There’s always a lot of discussion on the Internet about how much “security” (by which they usually mean IT security) costs, and whether it’s a good ROI. (Return on Investment – another candidate for Acronym dismemberment.)
There are a lot of factors to consider, but for small to medium-sized businesses or non-profits, here are some important questions:
What is the financial risk to your company?
Repairs to systems
Reputation – loss of business due to public awareness of your company’s perceived “flaw”
Direct cost of theft
I started thinking about this from a small/medium-sized company’s perspective, after reading a commentary in a SANS NewsBite. The commentary (Yes! I’m now commenting on a commentary about a commentary on news. Does this mean I can now be a Certified Commentarian?)
The news commentary (alright, I’ll stop now) article referenced statistics from the FDIC that were provided at the recent RSA conference, most notably:
…small businesses and nonprofits have suffered some relatively large losses — $25 million in the 3rd quarter of 2009. Hackers target small businesses where the security controls are weak.
It’s an interesting article, and it summarizes the ACH and wire fraud thefts via banking Trojans that I’ve talked about previously. The commentary went on to say that, in the larger scheme of things, $25 million is a relatively small amount.
My first response was, “Not to me!” Then I began to wonder: how much money could a small/medium company lose and still stay afloat? It’s a question worth asking whenever the cost of IT security is raised.