The Cost of Security
PERFORMING A RISK ASSESSMENT AND KNOWING HOW MUCH TO INVEST
We live in a world where more and more business is conducted over the Internet. Whether it is online banking, shopping and paying for purchases online, or a host of other things, it is clear that doing business has changed, and that means security has to change as well. Today, unfortunately, cybersecurity breaches have become a cost of doing business. It’s one of the negatives that come with the convenience of online living, and it’s a big negative.
The question business owners and managers have to ask is this: How much should we invest to properly defend against an intrusion? A defence against every kind of attack can be very expensive – up to several million dollars – depending on the organization.
Cyber attackers continually find new ways to break into systems, and it is hard to keep up with the new malicious efforts that are developed daily. The solution for any organization is to, first, establish criteria for what information is important and, second, focus on being able to recover as quickly as possible from the damage of any attack.
In 2017, the Ponemon Institute did a survey and determined that the average cost of an intrusion to an organization was US$2.6 million, and that the average length of time required to resolve the damage of a malicious attack was 55 days. Clearly, a lot can happen in a two-month time period and in some cases, it can even be fatal.
Costs incurred from this type of attack can include not only the cost of repairing systems and processes, but the loss of reputation and with that the subsequent loss of customers. So, what do businesses do? Obviously, there is a balance to be struck between accepted risk and the cost of doing business, and that will vary from organization to organization.
The first task in addressing cybersecurity is an internal evaluation of all the risks. This is usually conducted by an independent team that will explore all processes that may be vulnerable to cyberattack. The objective here is to determine what can be put in place to mitigate the risk of attack. Here are some questions to consider in assessing the risk:
■ What would be the impact of a breach in customer data? Apart from the embarrassment of informing customers, could this cause those customers to take their business elsewhere? Could it impact the long-term growth objectives of the business?
■ What information would be useful to competitors and could it be used to take away company business? Proprietary intellectual property and know-how are prominent targets; however, identification of key personnel and long-term strategies may also be of interest to competitors.
By Bill Ross
THE DEGREE OF RISK AN ORGANIZATION IS WILLING TO ACCEPT WILL LARGELY DICTATE THE KEY STEPS IT MUST TAKE TO DEFEND ITSELF.
HRPROFESSIONALNOW.CA ❚ AUGUST 2018 ❚ 25