A business is subject to legal requirements mandating specific measures to safeguard the confidentiality, integrity, and availability of data. Lack of compliance can lead to fines and civil, and sometimes criminal, penalties. But it seems that data breaches cost companies a lot less than we thought. Benjamin Dean is a Fellow for Internet Governance and Cyber-security, School of International and Public Affairs at Columbia University. Business managers listened when he wrote a column in March 2015 on
"When we examine the evidence, though, the actual expenses from the recent breaches at Sony, Target and Home Depot amount to less than 1% of each company's annual revenues. After reimbursements from insurance and minus tax deductions, the losses are even less."
This means that a company is willing to accept risk because someone else pays for the consequences of a threat becoming a reality. Consider the following:
So there isn’t a huge incentive for businesses to invest in security measures to protect against data breaches. Losses on this scale may not affect organizations like Target or Sony, but for small and medium-sized businesses such losses, combined with the loss of goodwill, can have serious consequences and are often detrimental to the survival of the business. It’s vital for SMBs to ensure everything possible is done to secure their network.
According to Gartner, the average company allocates about five per cent of its annual IT budget to security. Overall, business has tended to increase funding for security each year. You might expect this trend to continue in order to combat the ever-increasing security threats.
But don’t get too comfortable. Yes, managers are acutely aware of well-publicized data breaches and want to avoid such events on their watch. But let’s take a look at the facts from the perspective of a manager:
Managers employ risk analysis to determine the benefits of protecting against threats. Spending money on security can be compared to paying an insurance premium. Businesses are in the habit of paying for insurance policies against risks such as fire. The cost of the premium is weighed against the expected cost of the event being insured against. It shouldn’t be surprising that some elements of the security budget may not pass this risk-versus-reward test.
Risk management looks at each security threat separately. First, it assigns an annualized rate of occurrence (ARO) to the threat, the expected frequency with which it occurs within a year. Second, it estimates the monetary loss expected from a single occurrence of the threat; this is the single loss expectancy (SLE). Multiplying the ARO by the SLE yields the annual loss expectancy (ALE) for that threat. Given this figure, management can decide to do one or a combination of the following to handle the associated risk:
At this point, the cost/benefit analysis for each threat is rolled up into total figures for protecting against data breaches. Managers coordinate with a large number of parties in formulating budgets. The security professional should be one of those parties. You can be an invaluable asset to management by developing your company’s version of risk analysis for your area of expertise.
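The per-threat ARO/SLE/ALE calculation, the risk-versus-reward test against a control's yearly cost, and the roll-up into budget totals, as an added example that is not from the article; the threat names, loss figures and control costs are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Threat:
    name: str
    aro: float  # annualized rate of occurrence: expected occurrences per year
    sle: float  # single loss expectancy: monetary loss from one occurrence

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float                    # yearly cost of the control (the "premium")
    residual_aro: float                   # ARO remaining once the control is in place
    residual_sle: Optional[float] = None  # SLE after the control; None = unchanged

def ale(aro: float, sle: float) -> float:
    """Annual loss expectancy = ARO x SLE."""
    return aro * sle

def evaluate(threat: Threat, safeguard: Safeguard) -> dict:
    """Risk-versus-reward test: net benefit > 0 means the control removes more expected loss than it costs."""
    before = ale(threat.aro, threat.sle)
    sle_after = threat.sle if safeguard.residual_sle is None else safeguard.residual_sle
    after = ale(safeguard.residual_aro, sle_after)
    net = before - after - safeguard.annual_cost
    return {"threat": threat.name, "control": safeguard.name, "ale_before": before,
            "ale_after": after, "control_cost": safeguard.annual_cost,
            "net_benefit": net, "decision": "mitigate" if net > 0 else "accept"}

def roll_up(results: list) -> dict:
    # Total the per-threat figures into the numbers a budget discussion needs
    spend = sum(r["control_cost"] for r in results if r["decision"] == "mitigate")
    residual = sum(r["ale_after"] if r["decision"] == "mitigate" else r["ale_before"]
                   for r in results)
    return {"total_ale_before": sum(r["ale_before"] for r in results),
            "recommended_spend": spend, "residual_ale": residual}

# Constructed sample figures (not from the article) for three threats
CASES = [
    (Threat("ransomware", aro=0.5, sle=200_000),
     Safeguard("offline backups + EDR", annual_cost=30_000, residual_aro=0.1)),
    (Threat("laptop theft", aro=2.0, sle=5_000),
     Safeguard("full-disk encryption", annual_cost=4_000, residual_aro=2.0, residual_sle=500)),
    (Threat("server-room fire", aro=0.01, sle=500_000),
     Safeguard("gas suppression system", annual_cost=15_000, residual_aro=0.001)),
]

def analyse(cases=CASES) -> list:
    # Per-threat decisions; the fire control fails the test and that risk is accepted
    return [evaluate(t, s) for t, s in cases]
```

With these figures the fire-suppression system costs more per year than the loss it averts, so it fails the test even though the threat is real; the roll-up then shows total ALE, recommended spend and the residual ALE the business is choosing to carry.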