While businesses have invested in technologies such as firewalls, intrusion detection, and now intrusion prevention, we are all too familiar with FUD (Fear, Uncertainty, and Doubt). How many presentations have you attended in the last six months where a security service provider discusses “Code Red”, “Nimda” or “Slammer”? The most recent of these is now two years old. So why are we still discussing them? One word, “fear”.
Fear of what exactly? Some might respond with, “Distributed Denial of Service (DDoS) attacks, Identity Theft, or the theft of intellectual property”. All of which occur. What are the odds of it happening to your company? Better than 60% of all US businesses face civil litigation at least once in the course of their operation. According to the FBI, approximately 85% of businesses surveyed in the United States last year reported a financial loss attributed to computer/cyber attacks. With decision makers’ core focus revolving around the types of attacks and whether they originated from the outside or from within, perhaps you should turn your focus to the ramifications after the attack rather than the attack itself.
It seems almost daily that a news report highlights some form of a security breach. This barrage of reports helps the FUD factor. So, is the FUD factor justified? To an extent, yes. However, is our focus in the correct area? No! If you take vendor bias out of the equation, the one common denominator in preventing potentially negligent action is understanding “what” you do is more important than “how much” you spend. Obviously a cost is associated with security. Since security usually falls under the scope of risk management, the transference or acceptance of risk is more commonly understood than the ramifications of these same risks acting as the catalyst for civil litigation.
A common complaint from middle-level management is a lack of buy-in from upper-level managers. Even with the FUD factor in play, many maintain that, since court cases are not plastered all over FOX or CNN, lawsuits in this area do not take place and therefore the actual risk is more qualified than quantified. What any experienced attorney will concur with is that non-disclosure is commonly used in the terms of settling a lawsuit. This protocol is what keeps a lawsuit out of the public eye, not a lack of occurrence.