Ted Demopoulos    Demopoulos Associates
securITy newsletter

Why do many organizations lack adequate security?

Although security breaches cause over US$15 billion of damage worldwide annually, many organizations implement security solutions that are inadequate. Very often these organizations ARE spending "enough" money on security, but they are spending it in the wrong places or otherwise inappropriately. Oftentimes they don't remotely understand how much money, including "hidden dollars," they are spending. There are several reasons for this:

Failure to understand the business needs for security
In spite of efforts to implement some sort of security measures, many companies find that the solutions they implement are simply inadequate. This occurs for two principal reasons: they do not understand what security risks are associated with their business strategies, and they do not have a systematic way to intelligently secure their entire enterprise. Throwing money at security issues almost never works - a systematic plan is required, and it starts with a Risk Analysis.

Lack of Risk Analysis
Many organizations have never conducted a Risk Analysis and have little or no idea of the costs associated with an electronic break-in or other security breach. They have not quantified the value of their electronic data and do not understand the extent to which damage can be done should a break-in occur. They do not understand how expensive the loss of access to key IT resources can be. They often have not considered how intangibles, for example a company's reputation, can be impacted. If your website is down for three hours, will you lose $10,000, $100,000, $1,000,000 or more? How about your internal Customer Relationship Management solution? What about your Inventory Management software - will you even be able to ship products, or take orders?

What about your organization's reputation?
Extortionists regularly target organizations' reputations, and extortion is a major growth area in cybercrime. After an organization's information assets have been compromised, for example customer lists with credit card information stolen, the organization is contacted by a "security consultant." They have found certain security holes and can fix them for $X. These thinly veiled extortion attempts are very common. How much would it be worth to keep your information secure, your customer goodwill intact, and your company's new troubles off the front page of the newspaper? But the damage is already done - and paying extortionists doesn't make them go away, at least not for long (hint: call the authorities - the FBI if you're in the USA). If you don't know how valuable your resources are, it is impossible to determine how to adequately protect them.

Security misperceptions
Many executives still believe that security problems are solved by technology or products alone, for example by installing a “box” such as a firewall or intrusion detection device. Many decision makers remember when, not too long ago, they were told (oftentimes literally) “a firewall will solve all your security problems.” They remember when, not long after, they were told “you also need an Intrusion Detection System – it will solve all your security problems” and perhaps “what you really need is Virus Protection.” They are understandably reluctant when it comes to spending on security, especially since many don’t understand the business value.

Technologies or products alone are not a security solution, but only part of a security solution. Security is a process. It includes technologies/products, policies, and procedures.

A security policy is documentation that describes how an organization manages, protects and enforces its security infrastructure. It defines appropriate behavior and typically has several parts. Examples include firewall policy, password policy, acceptable use policies, etc. A security policy provides a foundation for all your subsequent actions, and it allows you to establish procedures. For example, a virus protection policy might state that virus protection software needs to be updated daily, and the related procedure will explain how it is updated.
Having a security policy in place does not guarantee that intrusions or loss of information will be eliminated. Effective security policies must include being vigilant and constantly updating technologies as well as procedures to deal with new threats. And it is important to realize that nothing usable is 100% secure. Even Fort Knox could theoretically be robbed, although the likelihood is extremely small.

A separation of Security and Networking Solutions
A very big problem many organizations have is that they have separated their security organization from their networking organization. The two groups have very different goals and agendas and often clash. A network group’s goal is to provide network access, while a security group’s goal is to provide an appropriate level of security for the organization, which often involves restricting network access. In many organizations, the network and security personnel are not harmonized and do not work well together – sometimes they are outwardly hostile towards each other (in a recent IT Assessment project, the term "hate" was often used). Satisfying the goals of each group can be challenging if they are not synchronized, and trying to implement an appropriate security solution can be essentially impossible.

Failure to understand that many “hidden” dollars are already spent on security
Effort spent fighting viruses, worms, re-imaging workstations, etc., IS time and money spent on security. And it very likely could be spent more effectively elsewhere – spent proactively instead of reactively. For example, avoiding a worm infestation instead of cleaning up after one. Far too often I hear "we don't have any more money in the budget for security." Oh yeah? And do you have money budgeted for the next worm or virus that hits you?

Copyright 2002-2015, Demopoulos Associates