Why your big security budget isn’t taking you anywhere

Why do companies that have invested heavily in information security still suffer security breaches?

There could be any number of reasons for a company suffering a breach, but when security measures are implemented at random, the consequences can be almost as dire as having no security at all.

The reasons are simple. First, employees often see security as an impediment, and presume that the larger the impediment, the more secure the company must be. This assumption can cause employees to lower their guard, creating weaknesses in the very structure that the company is trying to secure.

Throwing money at the problem

Moreover, the more expensive an information security scheme is, the more its proponents tend to boast about how impressively secure it is.

This threat of complacency is a serious one. Breaches often happen because security personnel and their executives become complacent, and rules, policies and procedures aren’t followed.

A second point is that when the cost of security outweighs the benefit it delivers, the company has bought too much security.

Even though many companies are quick to point out that they plan to increase their information security spend, studies have shown that companies fail to evaluate the return on this investment.

Measure and assess

It is widely recognised that when companies don’t measure their information security expenditure, they often deploy complex layers of security on top of one another, creating a huge administrative burden for those responsible for managing disparate systems and software. As companies squander their budget on ‘better security’, they often fail to invest an equivalent amount into human resources to manage and maintain these systems.

Security resources can only be effective if they are properly applied, which means considering the risks that really need mitigating and allocating budgetary resources accordingly.

How risk assessments help

This can often be done by conducting an information security risk assessment. A risk assessment will uncover the problems that expose your enterprise to risk. It identifies which policies are necessary and how well you are complying with those policies. The risk assessment will also identify your company’s policy and process requirements, help to calculate the cost of improving security and estimate the benefits of implementing those solutions.

One of the key challenges of any information security regime is to evaluate and communicate the business benefits of investing in security controls.

Throwing money at the problem does not make security problems go away – in fact, it can create more problems than solutions.

Too many or irrelevant controls

Many organisations tend to implement controls as a knee-jerk response to a breach. A risk assessment provides a structured approach to ensuring that each control, and any additional ones required, is deployed to cover as many risks as possible.

At the same time, a risk assessment can uncover controls that are already in place but are no longer required, or that could be replaced with more effective controls. The funds released from unneeded controls then contribute to the cost-effectiveness of the ISMS (information security management system).

The risk assessment provides critical information about the health of the organisation’s information security regime, and provides reliable data to inform management about the current security posture and what needs to be done to mitigate risks.
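The cost-benefit step described above, and the search for controls that no longer cover any risk, can be made concrete with a small script. The following is an added example written for this page; it is not vsRisk's code or method, and every risk, control, loss figure and cost in it is constructed. It assumes a deliberately simple model in which each risk carries one expected annual loss and a control fully mitigates the risks it is mapped to; it then keeps only controls whose averted loss exceeds their cost, ranks them by benefit per unit cost within a budget, and lists in-place controls that mitigate nothing in the current risk register.

```python
"""Constructed cost/benefit pass over a risk register (added example, not vsRisk).

Model assumptions (simplifications, not a standard): each risk has one expected
annual loss; a control fully mitigates every risk it is mapped to; all figures
are invented for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    name: str
    annual_loss: float  # expected annual loss if left unmitigated (constructed)


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    mitigates: frozenset[str]  # names of risks in the register this control covers
    in_place: bool = False     # True for controls the organisation already runs


# Constructed sample register and control catalogue.
RISKS = [
    Risk("phishing-credential-theft", 120_000),
    Risk("unpatched-web-server", 80_000),
    Risk("lost-laptop-data", 30_000),
]

CONTROLS = [
    Control("mfa", 25_000, frozenset({"phishing-credential-theft"})),
    Control("patch-management", 40_000, frozenset({"unpatched-web-server"})),
    Control("full-disk-encryption", 10_000, frozenset({"lost-laptop-data"})),
    Control("security-awareness", 15_000,
            frozenset({"phishing-credential-theft", "lost-laptop-data"})),
    Control("waf", 60_000, frozenset({"unpatched-web-server"})),
    # An existing control whose only mapped risk is no longer in the register.
    Control("modem-lockdown", 5_000, frozenset({"dial-up-modem-abuse"}), in_place=True),
]


def benefit(control: Control, open_risks: dict[str, Risk]) -> float:
    """Annual loss averted by the control over risks not yet covered."""
    return sum(r.annual_loss for r in open_risks.values() if r.name in control.mitigates)


def select_controls(risks: list[Risk], controls: list[Control],
                    budget: float) -> tuple[list[str], list[str]]:
    """Greedy pick of new controls by benefit-to-cost ratio within a budget.

    Controls already in place are credited first. A candidate is considered
    only if it still averts something, fits the remaining budget and averts
    more loss than it costs (the "too much security" test from the text).
    Returns (chosen control names in order, risk names left uncovered).
    Greedy-by-ratio is a heuristic, not an optimal knapsack solution.
    """
    open_risks = {r.name: r for r in risks}
    for c in controls:
        if c.in_place:
            for name in c.mitigates:
                open_risks.pop(name, None)

    remaining = budget
    chosen: list[str] = []
    candidates = [c for c in controls if not c.in_place]
    while candidates and open_risks:
        scored = []
        for c in candidates:
            b = benefit(c, open_risks)
            if b > 0 and c.annual_cost <= remaining and b > c.annual_cost:
                scored.append((b / c.annual_cost, c))
        if not scored:
            break
        _, best = max(scored, key=lambda t: t[0])
        chosen.append(best.name)
        remaining -= best.annual_cost
        for name in best.mitigates:
            open_risks.pop(name, None)
        candidates.remove(best)
    return chosen, sorted(open_risks)


def redundant_controls(risks: list[Risk], controls: list[Control]) -> list[str]:
    """In-place controls that mitigate no risk in the current register."""
    risk_names = {r.name for r in risks}
    return [c.name for c in controls if c.in_place and not (c.mitigates & risk_names)]


if __name__ == "__main__":
    chosen, uncovered = select_controls(RISKS, CONTROLS, budget=50_000)
    print("buy:", chosen)
    print("still uncovered:", uncovered)
    print("candidates to retire:", redundant_controls(RISKS, CONTROLS))
```

With the constructed figures and a 50,000 budget the script buys security-awareness (it covers two risks for the lowest cost), cannot afford either web-server control, and reports unpatched-web-server as residual risk, while flagging modem-lockdown as a control that addresses nothing on the register. Raising the budget to 60,000 adds patch-management and clears the register; the web application firewall never wins because patch-management averts the same loss for less.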

Find out how vsRisk can help you conduct a risk assessment successfully without breaking the bank.
