I was reading a blog post by Christopher Burgess on SecurityIntelligence, “How the Value Outweighs the Cost of Security”. He asked, “what was the cost of security in your organisation?”, and noted that businesses without an unlimited budget must work out the most effective way to allocate their resources.
What Makes a Secure Organisation?
According to a Ponemon Institute study, the cost of cybercrime varies with the size of the company. Smaller enterprises bore a higher proportion of their cybercrime costs from web-based attacks, phishing and malware, whereas larger companies incurred higher costs from malicious insiders, malicious code, denial-of-service (DoS) attacks and stolen devices.
To help enterprises mitigate the cost of security and address these risks, Ponemon identified nine features of innovative and cybersecure organisations:
- Security posture. Evaluate potential security risks and make clear that employees' job security is tied to the company's security.
- Information management. Determine where your data resides and who has access to it to prevent breaches of sensitive data.
- Information governance. Guard against ransomware by backing up data, isolating those backups from the production network, investing in storage, encrypting the backups and verifying that they can actually be restored.
- Data protection. Invest in technologies that reduce information loss and enhance security by shifting budgets to application and data layers rather than network layers.
- Application security. Build security into applications and test for vulnerabilities before releasing them to consumers. Ensure all technologies affecting the application are kept up to date, patched and secured.
- Detection and recovery. Invest in technologies to reduce the time between discovery and remediation of attacks.
- Third-party risk. Verify that the vendors and partners that provide doors into your company are protecting your data.
- Insider threat. Host security awareness training and foster self-policing environments.
- Security information and event management (SIEM). Monitor and correlate events in real time to detect security threats.
Clearly, regardless of your size, making the most of your security budget is critical, but how should you spend it? Should you:
- Protect your key assets, or
- Thinly spread your budget over an array of various assets?
Let's explore the options.
OPTION 1 - Protecting your key assets. One school of thought suggests identifying which assets are critical to your business success, competitive advantage and continued operation, and concentrating your efforts on protecting these from cyber criminals. The downside of this approach is that the assets you have not secured become the route in: an attacker who compromises a lower-priority system that has access to a key asset reaches that asset anyway.
For instance, do you know which systems and third parties, such as suppliers and contractors, have access to your critical assets? The UK's CPNI argues that you should “establish a full and accurate picture of the impact on your organisation's reputation, share price or existence if sensitive internal or customer information were to be stolen.” Wherever that data goes, those points need to be protected as well.
OPTION 2 - Thinly spreading your budget across many areas may produce a feeling of being more secure. However, the level of control achieved in each area may not be sophisticated enough to detect or withstand the more complex attacks.
Where to start?
Spend some time mapping out where your assets are, who and what can reach them, and the attack paths that result. Check whether your data is properly segregated and isolated, and whether each asset has adequate security controls applied. In the end, whichever option you choose, it comes down to your risk appetite and what kind of data you have to protect.
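As an added illustration (this is not code from the original post), the following Python sketch models the mapping exercise described above and the Option 1 question of which systems and third parties can reach your critical assets. It takes a constructed inventory of systems and the access each one has, a set of entry points an attacker might start from, and the assets you consider critical; it then lists the attack paths, counts which intermediate systems sit on the most paths (the best place to spend on a control), lists where the critical data flows onward, and re-runs the analysis after a proposed control to show how many paths it closes. All node names and edges are made up for the example.

```python
"""
Attack-path mapping over an asset/access graph (added example, not from the
original post). The inventory below is constructed for illustration only.
"""
from collections import Counter, deque

# Constructed inventory: system -> systems it can reach (network access,
# standing credentials or data flows). Edges are directed.
ACCESS = {
    "internet":          {"web-frontend", "vendor-vpn"},
    "vendor-vpn":        {"supplier-portal"},       # supplier remote access
    "supplier-portal":   {"erp-db"},                # supplier integration writes orders
    "web-frontend":      {"app-server"},
    "app-server":        {"customer-db", "cache"},
    "cache":             set(),
    "contractor-laptop": {"jump-host"},             # contractor-managed device
    "jump-host":         {"customer-db", "erp-db", "hr-db"},
    "customer-db":       {"backup-store"},          # nightly replication
    "erp-db":            {"backup-store"},
    "hr-db":             set(),
    "backup-store":      set(),
}

CRITICAL = {"customer-db", "erp-db"}          # the "key assets" of Option 1
ENTRY_POINTS = {"internet", "contractor-laptop"}  # where an attacker plausibly starts


def attack_paths(access, entry_points, critical):
    """Return every simple path from an entry point to a critical asset.

    A path stops at the first critical asset it reaches; the DFS keeps a
    visited set so cycles in the access graph cannot loop forever.
    """
    paths = []

    def dfs(node, visited, path):
        if node in critical:
            paths.append(tuple(path))
            return
        for nxt in sorted(access.get(node, ())):
            if nxt not in visited:
                visited.add(nxt)
                path.append(nxt)
                dfs(nxt, visited, path)
                path.pop()
                visited.discard(nxt)

    for entry in sorted(entry_points):
        dfs(entry, {entry}, [entry])
    return paths


def choke_points(paths):
    """Count how many attack paths pass through each intermediate system.

    A system on many paths is where a single control (segmentation, MFA,
    removing standing access) removes the most exposure per pound spent.
    """
    counts = Counter()
    for path in paths:
        counts.update(path[1:-1])
    return counts


def data_sinks(access, critical):
    """Every non-critical system the critical assets send data to (backups,
    replicas, analytics feeds). These inherit the data's sensitivity and
    need protecting too, which is the point about 'wherever the data goes'."""
    seen, queue = set(), deque(critical)
    while queue:
        node = queue.popleft()
        for nxt in access.get(node, ()):
            if nxt not in seen and nxt not in critical:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def without_edges(access, edges):
    """Copy of the graph with the given (src, dst) edges removed, used to test
    how a proposed control changes the attack paths before buying it."""
    trimmed = {node: set(targets) for node, targets in access.items()}
    for src, dst in edges:
        trimmed.get(src, set()).discard(dst)
    return trimmed


if __name__ == "__main__":
    paths = attack_paths(ACCESS, ENTRY_POINTS, CRITICAL)
    for path in paths:
        print(" -> ".join(path))
    print("choke points:", choke_points(paths).most_common())
    print("critical data flows onward to:", sorted(data_sinks(ACCESS, CRITICAL)))
    # Proposed control: the contractor jump host loses standing access to the databases.
    trimmed = without_edges(ACCESS, [("jump-host", "customer-db"), ("jump-host", "erp-db")])
    print("attack paths after control:", len(attack_paths(trimmed, ENTRY_POINTS, CRITICAL)))
```

On the constructed inventory this finds four paths to the two critical databases, shows the contractor jump host as the only system on two of them, flags the backup store as a place the critical data ends up, and shows that removing the jump host's standing database access halves the number of paths. Replace the inventory with your own CMDB or cloud IAM export to get the same view of your estate.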
Need assistance? Talk to us about our Cyber Rapid Risk Readiness Assessment (CRRRA).