Kathy Gibson at the IDC CIO Summit, Sandton – There’s no quick answer to the question of how much companies should spend to keep their data safe.

There are best practices for making these calculations: determining the value of data, the potential cost of a breach and how to get the most out of security.

Nada Henien, regional director: advanced security solutions: advisory division at BlackBerry

By 2020 the value of data across Europe will reach $500-billion.

There is tunnel vision in this arena, though: IT is tasked with the storage and protection of information, while business is tasked with using the information to generate revenue.

Determining how much to spend on security has to be predicated on the value of that information, Henien says, so an insurance model could be the answer.

And data is set to explode, with 99% of everything we make set to connect to the Internet – and feed data back.

As more businesses become digital, the wealth concentration will shift from the traditional to large data stores. In fact, data stores have grown eight-fold in South Africa in the last five years.

The return on security investment (ROSI) calculation can be based on the Gordon-Loeb model, but the bottom line is that companies should never spend more than 37% of the loss they would expect to suffer without security investment.
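To show where the 37% ceiling comes from, here is a worked example added to this report (it is not from Henien's talk). It assumes one of the breach-probability functions from the Gordon-Loeb paper, S(z, v) = v / (αz + 1)^β; the parameters alpha and beta and the sample figures are constructed, and 37% is 1/e.

```python
import math

def breach_probability(z, v, alpha, beta):
    # Assumed form: probability of a breach after spending z, starting from vulnerability v.
    return v / (alpha * z + 1) ** beta

def optimal_investment(v, loss, alpha, beta):
    if not 0 <= v <= 1 or loss < 0 or alpha <= 0 or beta < 1:
        raise ValueError("need 0 <= v <= 1, loss >= 0, alpha > 0, beta >= 1")
    # Maximise (v - S(z, v)) * loss - z. The first-order condition is
    # v*alpha*beta*loss / (alpha*z + 1)**(beta + 1) = 1, solved here for z.
    z = ((v * alpha * beta * loss) ** (1 / (beta + 1)) - 1) / alpha
    return max(z, 0.0)  # a negative root means the data is not worth extra spend

def assess(v, loss, alpha, beta):
    expected_loss = v * loss  # expected loss without security investment
    z = optimal_investment(v, loss, alpha, beta)
    benefit = (v - breach_probability(z, v, alpha, beta)) * loss
    return {
        "expected_loss": expected_loss,
        "cap": expected_loss / math.e,  # the 37% ceiling
        "optimal_spend": z,
        "share": z / expected_loss if expected_loss else 0.0,
        "rosi": (benefit - z) / z if z else 0.0,  # (risk reduction - cost) / cost
    }

if __name__ == "__main__":
    # Constructed scenario: 60% chance of a breach costing 10 million.
    for name, value in assess(v=0.6, loss=10_000_000, alpha=1e-5, beta=1).items():
        print(f"{name:>14}: {value:,.2f}")
```

In this scenario the optimal spend is about 11% of the expected loss, well under the ceiling; the 37% figure is an upper bound, not a budget target.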

Even ensuring that your company is compliant with regulations is just a start, Henien says; companies need to go way beyond the accepted norms.

Over the course of last year a total of 1 541 data breach incidents were reported. In these, just over 1-billion records were lost, most of them in the form of identity theft.

However, just one breach – Target – saw 40-million credit and debit cards lost, 70-million customer records compromised, 475 employees lost and 700 positions unfilled. Of the $200-million requested from insurance, only $38-million has been covered. Profit fell 46%, stock plummeted, there are still regulatory fines to come and 140 lawsuits pending. And this all happened within a few days.

Henien outlines four steps to better security: audit; divide and diversify to protect smaller targets and use more than one vendor; conduct breach bootcamps; and speak in terms of numbers and business strategy.

He reiterates that the three questions worth asking are:
* How much is your data worth?
* How much should you invest to protect this information?
* Where should you invest?