I was listening to my brother and a family friend, both of whom are software developers, on New Year’s Day talk about the digital security aspects and policies of their companies. It was enlightening, and a bit frightening.
They spoke about how when a severe data security breach occurs, there is a bunch of scrambling to plug the security hole, there may be an attempt at data recovery, and whoever is the Director or head of Security loses their job. Someone is promoted into that position, and immediately no longer has job security. They talked about how and why the Director, VP, or head of Security at tech companies do not last long in their positions, which was why my brother did NOT want to be promoted to it. My brother cited the Ashley Madison data breach of 2015. The two concluded the results of that, while harmful to the site’s users whose accounts had been compromised, did not significantly impact the company. People still continue to use it now, and other sites like it. Those who signed up after the breach do not seem concerned about the site’s security or its obviously negative security track record. I asked about the Equifax data breach from last Fall. Same type of response. Though in this case the fact that there isn’t a choice but to use Equifax sometimes could be part of the equation.
My brother and our family friend came to the conclusion that the internet-using population at large does not care about internet security breaches. An individual person may care, and may even sue, but that’s just a blip in the company history. A company simply fires the head of its security department and offers a public apology, perhaps makes a payout from a pre-funded legal fund for such things, then continues on with business as usual, and people continue to use the company or sign up new accounts!
Since the general population does not act concerned about internet security breaches, I expect the internet security landscape is not going to change at all in the next 5 years. Based on the response to the Equifax breach, I think internet security could even get worse instead of better. Why would companies invest in advancing their data security when they could just set aside some money in case of a breach requiring litigation, and instead focus their efforts on their actual products?