Identifying priorities in IT security spending

Understanding your business’s priorities in terms of security spending is simple. It starts and ends with protecting your reputation, and therefore your customer data. Identifying what those specific priorities are does, however, take a little more time, though not necessarily more investment.

Avoiding a situation where hackers post a file containing the passwords of over six million of your customers to the web (LinkedIn in June 2012) could be classed as a priority in terms of security spending. You may suffer a virus attack internally which, whilst somewhat annoying, is largely irrelevant as long as your customers’ data is not compromised – unless of course it affects customer service, which will in turn also affect your reputation.

Therefore, it is up to anyone with externally facing systems to determine what information they hold about their customers and how it is protected. The way to do this is to regularly test your defences with external third-party vulnerability testing. This activity cannot be treated as a one-off project; it is an on-going process. From it, a business can identify its risks and decide how to tackle them based on their impact on reputation and customer data.

In addition, businesses must also conduct their own internal assessment of all risk. There is of course some necessary spend on the hygiene products that ensure a decent perimeter security system, such as anti-virus and anti-spyware, but after that, to avoid wasting money, risks have to be prioritised according to your business environment. For example, you can invest in some sophisticated security event logging software, which is useful when a security event happens, but you’d rather invest first in preventing that event from happening at all.

There is a perception that security breaches happen when clever hackers find some kind of technical weakness in a company’s systems, which means you have to spend lots on even cleverer security software, but largely this is not the case. Most breaches come down to people making mistakes internally. These might be mistakes in how a system is configured, or simply carelessness in handling data. Businesses would be far better off spending time, rather than money, on avoiding these problems.

Adrian Polley, Director

