
Time to take a stand on security--again


In the wake of the Zappos.com breach, the New York Times weighed in with an article featuring a woman who had been notified three times this year that she may have been the victim of cybercrimes. The notifications came from eBay, Zappos.com and 6PM. The breaches at the latter two companies, both owned by Amazon, compromised the accounts of more than 24 million.

There are two issues here. One of course is the troubling fact that even big, established companies with massive resources at their disposal cannot seem to keep their customers’ information safe. The other issue is the extent to which companies disclose breaches, an issue we’ve discussed in the context of the RSA breach, the Citi breach and the Sony breach. It would be shocking if the likes of Amazon and other big companies did not have policies and best practices in place as to how to respond when a breach occurs--and they will occur.

We have to assume they do, and we understand the need to not be completely transparent about their defenses. You don’t want to give away the playbook to the bad guys.

But companies need to do a better job understanding the effect of all this on consumers. You don’t want to unwittingly promote the idea that executives consider all this a mere cost of doing business and that consumers will shop online no matter what. (We hope they don’t think that.)

One customer posted his view of Zappos.com’s response, which was to direct people to an email. “That’s it? That’s how you respond to a security exposure that may require me to change my password on a large number of other sites to protect myself? That’s how little you think of your customers, just drop this glib little note and wash your hands of the whole affair? You have a legal and moral obligation to protect my information.”

Executives of course don’t want to frustrate their customers like this. And their actions will speak much louder than words this year. Companies collectively need to act. They need to make a statement.

Ten years ago, Microsoft launched what it called its Trusted Computing initiative. Then-CEO Bill Gates went out of his way to make safety "the highest priority for all the work we are doing." He wrote: "We must lead the industry to a whole new level of Trustworthiness in computing." Here’s the memo.

Security has been a priority ever since. One could quibble and say we’re hardly secure a decade later, and it’s true that bad guys have made some major gains. But the initiative made security a priority and made clear what the consequences were. We need executives to take a similar stand today. Perhaps in concert with one another. -Jim