[akira2501]

> Every enterprise IT department is like this.

That's because it's not understood what a liability allowing this to occur is. Perhaps if we fine them based on revenue they would understand that IT is a core part of their company and can no longer live on the edges of the business units.

[jjav]

> That's because it's not understood what a liability allowing this to occur is.

No, it's because they understand what the liability of allowing this is (minimal and inconsequential). So why bother?

[akira2501]

Clearly not everyone agrees with you that it is minimal and inconsequential. Perhaps you are lucky enough to not have anything vital of yours disclosed without your knowledge or consent.

[jjav]

The liability of allowing this. Liability to the company. It is factually minimal and inconsequential.

Look at the stock price hit companies take when they have security breaches. The impact is basically none apart from a short-term dip which recovers soon enough. Or look at the fines companies get for breaches, always a minuscule percentage of their profit.

This is why companies will keep short-changing security, because to them it's just a cost that doesn't really matter. And objectively, it doesn't matter when viewed from the lens of maximizing profit at all cost.

Did crowdstrike go out of business yet as a consequence of their breach? Did tmobile? Did equifax? These all should have, but all are going strong.

So yes, impact is minimal and inconsequential.

Depressing.