Arik Hesseldahl


Still Not Convinced the Cloud Is a Risky Place? Here Are Some Scary Numbers To Ponder.

The myriad computing service failures of the last week or so have had me thinking back to my conversation in March with Drew Bartkiewicz. We’ve had Amazon Web Services fail and bring down much of the Web with it. Add to that the PlayStation Network outage, which is still unresolved and is starting to get ugly in a legal and regulatory sense for Sony. And before that there was the breach at the email marketing company Epsilon.

It’s as though this week was tailor-made for Bartkiewicz, who argues that companies in the cloud business–and their customers, too–are in denial about risk. And by risk I mean not the technological possibility that a service may fail to work as advertised, but risk in the financial liability sense.

In Amazon’s case, there’s not been any real discussion of financial liability. Even though several companies effectively had to pause operations during the period of its outage last week, the only compensation they seem to be getting, at least for the moment, is a credit on their bill for the time that affected systems were offline and an apology. Apologies and billing credits won’t work for large companies. In a case like that, someone, somewhere has to be on the hook financially for the failure.

Handing your data over to someone is in a way comparable to handing goods over to a shipping company that promises to get them safely from one place to the other. Something bad can happen along the way, and often does. Trains derail, ships sink or get attacked by pirates. This is why the insurance industry exists. Yes, data is slightly different because it can be copied, but you get the idea.

Anyway, as if on cue, I found in my in-box today a report from Bartkiewicz’s company, CyberFactors, which specializes in risk analysis related to cloud services. It made for very interesting reading: It has estimated the financial costs associated with the Epsilon breach, and the findings should get your attention. The security breach and release of customer data at the email marketing provider has exposed the company to liabilities that could be as high as $225 million. According to CyberFactors’ research, as many as 75 other companies were involved and the total number of affected email addresses may be as high as 60 million.

Dealing with the repercussions of the breach–informing customers about it, making changes to marketing strategies, and so on–could eventually cost the affected companies, which included household names like Best Buy, J.P. Morgan Chase, Citibank, Walgreens and the Walt Disney Company, as much as $412 million, pushing the aggregate cost of the incident to $637 million. Think about that. The exposure of an email database could wind up costing more than half a billion dollars.

Yet even that isn’t the worst of it. Once you take into account down-the-line costs, such as fines, forensic audits, litigation and loss of business, the total cost could exceed $3 billion. Roughly half of the total costs to the affected companies will occur in the first year after the breach, and the rest will come in the second and third years. Security breaches have a way of costing long after the incident itself fades from the headlines. Cloud companies, CyberFactors argues, are going to have to start thinking more like banks, insurance companies and hedge funds. The cloud is going to have to grow up.

