
Well, sometimes they're right. The hit company will likely call in some consultancy to institute a bunch of newer and better security protocols, then call it a day. If they really aren't hit again for another decade and staffing a department would cost $500k a year or more, were they wrong?

It's a gamble. It's easy to point fingers at the company that was caught out, but for the hundreds or thousands that aren't ransomed and aren't paying the extra money for security, they took that gamble and so far they've come out ahead not having spent all that money on prevention.

I'm not advocating that these companies have less security or not do better on security, but the fact is a lot of them have made the objectively correct decision for themselves, which will continue to be correct right up until they're hit, if they ever are. The whole situation is analogous to health insurance in a way, and the same incentives are at play, along with similar consequences for individual companies and all of us as a whole, as providing easy targets for these groups allows them to thrive and grow and target others.




They paid $5 million, if "it was cheaper for them," that's solid math that ignores some really important stuff though, LOL. What is the externalized cost of this crisis on the entire country? The $5 million dollar ransom is a worse deal if you can convince your board to consider that externality.

The criminal penalties for executives in leadership and board positions (and I'm not saying this is my preferred approach) would certainly go a long way toward changing the calculus of this exchange.


> What is the externalized cost of this crisis on the entire country?

One natural solution would be to subsidize cyberdefense. The political difficulty is that a rational subsidy would be proportional to the harm of an attack, which would mean giving the most money to the biggest corporations.

The best solution would be for the firm to raise their prices the very small amount necessary to cover the expense, and for consumers to tolerate the expense because they know it's worth it. But a pipeline is a natural monopoly, presumably charging a monopoly-optimal price that (correctly) assumes a populace ignorant of such concerns until it's too late.


> What is the externalized cost of this crisis on the entire country?

If a business externalizes the cost, does it matter to them?

Civil penalties levied by regulators will drive the change that matters.


> If a business externalizes the cost, does it matter to them?

I mean, yes? Maybe not before next quarter's revenue statement, but eventually it will have to start to matter?

If your dog goes and craps in the yard every day, you eventually have to clean it up or you will get flies in the yard, and if you have to open the door or leave the house at all then sooner or later you will have flies in the house, it matters, yes. It's really not any more complicated than that.

If you are responsible for dumping toxic waste out the back door of your factory, it's only a matter of time before it's in your drinking water at your house, a couple of miles down the road. Externalizing a problem doesn't really get rid of it, just makes it someone else's problem (for now at least.) Those other people are real people, and they will find you.


But if you're a monopoly (a competing pipeline isn't likely to spring into existence any time soon) and the courts aren't inclined to impose particularly harsh penalties, business as usual will remain your optimal moneymaking strategy.


Which is also why they need a $15-50 million dollar fine on top of this.


I'm curious about the potential legal basis for such a fine.


SOX. SOX mandates that you have reasonable controls to secure financial information and it appears they didn't. Every SOX audit I've been through has an IT security portion.



