Friday, June 14, 2013

Security on a Budget

Preventing damage from malicious attackers, stopping the infestation of malware, and preventing theft and fraud are not cheap. But failing to erect adequate protections for your organization's level of known threat is not a cost-saving measure; it is simply a deferment of the cost until a later date. Often, that date arrives sooner than expected, and the bill is much higher than imagined. Saving money on security is about making sound decisions on the right products that provide the best security for their cost.

Security is expensive. Many small- or medium-sized organizations are struggling to deploy sufficient security defenses on a shoestring budget. This white paper discusses several techniques, methods, and tools that may help you reduce your security budget while maintaining or increasing your actual defenses. No security defense is perfect, and you often get what you pay for. However, just because something is expensive does not mean it is great; likewise, just because something is cheap or free does not mean it is worthless. With these suggestions, you may be able to improve your security without breaking the IT budget.

In these troubled times, many are looking for ways to save money, cut costs, and make a greater return on their investments. This applies to groceries and travel, as well as security. The concept of saving money is really nothing new; we should always be looking for ways to "save more, spend less, and avoid getting ripped off," to borrow a phrase from Clark Howard. However, the perception that the country's economy or our own personal economy is in peril is not really a special reason to look to cut costs. In fact, if we are doing our job correctly at work and at home, "generic" troubled times really shouldn't affect us.

What I mean by this is that security is not an area of business that can be cut or trimmed just to save a few dollars. In fact, security is an essential element of being an organization. Attempting to cut corners with regard to security will often result in compromises that cost more to repair and restore than the protections sacrificed for the perceived "savings." Security should be as important to your organization as the facility where you work, the utilities needed to run the equipment, and the paychecks of your workers. Security should be seen as the last place for funding cuts, and then only when all other avenues have been exhausted and the company would go under anyway without such cuts.

Why do I make such a bold claim? Mainly because, as organizations become more and more information-focused and we increasingly rely upon networking and the Internet, the threats to our IT infrastructure increase. Today, anyone with basic computer skills is able to perform very damaging attacks. Our IT networks face an ever-growing threat from both external malicious entities and our own internal personnel. FBI studies in the last few years have shown that around 80% of company security policy violations are caused by their own personnel. These violations are often out of ignorance or negligence, but increasingly they are also out of malice or spite. As we face downturns and belt tightening, our own employees could turn on us and cause severe damage from the inside.

I don't want to paint the picture that all employees are evil and that their only goal is to harvest the organization's internals for personal gain, but it is a real risk that must be addressed in a realistic risk assessment and security policy. My point is that if there are already malicious people within the organization and the company chooses to cut back on security, it will make their attacks easier, may make detection more difficult, and will cause the repair and recovery to be more expensive.

So, with a standing policy not to cut security in times of need, we need to establish cost-effective security as a standard practice. This should be a long-term goal, not just one inspired by a tough economy. If this is not already your IT department's goal, there is no better time to start than now. Ultimately, what you should strive to accomplish is the most reliable preventative and detective security system possible with the least amount of capital expenditure.

In the following sections, I explore several ideas regarding saving money on company security. Some of these ideas might be blatantly obvious, while others may be completely revolutionary. I challenge you to read each and see if your organization already employs each concept or if you can put it into effect in new and interesting ways.

There is this notion in the security field that when you discover a new risk or threat you have to purchase a new countermeasure to safeguard against the new problem. I think this notion itself reveals a key philosophy of security that is not always the best. Improving security is not always the addition of new layers of protection; instead it can often mean the adjustment of components already deployed or even the removal of elements no longer essential to a business function.

