This is the final segment of this three-part series, in which we have looked at the importance of security within an organization, the different types of attacks that could occur, and the motivation behind these attacks.

What should one do?

This is obviously a difficult question to answer. The way to go about this is to weigh the risk against the cost and find a balance that makes sense. A common pitfall here is factoring in ROI (Return on Investment). ROI is a very big deal to businesses; however, in the security context it doesn’t make much sense to consider it. Security is not an investment one makes to get a return, just as insurance is not such an investment. An organization should not invest in security with the notion that it will provide income, because it will not do that per se. So then what’s the point of security?

Security will help the company avoid downtime and wasted man-hours, as well as loss of property, clients and reputation. With that in mind, what one needs to do is not try to find the ROI on a security investment but rather the costs that security will help avoid. In a nutshell, for each risk one must estimate the likelihood of that risk and multiply it by how much it will cost if it occurs. After that, you need to calculate how much the security you are planning to implement will reduce that risk and how much cost it will avoid. The difference between these two costs is the baseline you should aim for. Spend more and you’re overspending; spend less and you are incurring losses which can be avoided.

Calculating the cost of the risk

As stated previously, calculating the value of a risk is a complex matter that varies from case to case. Each risk can have an impact on a number of different items:

  • Manpower required to rectify the issue and/or reinstall systems
  • Manpower required to identify how the breach occurred and secure it
  • Downtime and/or loss of productivity
  • Value of information lost
  • Costs of securing the system
  • Liability
  • Legal costs
  • Costs from the fallout:
    o    Customers lost
    o    Reputation lost
    o    Media damage mitigation expenses

When calculating the cost, it is important to factor in each and every cost or loss resulting from that risk occurring. For example, suppose you suffer a breach and, to be on the safe side, you decide to format the server and restore a clean backup to get rid of any malware the hacker might have planted. You might calculate that it takes half a day to restore the backup, so the loss is half a day’s wage for the administrator. That’s wrong, because if you do only that, you can be sure you will be broken into again: the vulnerability the hacker used to infiltrate the system is still there. At the very least you need to factor in the analysis and securing of that vulnerability as well. Then you need to consider the value of the data stored in that system, and the analysis of whether the attacker also breached any other internal systems once he reached that server.

Determining the likelihood

The final part of the equation is deciding how likely a certain risk is to occur. This is generally very hard to determine, especially because some risks, such as random attacks, are by nature purely random. Some risks are also multistage, so to speak. Taking random attacks as an example, the first stage of the risk would be being targeted, the second stage would be whether the attack succeeds, and a third stage would be whether the attacker can get access to anything valuable and what he does with it. As one builds security layers, the risk factor will also change, because some of these stages become less likely to occur.
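
The calculation described above, carried through for one multistage risk, as an added example that is not part of the original article. All probabilities, cost figures, the one-year horizon and the "patching" control are constructed assumptions.

```python
from dataclasses import dataclass
from math import prod

@dataclass
class Risk:
    stages: dict  # stage -> yearly probability, given the previous stage happened
    costs: dict   # cost item -> loss if the risk occurs

    def likelihood(self, reductions=None):
        # A control lowers one or more stages by a fraction (0.75 = 75% less likely).
        r = reductions or {}
        return prod(p * (1.0 - r.get(stage, 0.0)) for stage, p in self.stages.items())

    def impact(self):
        return sum(self.costs.values())

    def expected_loss(self, reductions=None):
        return self.likelihood(reductions) * self.impact()

def avoided_cost(risk, reductions):
    """Expected loss without the control minus expected loss with it."""
    return risk.expected_loss() - risk.expected_loss(reductions)

def verdict(risk, reductions, control_cost):
    baseline = avoided_cost(risk, reductions)
    if control_cost > baseline:
        return "overspending"
    if control_cost < baseline:
        return "avoidable losses remain"
    return "on baseline"

# Constructed sample figures (currency units, one-year horizon), not from the article.
breach = Risk(
    stages={"targeted": 0.5, "attack succeeds": 0.4, "reaches valuable data": 0.5},
    costs={
        "restore clean backup": 400,
        "analyse and secure the vulnerability": 3600,
        "downtime": 6000,
        "value of information lost": 20000,
        "legal and fallout": 10000,
    },
)
patching = {"attack succeeds": 0.75}  # hypothetical control and its assumed effect

if __name__ == "__main__":
    print("likelihood:", breach.likelihood())
    print("expected loss:", breach.expected_loss())
    print("avoided by control:", avoided_cost(breach, patching))
    print("spend 5000:", verdict(breach, patching, 5000))
```

Counting only the backup restore would put the impact at 400 instead of 40000, which is the underestimate the previous section warns about.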

So what’s the conclusion from all this? Do we need security or is it all FUD?

I work in security, so my answer will obviously always be yes. If I am talking to someone on the subject who is undecided, I will list all the above points in order to convince him he needs security, not because I want to scare him into buying products and support the industry, but because I do believe in what I preach. The only thing I can really do objectively is present the facts and the points to consider. The above article explains what one needs to consider in terms of security and how to determine roughly what stands to be lost. Once you do that exercise, you can understand what an intrusion will mean and you can decide how much money protecting yourself against that event is really worth.