One could argue that life is all a series of risks. Sometimes we remain in a state of ignorant bliss. Other times, we are aware of risks and take measures to mitigate it. But sometimes we choose to accept the risk.
Accepting risk is not a bad thing. Quite the opposite. Without risk acceptance, there would be no innovation. The reservoir of great ideas would dry up and bankers would have to make do make ends meet with mere six figure bonuses. Risk acceptance is the grown up thing to do. “We understand the risk, and chose to accept it. It’s the cost of doing business.”
But the question is whether some of the risks businesses accept are “unreasonable”. Like creating a toy that captures children’s information. Such as their name, address, birthday, photo, parents details, and allergies – then taking this information and putting it on an insecure website. We don’t mean a website that is accessible over HTTP minus the S. But a website so insecure that it makes OWASP training websites look ‘military grade secure’ by comparison.
Thankfully though, whenever a company is breached and millions of customer records are exposed – a company can merely shrug and say sorry. All the time while assuring they ‘take security seriously’. Customers don’t like it. Troy Hunt will upload the data to haveibeenpwned.com and the world will grit their teeth and take it. This is the seedy world of corporate risk acceptance. The terrifying underbelly of cyber-actuarial tables (if such a thing exists).
The point is that you can’t innovate and deliver new functionality to customers by building a secure website. Or waste precious time ensuring your hardware is hacker-proof. If you do, your competitors will have leapfrogged you. Not to mention, no customer would want to pay a premium on your offering just because you say it’s more secure than the others.
Or maybe the real question is “how secure do I need it to be?”.
(Cross-posted from HostUnknown.tv)