QRadar on Cloud, I’m looking at Splunk Cloud. Legacy security technologies with a thin paint job to look “cloud”.
Right now is the worst time to be a security engineer and the best time to be in dev/ops/cloud/full-stack. This is something I want to continue to explore and I encourage everyone reading this to think about it as well (and feel free to drop me a line if you want to chat, check my About Me page).
People are dying now
The information security industry gets paid about $500 billion per year. And not only are security incidents not slowing down, they’re getting worse. People are dying now.
We need to fix this.