Size matters when it comes to network security! The smaller the business, the larger the threat.

Posted by Geraldine Hunt on Tue, May 19th, 2015

A business is subject to legal requirements mandating specific measures to safeguard the confidentiality, integrity, and availability of data. Lack of compliance can lead to fines and civil, and sometimes criminal, penalties. But it seems that data breaches cost companies a lot less than we thought. Benjamin Dean is a Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University. Business managers listened when he wrote a column in March 2015 on

The Conversation:

"When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues. after reimbursements from insurance and minus tax deductions, the losses are even less."

Then there is the concept of “moral hazard”. 

This means that a company is willing to accept risk because someone else pays for consequences of a threat becoming a reality.  Consider the following:

• If a customer experiences identity theft because of a data breach, Sony is not financially responsible. The customer is. The customer will be angry at Sony; the company will lose some “goodwill”. And, yes, companies do care about their good names. But the more data breaches occur, the less likely it is that the customer can pinpoint the cause for the identity theft. Was it his PlayStation account or his Target credit card that led to the problem?
• Other companies often bear the cost of data breaches as well. Dean explains that in the case of Home Depot, credit- and debit-card providers were hit: "Credit unions claim to have spent $60 million in September 2014 alone replacing compromised cards." http://www.techrepublic.com/article/data-breaches-may-cost-less-than-the-security-to-prevent-them

Data breaches cost large organizations shockingly little so what’s the point of fixing cybersecurity!

So there isn’t a huge incentive for businesses to invest in security measures to protect against data breaches. These kinds of losses may not affect organizations like Target or Sony but for small and medium sized businesses such losses combined with the loss of good will can have serious consequences and are often detrimental to the survival of the business. It’s vital for SMBs to ensure everything possible is done to secure their network.

According to Gartner, the average company allocates about five per cent of its annual IT budget to security.  Overall, business has tended to increase funding for security each year. You might expect this trend to continue in order to combat the ever-increasing security threats.

But don’t get too comfortable. Yes, managers are acutely aware of well-publicized data breaches and want to avoid such events on their watch. But let’s take a look at the facts from the perspective of a manager:

• More sophisticated attacks lead to even more sophisticated defenses. Businesses need to buy increasingly more expensive software, hardware, and services to maintain defensive posture.
• As security spending increases, it becomes more of a target for budget cuts. The larger the budget, the more it is subject to scrutiny.

Managers employ risk analysis to determine the benefits of protecting against threats. Spending money on security can be compared to paying an insurance premium. Businesses are in the habit of paying for insurance policies against risks such as fire. The cost of the insurance is weighed against the cost of whatever you are insuring against. It shouldn’t be surprising that some elements of the security budget may not pass this risk-versus-reward test.

Analyzing risk - develop your company’s version of risk analysis

Risk management looks at each security threat separately. First, it assigns an annualized rate of occurrence (ARO) to the threat - the likelihood that it occurs within a year. The risk is the monetary loss expected from the threat occurring. This is called the single loss expectancy (SLE). Multiplying the ARO and the SLE yields the annual loss expectancy (ALE) for each threat. Given this figure, management can decide to do one or a combination of the following to handle the associated risk:

1. Risk avoidance – Policy precludes any activities that lead to the threat. Most threats are not easily avoided. For example, barring access to your website would instantly increase your security posture, but no web presence is simply not an option in today’s business world.
2. Risk transference – You can share some of the burden of the risk with someone else such as an insurance company.
3. Risk mitigation - This is by far the largest category. It includes most of the measures that we think of as “up-front security”, including firewalls, spam filtering, antivirus software, and educating users about possible threats.
4. Risk deterrence – An example of this are the legal disclaimers on login banners that promise prosecution if access is not appropriate.
5. Risk acceptance –This category cannot include a risk that the management does not know exists; it has to be an identified risk for which those involved understand the potential cost/damage and agree to accept.

At this point, the cost/benefit analysis for each threat is rolled up into total figures for protecting against data breaches. Managers coordinate with a large number of parties in formulating budgets. The security professional should be one of those parties. You can be an invaluable asset to management by developing your company’s version of risk analysis for your area of expertise.