Sunday, 24 January 2010

The false economy of shutting the stable door after the horse has bolted

The bulk of my life at the moment is spent speaking to people about computer security and their current problem(s), usually a result of implementing the cheapest solution to meet minimal requirements. This typically ends up with us being asked to plug the holes that they are focussing on at that moment; very rarely do they stop and look at the entire estate.

Look, I know budgets are tight but surely it makes sense to look at the entire estate and resolve all of your security issues in one hit rather than the on-going cost of fire fighting.

When a company has a security breach there are several things to consider. The first is the tangible cost of resolving the problem. This is what organisations focus on because, as I said, it is tangible.

The second is the intangible cost of the problem, one that is not so readily seen. Its effects can take a while to be noticed, but by then it can be too late, and they can devastate a business that was unprepared for them. The intangibles are made up of several factors: reputation damage, which affects how much existing business you retain and how much new business you lose as a result of shoddy security. How many clients will want to do business with an organisation that exposes their details? There is also the cost of damages and making things right; for example, if the organisation exposes financial details then there is the cost of monitoring accounts for fraudulent transactions, which all adds to the bill.

I won’t go into the long list of intangibles because they vary from industry to industry; however, what I can tell you is that year on year the cost of a data loss has gone up. How do I know? Every year, the Ponemon Institute publishes the average cost of a data breach and it is printed there in black and white. If you want a copy, email me and I will send you a copy of the reports.

There are numerous cases where businesses have gone bust as a direct result of being cheap with computer security.

So when asking those higher up the company food chain for an IT security budget, find out if they have business insurance for fire and theft. I know this sounds a bit off topic, but bear with me. Businesses don’t typically burn down that often, and whilst we perceive crime to generally be on the up, the instances we deal with are thankfully few and far between (unless you are in the police or insurance game). So why do business bosses feel the need to insure against these things but not insure against data loss? The bottom line is that businesses do plan for these possibilities and have mitigation and planning in place to deal with them, so can you not argue the same case for data security?

So the message for today is to think of computer security as another form of business insurance, because whilst you don’t want to be in a situation where you have to use your insurance, you are bloody glad you’ve got it when you really need it, and so will the bosses of the business be.
