Over 80% of the market value of Fortune 500 companies is based on their intangible assets. That is an amazing figure. So the value of spending on information security should be measured in terms of the potential loss of company value in the event of a breach.
As smaller businesses, we do not have the massive multipliers of value that the Fortune 500 companies do, but we also do not have the deep pockets that can be required to fund the clean-up and recovery of compromised systems. Whether it is asset value or cash flow risk that motivates us to protect our business systems, the steps are the same at a strategic level for any scale of business:
- Estimate the impact to the business of a security breach or loss of access to data
- Anticipate the potential points of failure or breach
- Estimate the cost of mitigating the risks
- Perform a cost-based analysis of which risks to mitigate and set priorities
- Perform the mitigation activities for the highest risks until the budget is exhausted
- Hope you have done enough to outrun the next business
That last point goes back to the old adage that if you are walking in the woods with friends and your group is attacked by a hungry bear, you do not have to outrun the bear, you just have to outrun the slowest of your friends.
In shocking news last week, an individual published a list of ten million usernames and passwords to show just how vulnerable we all are. He kindly left out domain names and details of where the usernames were to be applied, but the comment was that these were a subset of the billion sets of account details he was able to find in plain text on the internet.
We do not have the luxury of endless IT budgets for defence against cyber-crime, but we do need to heed the risks we are taking and take some action to isolate and protect our systems. I have written previously about the risks from hackers, viruses, Trojans, crypto locks and so forth, but the risks are escalating while the defences in small businesses are not keeping pace with the threats.
The key to staying ahead of the game in 2015 is going to be the strength of the team you have working on defence. It need not be a full-time occupation for a small company.
Leaning on assistance from experts who are working with multiple businesses will spread the cost of research and learning and offer your business better protection than relying on your internal IT resources to keep up with what is going on in this arena.
A busy support person lacks the time to keep up with security implications and solutions across the range of technologies you have deployed in your business today, so make sure you take a strategic, team-based approach to maintaining a secure IT environment.
David Markus is the founder of Combo – the IT services company that is known for solving business problems with IT.