Cyber Security is Not a “Cost” … However, You Still Need to Pay.
I’ve heard Cyber Security referred to in many ways during my time working with computers. Some of the descriptions I’ve heard include statements such as:
- “Cyber Security is a cost of doing business.”
- “Cyber Security is a necessary evil.”
It wouldn’t surprise me in the least if most people reading this newsletter have similar opinions. To be perfectly honest, I used to have the very same opinion. The problem with that sort of thinking is simple:
IT IS DANGEROUSLY FLAWED!
Now then, I know that using all capital and bold letters is something that went out when AOL died (remember CDs?), but I really can’t stress hard enough just how wrong that line of thinking is.
I got on this train of thought while reading an article about the EQUIFAX Breach. So far it has cost them $1.5 Billion and could easily cost them that much all over again in the future. I started to wonder about the sort of mindset that would lead to something like this. That’s when I started thinking about the attitude towards Security that I’ve seen from most of the organizations I’ve performed audits on.
Most of them approached Cyber Security like it was an expense; just another cost of doing business. The trouble with that approach is elementary. The purpose of any business is to make money. A government organization isn’t quite the same, but they still need to do as much as possible with the money they are given, so costs still need to be reduced.
In both cases, the response to expenses is the same: they need to be minimized. However, Security is an area where you just can’t cut costs without additional considerations.
As a simple example, if you want to cut costs in Cyber Security, you would assume that one firewall is just as good as any other, right? Wrong!! A good firewall for a large company can cost thousands of dollars. Why pay so much when one worth only a few hundred could handle the passing traffic? That is the sort of thinking that will lead to your network being compromised.
It goes without saying that Security doesn’t happen by itself, for free. It takes effort and often money to improve Security. At the same time, money doesn’t make itself. It doesn’t matter if you’re a government or a business; the amount of money available is not unlimited. The problem you have is two competing ideals:
- Security needs to be paid for in time and money.
- You don’t have unlimited money or unlimited time.
The question is “Which one is more important?” Nobody wants to be less secure, but the truth of the matter is that if money is more important, that means you are willing to sacrifice your Security and pay less for a solution that doesn’t fully address the situation.
Instead of approaching Cyber Security as an expense, look at it as an investment. The payoff is that, hopefully, you will never face a massive bill that you’ll be forced to pay (such as EQUIFAX). If it’s an investment, then money becomes a secondary consideration. It becomes more important to contemplate effectiveness.
When it comes to Cyber Security, I’m not saying go out and buy the most expensive things you can. Treating it as an investment means you need to keep your attention on the actual problem you’re trying to solve. Then go looking for solutions that will fit your budget. Keep in mind that some solutions require more man-hours than others. That should be considered a cost. While you’re spending time working with the solution that solves a specific problem, you are tied up and unable to perform other duties you may have.
It’s a delicate balancing act. Depending on the management’s attitude, it can be made much harder than necessary. It’s not simply a problem that can be solved by throwing money at it. You also need to have proper policies and procedures in place that help enforce Security by practice in your organization. There also need to be checks along the way to make sure that these are being followed.
EQUIFAX had policies and procedures in place that would have prevented them from being hacked. However, they were not enforced. Management knew this was happening, since it had been reported directly to them in multiple audits over the years, yet did nothing about it. Learn from their example and provide the proper resources and support to ensure that your organization is protected.
If you have any questions about Effective Security, you can always reach out to your TRINUS Account Manager for some stress-free IT.
Courtesy of your Friendly Neighbourhood Cyberman.