The Uncounted Costs of Insecurity

A world that runs on software is a dangerous place.

If you’re Microsoft, it’s no small matter when even a subset of the source code of your widely used operating system becomes openly available. It’s a potential hacker’s delight. That, in turn, can undermine your position in the marketplace. At some point, your best customers will just decide they can’t take the risk anymore, and they’ll become someone else’s customers (Topline).

If you’re Bank of America or another financial-services firm, you pray every day that none of your employees opens an attachment that seems to contain useful information, but instead carries a quickly spreading virus that takes down your ATM network or worse.

And if you’re not intimately familiar with your software, the risks to you as an individual can be overwhelming. Ask the Panamanian physicists now being prosecuted for manslaughter (Case Dissection). Their alleged crime? Using software in a way that was supposed to benefit their cancer patients, but wound up killing some of them instead.

To help, the Ziff Davis Media Enterprise Group has published a Special Report that appears this month in Baseline, CIO Insight and eWeek. The report provides advice on how to protect data on your network; the costs of setting up infrastructure for safely sharing information; and input from your peers on today’s most critical security issues.

Still, the true cost has gone largely uncovered, here and elsewhere. Not the basic cost of bringing your hardware, software and network connections back up after they go down; not the relatively simple calculation of the revenue you lost while your electronic systems weren’t working; not even the lost productivity of your workforce.

The most significant costs are hard to quantify: the loss of confidence in your company on the part of customers or employees, and the lingering damage to your applications and systems—costs you don’t even know about until they rear up to bite you. These are the uncounted costs of insecurity.

Take the financial-services industry, where an uncontrolled change to almost any calculation can come back to haunt a firm. When a firm changes the calculation of interest on interest-bearing checking accounts, for example, customers will react—vigorously—if the new formula even appears to be shaving cents off their dollars. Are you then going to count as a cost the resulting demands on your call center? Or the expenses that get added to your marketing budget to replace lost accounts? Or your own lost paycheck, if you have to explain this to your board of directors?

Indeed, in dealing with money, the most damage is often self-inflicted, says Frank S. Smith, vice president of network and infrastructure services for consultancy Cap Gemini Ernst & Young. In the ’80s, one Texas bank tested a large batch of its automated checks to make sure the preprinted signatures were appearing precisely where they ought to. When the test was done, the checks were to be shredded, as Smith tells it. Instead, they made their way to a loading dock. A wind, not unusual for that state, started blowing the checks out onto the street. Not a good turn of events, since these were negotiable instruments.

The point: Aftereffects of disruptions to your systems are felt way downstream, in ways you can’t possibly anticipate. If you’re taking a simple restore-the-service approach to maintenance and security, you’re going to be particularly vulnerable, not just to malicious outsiders but to clueless insiders as well. You have to outthink not just brainy cretins but dumb-as-potatoes folk on your payroll—even ones you tend to call “sir” or “madam.”

Checks blowing out on the street, though, aren’t going to bring many organizations grief. What you really should be worried about are vandals who will disrupt your data and leave no trace. Or changes to your system that go undocumented. Or errors introduced into your data when hardware crashes. Or performance that inexplicably degrades.

Because then the real costs set in. If your systems don’t work right or work slowly or don’t work at all, after a while your customers—and your best workers—are going to just walk away. You will pretend not to know why. When you finally admit you do, it will be too late.