Network Security Compliance: The ROI of Risk Prevention
The old concept of network boundaries has given way to open access. Though it has improved productivity, it has also increased vulnerability. The explosive growth in mobile devices has put added stress on IT to protect business and personal information.
With increased vulnerability comes increased losses. The Ponemon Institute 2015 Cost of Data Breach Study determined that the cost for each lost or stolen record containing sensitive or confidential data increased by 11%. Some of those costs were due to lost clients, particularly in healthcare, pharmaceuticals, and financial services, where customer trust is vital to maintaining a competitive edge. The study was based on larger firms that are staffed with a Chief Security Officer and cyber teams organized to prevent network hacking.
Small and medium-sized businesses with limited IT resources can be even more susceptible. Research on this sector has concluded that approximately 60% of all attacks were directed at smaller enterprises. These firms are seeing a growth in “ransomware”, where the hacker locks down their network until a sum is paid to free the system, in some cases causing business failures.
Needless to say, the need to protect privacy and prevent lost business will continue to stress IT today and long into the future. Each entity must grapple with the question of “how much security do we need, and how much can we afford?” The following paragraphs demonstrate a proven thought process for assessing risk, determining costs, and developing solutions that can go a long way towards preventing such a debacle.
Risk Assessment or Audit
Investment strategy begins with a review of the current applications and infrastructure. An audit should take note of potential areas of risk such as customer data and employee access. The question is “how secure is the system?” If warranted, an experienced consultant with cyber expertise could perform a threat analysis by testing for weaknesses. And to ensure adherence to industry certification standards for digital security, such as those presented by HIPAA/HITECH, GLBA/FFIEC, Sarbanes, and PCI, a thorough network risk assessment is indeed mandatory. (Failure to meet the rules and guidelines set by network security compliance standards could lead to fines or other penalties.)
Determine Costs of a Potential Loss
To ascertain the ROI of prevention, estimate the damage that might occur using the classic Annualized Loss Expectancy (ALE) method: potential damage from an incident ($) = the probability of the incident happening (%) × the loss the incident would create ($) if it were to occur. For example, if there is a 10% chance a company could turn over 1,000 customers due to loss of trust, at $50 each, the potential damage or ALE is $50,000. This helps to put, for example, an investment of $25,000/year in a remote anti-virus and patch management solution in perspective.
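The ALE method above, carried one step further into a return-on-security-investment comparison against the $25,000/year control, as an added Python example that is not part of the article. The 90% mitigation ratio assigned to the control is an assumed figure; the customer, price and probability figures are the article's.

```python
from dataclasses import dataclass


@dataclass
class RiskScenario:
    """One loss event: its yearly likelihood and the exposure if it occurs."""
    name: str
    annual_probability: float  # chance of the incident in a year (0..1)
    units_at_risk: int         # customers or records that could be lost
    loss_per_unit: float       # dollars lost per customer or record

    def sle(self) -> float:
        """Single Loss Expectancy: the damage from one occurrence."""
        return self.units_at_risk * self.loss_per_unit

    def ale(self) -> float:
        """Annualized Loss Expectancy: probability of occurrence x single loss."""
        return self.annual_probability * self.sle()


@dataclass
class Control:
    """A preventive measure with a yearly cost and the share of ALE it removes."""
    name: str
    annual_cost: float
    mitigation_ratio: float  # fraction of the ALE the control is expected to remove


def rosi(scenarios: list[RiskScenario], control: Control) -> float:
    """Return on security investment: (risk reduction - control cost) / control cost."""
    ale_before = sum(s.ale() for s in scenarios)
    ale_after = ale_before * (1.0 - control.mitigation_ratio)
    return (ale_before - ale_after - control.annual_cost) / control.annual_cost


def break_even_ale(control: Control) -> float:
    """Total ALE a control must address before it pays for itself."""
    return control.annual_cost / control.mitigation_ratio


# Article's figures: a 10% chance of losing 1,000 customers at $50 each.
CHURN = RiskScenario("customer churn after a breach", 0.10, 1_000, 50.0)
# Article's $25,000/year anti-virus and patch management investment;
# the 90% mitigation ratio is an assumed figure, not from the article.
PATCHING = Control("remote anti-virus and patch management", 25_000.0, 0.90)

if __name__ == "__main__":
    print(f"SLE ${CHURN.sle():,.0f}  ALE ${CHURN.ale():,.0f}")
    print(f"ROSI of {PATCHING.name}: {rosi([CHURN], PATCHING):.0%}")
    print(f"Break-even ALE for this control: ${break_even_ale(PATCHING):,.0f}")
```

A negative ROSI for a single scenario is the usual outcome; the comparison becomes meaningful once every scenario the control mitigates (malware outbreaks, ransomware downtime, regulatory fines) is added to the list.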
Establish and communicate security policies
Having up-to-date security policies that are understandable to employees is crucial. IT must also be equally vigilant about protecting systems and data from internal threats and external attacks. At a minimum, policies should cover the creation, transmission, transport and retention of information; when and how information can be disposed of or removed from corporate servers/storage; remote, wireless, electronic and physical access to the corporate network; and security precautions to use while traveling.
Update antivirus software, add firewalls, strengthen passwords, and educate employees on how to recognize different phishing methods. An alternative is to store data with a cloud service partner that has excellent validation processes.
To avoid the potential theft of data from mobile workers, provide travel laptops and create specific information security policies to protect the network from cyber attacks. Travel laptops that are fully capable of executing vital business functions but stripped of proprietary, sensitive or secure information can reduce the risk of infiltration.
Monitor for breaches
Maintain vigilance by constantly monitoring for data breaches. The quicker an incident can be found and isolated, the less the damage. Error-prone workstations or mobile devices can be quarantined until infections are cured. Rely on automated tools to do this, and make sure devices are patched with updates as soon as possible.
No one thing will protect a company entirely, regardless of size, but a combination of different measures can reduce the probability of attack. The bottom line remains: how costly is the loss of customer trust, and ultimately of the customer?