JobStreet.com - Malaysia


 

Safe and financially sound
by Sri Rasiah

How much is your reputation worth? The following article highlights the financial damage that can be done to an organisation that does not protect its information and knowledge with security tools.

What would be the financial impact on an organisation that couldn’t access its customer database or had its financial data distorted? How successful would your product launch be if your presentation were known to your competitors in advance? How damaging would it be for a public-sector organisation to hit the headlines because it has been unable to keep people’s personal details secure?

It’s not necessarily what you make in a factory that counts; it’s what you do with the information you own that brings in the revenue. If you lose control of that data, you lose your business. The damage may not be instantly visible, and you won’t be able to quantify the loss without an adequate computer system, but it will be real all the same.

The potential damage could be:
  • a reduction in share price;
  • a loss of customer confidence;
  • an unwillingness among business partners to share confidential information in future;
  • a reputation for incompetence;
  • a prosecution;
  • an inability to identify creditors and debtors;
  • a loss of business to competitors.

Traditionally, when investing in security, intangible benefits far outweigh the tangible benefits. The finance department usually wants to see a cost justification before committing to a budget. Typically, the finance director’s focus is on financial audits, revenue growth and cost cutting, plus a fiduciary duty to protect the assets of the company. But audits rarely highlight potential security threats to a business. Most internal security audits are snapshot audits at infrequent intervals and involve an auditor going around with a tick-list.

For example, do you use passwords to restrict access? Yes – tick. But auditors rarely check whether users change their passwords every month, even if this is part of the organisation’s security policy. For audits to be effective and add value to a business, companies need a system that runs as a recurrent, automated, proactive process and provides real-time information. This would allow them to take corrective action before things go seriously wrong. The current volatility in the economy is encouraging companies to move towards higher levels of automation, as investors focus on the profitability of a business instead of looking at its revenue growth alone.

Most finance departments base their spending priorities on justifiable return on investment. Any new allocation must provide a direct, quantifiable impact on either increasing revenues or reducing costs. So how much budget should you allocate to investing in an automated security system? Automating business processes is widely used to reduce the cost base of a company. Automating the security processes that protect your information and communications technology (ICT) infrastructure can equally demonstrate cost savings.

One example of this is the rapid return on investment that can be gained by improving password management. Gartner in the United Kingdom has reported that 40 per cent of all helpdesk calls concern passwords, while the Meta Group has estimated the average number of password-related calls to a helpdesk is 1.75 calls per user per month at an estimated cost of 27 euros per call. A company with 1,000 employees therefore spends £144,000 every year simply to reset passwords for employees who have forgotten them. An automated tool that can help employees to reset their own passwords without calling the helpdesk would show immediate cost savings and raise productivity levels.

Furthermore, a survey conducted by Infosecurity Europe, PentaSafe and humanfirewall.org showed that three quarters of commuters polled at London’s Victoria Station freely gave out their passwords and 54 per cent said they would download competitive information to take to their next job. This shows how critical it is to instil in staff the importance of protecting information.

The only way to do this is to ensure that employees are educated about the security policies that are relevant to their jobs. This can be a logistical nightmare, but an automated tool can enable employees to read policies on an internal website and to test their knowledge with related quizzes. The scores attained here can be used to monitor levels of understanding and identify training needs.

The cost for a medium-sized company to develop a comprehensive set of policies adapted by job function, including communication to staff and ensuring their understanding, can be anywhere from £160,000 to £320,000. An automated policy management tool could reduce this by 50 per cent (this includes buying the tool for £16,000 to £32,000).

These are all tangible costs. It has been estimated that the intangible costs of inadequate security – anything from disgruntled staff damaging systems to industrial espionage – can be at least 10 times more.

It is the responsibility of the board to safeguard the assets of the organisation. Firms rarely have a separate security budget, and their IT budget is typically spent on tangible hardware, software or telecommunications. Security tends to be dropped off the bottom of the list.

But it is not enough to say that it’s crucial that security is given an appropriate budget. It’s also important that the budget can be funded, after the initial investment, by transferring money from savings on areas such as the helpdesk budget.

Sri Rasiah is Finance Director of NetIQ, United Kingdom. This article is contributed by CIMA, The Chartered Institute of Management Accountants, and it first appeared in its monthly magazine, Financial Management, for CIMA members.


