A recent article in Belgium’s leading IT magazine Data News highlighted once again the gap between the importance of security for organizations on the one hand and the investments that are being made to secure their infrastructure on the other hand. A survey by Ernst & Young leads to the conclusion that no less than 88% of the Belgian organizations believe that their security infrastructure does not meet the organization’s needs. And about two thirds of the organizations believe that the information security budget should be at least 50% higher than it is today.
I would be lying if I said that this comes as a complete surprise. The percentages are high, but they confirm the general impression we get daily when talking to our customers and partners. Companies seem reluctant to face the real dangers, because doing so would mean making the investments needed to prevent major security breaches. But that also means ignoring the possible business impact of such a breach.
Huge business impact
But have you ever considered how big this business impact can be, and on how many levels it can occur? Security breaches can affect numerous aspects of the business. They can lead to serious loss of image in general and, more specifically, to reduced customer trust, which may cause customers to buy or invest elsewhere. It could be worse still: if your customers have suffered financial or other damage, they may file a complaint and demand compensation, which could lead to expensive lawsuits and even more damage to your company's image.
And we haven't even started to list the operational costs. The cost of unavailability, for instance: how many customers and transactions have you lost by not being available online? Added to this are other costs, such as those of analyzing, identifying and, last but not least, reporting on the exact nature and impact of the breach(es). Not to mention the fact that you will eventually have to invest in a better security infrastructure anyway.
The problem and the solution
So why don't organizations acknowledge the huge risk they are exposed to and act accordingly? The problem is that many organizations make security decisions based on the facts of yesterday to prepare for the challenges of tomorrow. This is bound to go wrong because it is based on an outdated reality. Every organization relies far more heavily on data than it did a couple of years ago, and almost every organization relies on its ICT infrastructure to become faster and more competitive. But the more dependent you become on your data and infrastructure, the higher the level of security you need to apply.
That is our message to the CEO and board of every organization: it is high time to reassess the importance of ICT, and therefore of security, for your organization. It is equally high time to raise IT security (and the CIO) to C-level, so that these questions get asked, and answered, systematically instead of once every two or three years.
We can also offer some advice on what needs to be done most urgently. You should, for instance, aim for a layered, connected security strategy. Think in terms of multiple lines of defense, from the end user through the network infrastructure to the servers, so that information is properly protected at every layer. And security should be on your mind from the start whenever you embark on a new ICT project or infrastructure, not bolted on afterwards.
On a more practical level: ensure adequate password security and an equally adequate level of user awareness; make sure you run the latest versions of your security products (vendors are quite responsive in tackling new threats, and it would be a waste not to take advantage of that); patch regularly; and use vulnerability shielding to prevent recently discovered vulnerabilities from being exploited by "the bad guys" before a patch can be applied.
If you apply all that, you will be better prepared for all the threats that await us in 2016 and beyond. Check them out here.