Published on March 6th, 2015 | by admin
Pay Now or Pay Later
I don’t know if the saying “the squeaky wheel gets the grease” applies properly, but there is definitely a lot of noise made after a security breach. Just ask Target.
A large majority of companies have to report to shareholders and the number one focus is on profits. Profits equal success, so money is applied to areas of a company that will provide the biggest return on investment (ROI). Unless a company’s deliverables are IT products, IT expenditures are low on the priority list. While recent high-profile security breaches shone more light on the need for better IT security, convincing board directors to fund security improvements can be a hard sell.
Post-breach, with losses estimated at 191 million dollars, Target is all too willing to spend the money to better secure their servers and Point of Sale (POS) systems. However, the monetary losses are only one aspect they are recovering from. Consumer trust is the other area that took a major hit, and in many ways it is harder to rebuild. Post-hack, Target is in the process of migrating their credit and debit cards to MasterCard’s “Chip and PIN technology.” A good question to ask Target’s board of directors is: “Why did it take the breach, and the subsequent losses, to initiate the security improvements?”
In the past, IT security wasn’t linked to profitability. It was seen as an operating expense, with the mindset of keeping costs as low as possible. Applications that could improve sales got the thumbs up, but IT security not so much. Even as other companies got hacked, it was easy to say, “That won’t happen to us.”
As breaches of systems that hold customer information become more common, consumers are becoming more knowledgeable about the need to protect their identities, and rightfully so. Identity theft is now a big business that includes the involvement of organized crime. While the number of compromised identities is still low compared to the large number of identities culled from a breach, the number is on the rise, aided by better hacking tools.
How does a company fight back? Closing the barn door after the horses get out doesn’t make sense, and when put in that most basic of terms, it seems easy to comprehend. Yet IT departments still have an uphill battle getting the funding needed to provide proper protection. Part of the problem is that IT staff can be their own worst enemy. For years they pushed for bigger budgets and better toys, with very little to boost the bottom line of the company. Now that they claim a need to protect the company from breaches, their requests fall on deaf ears.
IT managers, CISOs and CIOs can use current events to justify the need for better security. While hacking tools have evolved and become ever more devastating to a company’s data, tools for protection have advanced as well. The capabilities to insulate internal data from direct access via the internet have evolved, providing an excellent layer of protection. However, this isn’t a proposition of making a one-time purchase and installation. As hacking tools evolve, so too do the means to fight them. The battle is ongoing with no end in sight. Internet searches of terms like Identity Theft and IT Security Breach return a host of vendors providing protection from, or cleanup after, such breaches.
The right approach is to make IT security a major line item in the IT budget. Selling this to non-tech-savvy boards requires detailed plans on how the company’s IT infrastructure will evolve and improve its capability to protect all company data, including customer information.
So then, the question becomes, “Do you spend the money up front for protection, or do you take your chances and pay for the cleanup after?” For all but the smallest companies, those that have no proprietary data or customer information stored on their networks, this shouldn’t even be a question. With hindsight being 20/20, I’m sure that Target would agree that they would have been far better off had they instituted their changes and upgrades prior to the attack rather than after.
Even the smallest of IT departments don’t have to go it alone. Companies like SS8 partner with IT departments to understand their current security posture, and how to evolve it and keep it current to address the latest threats as soon as they are identified. The tools aren’t just reactive. Developing a strong security posture isolates proprietary and customer data, both limiting access to it and providing additional security layers around it.
So where do you stand? Are you a gambler, betting you won’t be the next target? Unfortunately, in this game the odds are against you. Many of the attacks aren’t company-specific but broader in nature, and it only takes one employee misstep, or one unaddressed operating system vulnerability, to let the bad guys in. Fortunately, many companies are evolving and coming to this realization, but not fast enough. Which one will be the next media nightmare?
You’re going to have to pay for IT security. The question is: will you pay less up front or more after?