Similarly, Yelp isn't in the accounting business, so they have no obligation to pay taxes or payroll. (If employees don't like it, they shouldn't work there.)

By having a security policy, they are in the security business, and they're doing it wrong.

>By having a security policy, they are in the security business

This is not true. A company should only be considered to be in the security business if their profit is driven or at least depends upon offering security to others.

By the logic of your post, any company that has computers that they have to manage would be in the 'IT' business.

The reality is that to run a company, a variety of things must be done to allow it to exist that do not define the business of the company.

This is absolute pedantry. Nobody claimed that Yelp is offering services within the security industry. They are "in the business" in the sense that they are concerning themselves with security to such an extent that they have a policy and are kicking people out of events based on a blacklist (after the fashion of an authoritarian government).

Since they are doing it they should be concerned with doing it right.

If computers are critically important to a company (as they are for many web companies) then they are expected to manage them in an intelligent way. That doesn't mean that web companies are all acting as ISPs, but it is absolutely routine and expected for them to take various measures to maintain their computing infrastructure correctly. It's irrelevant that they are not selling computers.

It is totally irrelevant that Yelp is not selling security services to other companies.

So if you're not in the IT business, does that mean you don't have to do backups? Or does it mean that if you have computers, you damn well better understand the IT business and do it the same way the professionals do?

In this case, Yelp's security policies are stupid. They're not making money from security, but that doesn't mean they get to be stupid.