A question I often get is how much I should budget for security in my IT systems. Most companies tend to think of this in terms of defending themselves against specific attacks or breach outcomes such as cryptolockers, wire transfer fraud or data breaches. Or, the conversation is driven purely by cost concerns. I’ve always thought this is not the correct way to evaluate your needs.
Security systems should be looked at in the same way as insurance. When buying insurance, the first thing to evaluate is your risk. The second is the confidence in your insurance company to actually be there when needed and the third is the cost. If you purchase too much insurance, you have wasted your money for no benefit. If you buy too little, you have not addressed your risk and could have a catastrophic outcome if the event you are insuring against happens.
With security, first evaluate your risk. Do you have a regulatory burden that must be met? Do you have data that would trigger a regulatory response? Do you have data that could be used to extort your company if it were breached? If your systems were knocked offline for an extended time, could your business still operate? Second, evaluate the people controlling your risk. Do you trust them to keep you safe? Third, shop for the best solution within your budget that will successfully lower your risk.
Let’s consider two examples. The first is a high-risk client. Let’s say you run a law firm that specializes in sensitive matters, and you have a large volume of case files that, if leaked, would cause a potentially business-ending PR disaster. In this case, the ability to restore the systems is not the biggest issue; the fallout from the breach is the largest concern. This cannot be addressed through cyber liability insurance or backups. The only answer here is to reduce risk by increasing security. This company would need sophisticated systems to control this risk and would want a budgeted spend set aside for that purpose. The second example would be a small business that has no files on its customers other than basic, publicly known information. It does not store any financial info and does not depend on its computers functioning to conduct business. This company could simply go to an electronics store and buy another computer if something happened. The only real concern would be social media accounts and email. A small investment in security, or even a simple change in online behavior, would control the risk.
What’s the right answer for you? Without considering your risks and talking through what would happen to you if you suffered a security event, how could you know? Give us a call and we can have that talk.