Stuart Gentle Publisher at Onrec

How much is your Reputation Worth?

Sri Rasiah (Finance Director of PentaSafe Security Technologies) highlights the financial damage that can be done to an organisation if it doesn't invest in ICT security.

Well, would you believe it, you turn around twice and October is here again, and that means Halloween's "trick or treat" will soon be knocking on the door.

What happens though, if the person trying to get your door open is not a child seeking sweets, but a Hacker(s) who may get his kicks from playing tricks, or may even be seeking to steal your bowl of sweets / financial & commercial secrets?

As a Finance Director, I have a legal duty to ensure that the organisation is financially viable and the Treasurer of a Local Authority has a similar legal duty.

Our financial system(s) enables me to monitor our financial position and even manipulate the data to provide reports and "What If" analysis of the figures, but that is secondary to being able to ensure that invoices go out on time and cash flow is monitored.

Everyone thinks that the part they play in an organisation is important and they are right, but let's not forget that "Cash is King".

If we have no money, no one gets paid and the organisation goes into receivership.

What does basic economics have to do with ICT security, you ask?

Well what do you think would be the impact on the finances of an organisation, which could not access its customer database, or had its financial data distorted?

How successful would your product launch be if your presentation was known to your competitors in advance?

It could be a case of front-page headlines for a public sector organisation that was unable to keep personal details safe & secure.

With an ever-increasing service knowledge sector, it is not necessarily what you physically make in a factory that counts, it's what you do with the information you own & produce that brings in the revenue. If you lose control of that data, you lose your business.

The damage may not be immediately visible, nor can you often quantify the loss (you need the computer system to do that), but it will be real, all the same.

The real question is what could the potential damage be:

A drop in your share price,
Loss of customer / client confidence,
Unwillingness for business partners to share confidential information in future.
A reputation for incompetence at best and
A prosecution / fine / legal action at worst.
Inability to identify creditors and debtors.
Loss of business to competitors.

Traditionally when investing in security, intangible benefits (often difficult to measure in financial terms) far outweigh the tangible benefits (easier to measure in terms of cost savings).

This causes Finance Directors difficulties, as they are trained to look for a cost justification prior to committing budget.

Let's face it, how many times has the Head of ICT promised savings from new computer systems that somehow never appear?

Yet here she is again asking for more money to buy something that will not increase production by even one widget.

Typically their focus is on 'financial audits', revenue growth and cost reduction, plus a fiduciary duty to protect the assets of the company.

The 'financial audit' is used to provide a company with a clean bill of health, i.e. there is a high level of integrity in the primary books and records. However, these audits rarely highlight the potential security threats to a company.

Most internal security audits are "snapshot audits" at infrequent intervals, which usually involve an auditor going around with a tick list.

Do you use passwords to restrict access? Yes? Oh good, another tick. But even if he asks supplementary questions, how do you know that they change them every month, as per the organisation's security policy?

What you need, of course, for audits to be effective and add value to a business, is a system that provides a recurrent, automated, proactive process that delivers "real time" information to the business, thus enabling corrective action to be taken before something goes wrong.

The current volatility in the economy is helping companies move towards higher levels of automation, as investors are no longer only focused on revenue growth but also placing emphasis on the profitability of a business.

The tendency of Finance Directors is to prioritise spend based on justifiable Return on Investment (ROI). This spend must provide direct quantifiable impact in either increasing revenues or containing costs within the business.

So how much budget should you allocate to investing in an automated security system?

Automating business processes via technology is widely used to reduce the cost base of a company.

Automating the security processes that protect your ICT infrastructure would equally demonstrate cost savings.

An illustration would be the rapid ROI that can be gained with password management.

As reported by Gartner, 40% of all help-desk calls are password related, while the Meta Group have estimated the average calls to a help desk are 1.75 calls per user per month at an estimated cost of 27 euros per call.

Thus, for a company with 1,000 employees, the cost of resetting passwords for employees who have forgotten theirs is a staggering 144,000 per year, on its own.

An automated tool that can assist employees in resetting their own passwords, without Help Desk involvement, would show immediate cost savings and increase productivity levels.

Furthermore, in a recent survey conducted by Infosecurity Europe, PentaSafe and humanfirewall.org, 75% of commuters at Victoria Station freely gave out their passwords and 54% said they would download competitive information to take with them to their next job.

This demonstrates how critical it is to instil in staff the importance of protecting company information and also protecting the company's information from unscrupulous employees.

The only way a company can do this is by ensuring employees are educated on the security policies relevant to their job function within the company.

Without an automated tool to perform this role, it is a logistical nightmare to ensure education on policies. An automated tool can enable employees to read and understand policies, via an internal website, and also enable them to take related quizzes.

The scores attained could be centrally collated to monitor the level of understanding within the company and to identify training needs.

Real life experience has shown the cost for a medium size company to develop a comprehensive set of policies adapted by job function including communication to staff and ensuring their understanding is anywhere in the region of 160,000 to 320,000.

Using an automated policy management tool could reduce this cost by 50% (this would include the cost of an automated tool of 16,000 to 32,000).

The above scenarios only relate to tangible costs. Intangible costs could be anything from disgruntled employees damaging systems to the possible implications of industrial espionage.

It has been estimated that the intangible costs of not having adequate security would be at least 10 times the tangible costs.

It needs to be highlighted that it is not just the Finance Director's responsibility, but also the responsibility of the entire board to provide adequate security to safeguard the assets of a company / organisation.

Most companies rarely have a separately identified security budget and have an overall IT budget, which is typically spent on tangible Hardware/Software/Telecommunications. Often security tends to get dropped off or fall to the bottom of the list.

It is key that security is given the right focus and an appropriate budget allocated to it.

Don't forget though, I am working on the premise that the budget can be funded, after the initial period of investment, by transferring money from savings on the Help Desk budget, etc.

After all I may understand the benefits & importance of ICT security, but I am still the Finance Director!