The New Zealand Computer Crime and Security Survey 2010 shows that almost two-thirds of businesses spend less than 5% of their total IT expenditure on security, even though the average small scale virus infection, compromised system or lost asset costs companies around $15,000 per incident.Businesses work on the principle of demonstrating good returns on smart investments. So why don’t they invest in protecting themselves from these obvious costs?The primary reason that Return on Investment (ROI) measurements are hard to apply to IT security spending is that there is no easy way to identify the optimal point of expenditure. Spending too much yields no extra return in terms of security, while spending too little is also a waste of money because it doesn’t provide any protection.Another problem is that, particularly with things such as network monitoring, there are no hard assets or data to measure ROI against. If you spend $200,000 on parameter security for your organisation, and your network security team claims it "blocked 3.5 million hack attempts” in the last financial year, do these numbers have any significance? Of the 3.5 million "hack attempts” how many were simple port scans or non-threats? What proportion of these "attacks” may have been prevented by simple common sense?The answers can be hard to find. Even many network security engineers will respond to such questions with a friendly shrug. One solution to the ROI quandary is to consider security spending as insurance for the next financial year rather than the previous financial year.Like calculating insurance for your organisation, IT security can then be measured in terms of risk reduction. How much would a security incident cost your business today? How much in six month’s time? What will be the impact to the organisation if your systems are partially or completely compromised? If you have never had a serious compromise or incident to base these calculations on, how can you work out the estimated loss relating to an event? In modelling simple scenarios (such as a compromise of your organisation’s email systems), you should take the following factors into account:
- Financial loss - raw cash that could be dropped from the bottom line as the result of an incident.
- Reputational damage and subsequent loss of sales – this may not be immediately obvious at the time of an incident, but may be long lasting.
- Impacts on productivity – incidents require significant time and effort to manage and resolve.
- Damage to data – what if your data is unrecoverable or requires significant time and resources to verify its integrity?
- System recovery and rebuild resourcing – bear in mind that lack of documentation and complexity of environments can often lead to unexpectedly long recovery times.
Several less obvious, but equally important, factors to assess are:
- Staff health – security incidents can be very stressful events and are often detrimental to staff health.
- Loss of leadership confidence – boards and shareholders will (appropriately) start questioning leadership within organisations if IT security is shown to be insufficient.
- The cost of additional expertise – a significant amount of contractor time is often required to assist in resolving issues resulting from an incident.
It has been our experience in managing IT security incidents over recent years, that almost all of the organisations affected have failed to take into account many of the above factors. We have also noted that in almost every single case, businesses and organisations had spent little or no budget on the security of their compromised systems beforehand. Subsequently, after an incident budgets are reprioritised and companies spend more on security.This is effectively the same as not taking out any insurance on company assets until after a fire has ripped through your headquarters.For organisations that haven’t invested in IT security to date, a good driver to identifying the costs of a security incident, and building the business case for investing in protection, is to develop incident response guidelines for your organisation and its environments. Incident guidelines are a great thought exercise in considering which systems may be affected, and how it will affect your organisation over time. Taking into consideration all systems, not just those in project scope, goes a long way in understanding this.It is not uncommon in 2011 to spend a significant amount of money on border security. While this is a traditional vector for attacking networks by hackers, they too have come to realise the increased security measures being implemented relating to these systems over the years. Now, more often than not, attacks are not targeted at border networks, but instead other assets such as web servers or endpoint users. This was best illustrated through the recent Aurora attacks, disclosed last year by Google. In investigating the compromise of their environment, Google also found evidence of another 34 organisations including Adobe, Rackspace and Juniper Networks being targeted as part of the same operation. From the outset it was clear the attackers were very successful in their operations. As investigations continued, it became apparent what their successful way of operating involved. In each and every case, the attackers avoided going for border networks and instead targeted user desktops within the organisations. Furthermore, the attackers leveraged legitimate network access services (typically VPN) to gain access to environments, thereby avoiding border security logs entirely.Aurora has taught us a very valuable lesson: When modelling incidents, planning future penetration testing and attempting to identify assets within an organisation requiring security attention, thoughts should be beyond traditional network assets. Care should be taken to ensure ALL systems are taken into account. Simply installing some firewalls, updating some antivirus and conducting testing on newly implement projects no longer takes into account the real world attack surface hackers are targeting. Attackers will aim for all aspects of your environment. A reputable specialist IT security company can help with planning, development of incident response and security polices including technical testing in support of the above challenges. However, organisations need to take the first steps in understanding the value of the information they have. Once you have an understanding of the data’s worth, the ROI can be calculated.