All too often robust security is put off because the cost of prevention is felt upfront and the cost of breach is to realized at an uncertain future time and mostly by third parties. In the name of saving money, organizations continue to run out of date operating systems, reject appropriate strong encryption systems, fail to deploy sufficient network security, and refuse to employ and empower appropriate security staffs. In the end, security is seen as an expense to be minimized as part of a risk management program. But there is another way.
Security must be seen as a moral imperative. Any person or company that is put into a position of trust with regards to other people’s information, must protect that information even at great expense. If the cost is too great to bear, then it is the moral duty to not ask for the information in the first place. It is not acceptable to put people at risk just for economic gain. An adversary cannot steal data from you that your system does not process.
Fortunately, the cost of security is not always high. The cost of preventing a data breach is most always lower than the cost of a breach itself.