Companies apparently don’t understand the risks involved in lax online security, or even worse, decide to take their chances.
Dr. Gene Spafford, an expert in electronic security and a professor in computer science at Indiana’s Purdue University, says that Sony may not only have been using outdated security software when hackers attacked PSN, but that it also knew it had a problem months before the intrusion happened.
Speaking at a Congressional hearing on “The Threat of Data Theft to American Consumers” – the very same hearing that Sony declined to attend – Spafford said that he had seen discussions on some of the security mailing lists he read in which people who had worked on PSN reported that the servers were running old, unpatched software, without a firewall installed. He said that these people had notified Sony of the potential risk two to three months before the attack, but had seen no response, nor any update to the software. However, he made it clear that this information was only what he had seen reported and stressed that he personally didn’t have any firm details on Sony’s security measures.
Spafford said that companies and corporations often didn’t want to invest in online security as they didn’t understand the risks and costs involved in not doing so. For each compromised record, he said, a company incurred over $200 worth of costs, but added that even companies that did understand the risks involved seemed willing to play the odds. “Security is not something that returns a value,” he explained. “It’s not something that adds to the bottom line.”
While it’s true that Spafford’s comments are based on hearsay rather than any provable facts, it’s also true that it’s hearsay he was willing to bring up in front of a Congressional hearing. That might say more about Spafford than it does about the information, but it’s hard to believe that a security expert would simply believe everything he read. If what Spafford says is true, it would mean that Sony was one of the companies that decided to play the odds. Unfortunately, Sony lost, and now we all have to deal with the fallout.