The information that must be protected at any Olympic Games is so valuable that it justifies all efforts to guard it. However, in companies, where the scale of the IT structure is not usually on the level of the Olympic Games, financial investment in security is not always enough to protect information. On the one hand, it is possible that security investment is insufficient, and therefore inefficient. On the other hand, it is just as absurd to leave a system unprotected, as it is to overprotect it, as, in this case, money invested becomes money wasted.
When you evaluate the expenditure to be made on an IT security structure, there are three aspects that must be taken into account. First, you must know the value of the data or systems to be protected. This is probably some of the information most difficult to obtain in a company. How much is a company's know how? Or even more difficult, what is the current value of the project of a new product that is still at the development stage? The number of variables to be considered is endless, and in many cases, impossible to quantify objectively. The best way to obtain this data is through indirect calculation, that is, by measuring not total losses, but financial loss caused by loss of information.
Just imagine, for example, the cost of having your company's network halted for an hour. If you divide your annual turnover by the number of working hours, you will see the cost of having your servers at a standstill for an hour.
The second aspect to be considered is the investment to be made on security systems. Under no circumstance should you have a budget that exceeds the value of the information to be protected. This would be like keeping an old stained rag in a safe, as the cost of the safe is greater than the cloth. A security system like this would be redundant. (Unless of course the rag was stained by Leonardo da Vinci, and called the Mona Lisa, then maybe some additional expenditure on extra security measures might be in order).
Finally, you have to calculate how much it would cost for an attacker to breach security measures and access protected information. This should be very high, that is, to obtain certain information must be far more costly than the information itself. In this way, you are setting up an intangible barrier that is very difficult to get over, since, if it is not worth breaking into a system, almost nobody will try to do it. At least, most attackers will be dissuaded from doing it.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.