I have a buddy working security in IBM. He says the same thing. It’s not about security but rather how much money is gained/lost from being secure enough. Even when shit hits the fan, the fees imposed on them are less than the cost to pay employees to implement a solution to stop it from ever happening. So they don’t get tasked to prevent it. Just deal with it when it happens.
There don’t seem to be any actual legal repercussions for companies that fail to protect customer/patient data in Canada.