I had to take a few hours to understand your point, possibly because my coffee hadn't kicked in yet. You claim that I'm assigning blame, but really I'm just pointing out faults in systems. I'm not saying "Fire Bill Johnson!" To me, I feel like I'm arguing that assigning blame is the problem itself. For instance, you have said the exact real truth: the real blame should be on the attacker. The problem with doing this is that you then absolve yourself of any stress for any problems before the hack. Yet that doesn't change the fact that these SSNs are or will be out there, and that these people are now victims of a crime that can't really be resolved (SSN theft is pretty much the end of your credit, even with the best protection services). But with the insurance, if you get hacked, it was someone else's fault, therefore everything is perfectly fine inside your company because you haven't been targeted yet. It means you can reduce security expenditures, reduce cares, and your employees won't care as much either. It's an overall feeling that takes over the organization, not an individual or series of individuals to blame. I've worked in both environments before, and when I worked in an environment with the data insurance protection I definitely personally felt that alleviation of stress. I still tried to secure things as best as I could, but when arguing for upgrades in similar situations, even the decision-making processes were delayed on upgrading. The meetings were more sparse around the discussions and the urgency was lifted. Coworkers didn't feel the level of security responsibility that I did, and I was often cleaning up after their security messes even though they knew better and were good developers. Yet when I worked without it, I felt that stress and I felt the urgency for patching and fixing things. I can definitely say that the systems I was working on were more secure as a result of everyone being unified in the security goals across the company.
I'm not necessarily saying that data breach insurance is a bad thing, just that it also has bad things that come with the good. I would argue that a company should get that insurance, and it's a bad idea not to, since it's impossible to get a 100% secure system and hackers are everywhere. You'll end up bankrupting the company if you are small enough and have to deal with legal and/or restitution expenses. Actually, it would be interesting if a company got the insurance and just didn't tell their IT staff; that would be interesting.