August 21, 2009

Network and Cyber Security Needs TLC

Many people tend to view technology, and specifically network or cyber security, as a one-time event, much like the wiring of a building. The idea being that one would plan out an elegantly designed system, pay a contractor to implement it, and then walk away. However, when it comes to technology and specifically security, excellent planning, infrastructure and execution aren’t enough. Whether in the physical world or in IT, security is an ever-changing environment that needs to be continually monitored, managed, and updated.

Security procedures need to constantly evolve. The good news is that the methods used to mitigate risk haven’t changed much over the past several years, even as technology has progressed. When it comes to IT risks, companies can:

a) Accept the risk (i.e. do nothing)
b) Transfer the risk (purchase insurance)
c) Mitigate the risk (purchase security software and consulting services)
d) Avoid the risk (transfer away the assets involved)

Many companies accept the risk. In their mind, the cost of purchasing up-to-date security exceeds the cost of simply replacing the potential data loss. The downside to this approach in the modern era is that often the loss is more than just data, and can include real financial loss due to financial accounts being illegally accessed, lost employee hours mitigating side effects of an intrusion, consulting fees, and legal fees.

Transferring the risk is often a step most companies aren’t even aware of. Insurance is available for most common security concerns (theft/fire/flood) and can often occupy a great middle ground when the costs of mitigation are too high relative to the data being protected. A site-level disaster, for example, might be incredibly expensive to mitigate. One of the common failures of insurance is that although the compensation may be generous, the time to receive it may not be as quick as a company might like. Smart companies use insurance to bolster existing countermeasures or shore up weaknesses.

Risk mitigation is a security consultant’s bread and butter. Often, many vendors “entice” consultants with special promotions or other offers to get them to pitch their products to customers. Having a neutral, objective review of the assets to be protected as well as multiple mitigation strategies is always in a company’s best interest.

Finally, some companies may avoid the risk altogether by moving the asset entirely. If the cost of protecting and maintaining payroll information is too high, and the function can be outsourced, this would reduce the burden of keeping up with various regulations and reduce the risk to zero.

All of these strategies need to be reviewed on a quarterly basis and policies, procedures and technology must be kept current in as close to real time as possible. Often, changes to a corporate environment will dictate a necessary change in one’s risk exposure, yet no change will be made because the risks will not have been reviewed.

Continuous reviews of potential risks will lead to a better understanding of network and cyber security, as well as foster a culture of proper behavior. In the long run, corporations that understand the need for continuous security will outlast the ones that invest early and forget to re-evaluate.
