Why cutting costs in IT security is a bad policy

Business IT security is a perennial favourite topic of discussion. From SMEs to multinational corporations (and even in government circles), the security of IT systems is much discussed, and yet there is a feeling that it is not always given the consideration it deserves.

At a recent conference, CompTIA CEO Todd Thibodeaux suggested that it would be sensible to allocate 10% of a company’s IT budget to providing security, and yet the evidence suggests that in reality this is often not the case.

For example, a Gartner survey recently found that the industry average spend on IT security is only about 5% of the IT budget. Perhaps even more startling is a report by the Ponemon Institute, Cenzic and Barracuda Networks which found that 88% of companies surveyed spend more on coffee than they do on securing web applications!

In my experience this isn't unusual. If we took a poll across a cross-section of small businesses, I suspect many would say they either don't have a specific budgetary allocation for IT security or that it is a minimal amount. So why is there a shortfall between the professionally suggested levels and the reality of IT security within the business world?

Having spoken to and worked with countless IT managers and business owners, I find the anecdotal evidence is that providing IT security is, to many, a task with somewhat intangible benefits. Like buying insurance, investing in IT security doesn't give an immediate, visible business benefit in the way that purchasing a smartphone or company car does.

In fact, very much like insurance, it's a purchase that will only really remind you of its worth when disaster strikes, and at that point it will also make it very evident whether you bought the right or the wrong product for your needs.

Whilst failing to buy the right level of protection could leave your business open to serious problems, paying over the odds for products you don't need makes equally bad business sense. So, like most business decisions, finding the right balance is vital.

The suggested 10% of budget may be a good guide, but naturally all organisations are different and the appropriate amount will vary depending on a wide range of factors, including the type of business and the potential threats to it.

When considering IT security for a business it is vital to understand the types of threats that could be a problem and the weak points in the organisation that leave it vulnerable. For companies that run an online ordering or sales system, this could mean a specific threat to customers' account or financial details from IT-savvy criminals.

Most businesses hold personal details on their systems, and there is a real risk that these can be accessed remotely by attackers if proper protection is not in place. At the most basic level, all businesses are exposed to malware arriving by email and to lax security at the organisation's premises, both at a physical level and in terms of the IT safeguards in place.

The physical security of premises is a vital, if sometimes overlooked, consideration with regard to information security. Allowing unauthorised people to enter the premises opens up the possibility that a malicious visitor could access systems and steal valuable information, or even walk out with the hardware itself. Despite the ability to attack business systems remotely, physical intruders are still a very real danger.

Businesses often forget the protection they already have through existing IT investments, which may not be fully utilised. Business systems often incorporate a certain degree of security built in, such as password protection, which is vital to IT security but only helps if it is actually switched on and enforced. A robust policy that ensures employees and management use passwords that are not obvious (no company name, user name or dictionary word with a digit tacked on) and are hard to guess or crack will significantly tighten security, as long as users don't just keep the details on their desk!
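As an added illustration of the kind of password rule the paragraph above describes (this is example code written for this page, not ramsac's own tooling), the following checker rejects the passwords an attacker tries first: anything on a small blocklist of common passwords, even after "leetspeak" substitutions and a trailing year or punctuation are stripped, anything containing the user's own login name, anything containing the company name, and anything with almost no variety of characters. The company name "acme" and the blocklist are constructed for the example; a real deployment would load a far larger breached-password list.

```python
"""Minimal password-policy checker (illustrative example, not a product)."""
import re
from typing import List

# Constructed sample blocklist. A real policy would use a large list of
# passwords seen in public breaches, but the matching logic is the same.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}

# Hypothetical company name(s); attackers always try these first.
ORG_WORDS = {"acme", "acmecorp"}

# Map of the usual "leetspeak" substitutions back to plain letters so that
# 'P@ssw0rd' is compared as 'password'.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalise(password: str) -> str:
    """Lower-case the password, drop a trailing run of digits/punctuation
    (e.g. '2024' or '!'), then undo leetspeak substitutions."""
    base = password.lower()
    base = re.sub(r"[\d\W_]+$", "", base)   # strip trailing '2024', '!', '_1' etc.
    return base.translate(_LEET)


def check_password(password: str, username: str, min_len: int = 12) -> List[str]:
    """Return a list of policy violations (empty list means the password passes).

    Codes: too_short, common_password, contains_username,
           contains_org_word, low_variety
    """
    problems: List[str] = []

    if len(password) < min_len:
        problems.append("too_short")

    base = normalise(password)

    # 'Password2024!' and 'P@ssw0rd' both normalise to 'password'.
    if base in COMMON_PASSWORDS:
        problems.append("common_password")

    # The login name is the first thing a guessing tool combines with digits.
    if len(username) >= 3 and username.lower() in base:
        problems.append("contains_username")

    if any(word in base for word in ORG_WORDS):
        problems.append("contains_org_word")

    # 'aaaaaaaaaaaa' satisfies a length rule but is trivially guessable.
    if len(set(password)) < 4:
        problems.append("low_variety")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a user whose login name is 'rmay'.
    for candidate in ["P@ssw0rd2024", "Acme2024!", "rmay-Secret-1",
                      "aaaaaaaaaaaa", "correct horse battery staple"]:
        verdict = check_password(candidate, "rmay")
        print(f"{candidate!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

The point of the normalisation step is that a rule such as "eight characters, one digit, one symbol" is satisfied by exactly the passwords that cracking tools generate first; the checker compares what the password reduces to, not what it looks like.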

Despite all the planning, in my experience many organisations lapse in their IT security from time to time, often when security software needs upgrading or renewing. Because it is an 'out of sight, out of mind' technology, cash-starved businesses may let this step slip, and a period of expired licences and unpatched software is undoubtedly one of the most vulnerable times for IT security within an organisation.

Much like insurance, IT security is something that will cost a business dearly if it doesn't consider the consequences of not having the right cover in place. Whilst additional financial outlay is never welcome, IT security should be seen as a necessity, much like other critical business expenses such as telephones or an office. After all, you wouldn't do without fire alarms and fire extinguishers just because you haven't had a fire!


Robert May founded ramsac in 1990. He is responsible for business strategy, technology design and industry partner relations. Prior to ramsac, Robert worked in most sectors of the IT industry, including training, programming, software development, technical support, sales, channel management, network installations and systems consultancy working for Orchard Business Systems, Orchard-ACT, Paxus Professional Systems and Solution 6.