As narrated in Homer's lliad, after many failed attempts to breach the city walls of Troy, the spartans hide themselves in a giant Wooden Horse and befooled the Trojans to sneak inside the city. Even after constructing a strong defensive wall, carelessness cost Trojans dearly and they had to lose their city. In modern age computing we still use the term Trojan Horse or Trojan to designate a malicious computer program which misleads users of its true intent. Most of the times it is difficult to quantify a security breach since it may trail a long term effect. But it always helps to have some numbers in hand which help in prioritising implementations. It pays off to remain vigilant and apply preventive measures against both internal and external factors in the long run.
Study on Cost of data breach conducted by Ponemon Institute and funded by IBM in 2017 reports that in India, for budding services company like ours the cost can run upto $3.4 million annually if no security is in place. And this figure can shoot upwards substantially if the organisation is open to other factors like BYOD, loss/theft of devices, usage of mobile devices, cloud dependency etc.
In the current age sales target, marketing pressure, client's escalations, delivery deadlines many times put the security concerns in oblivion for budding organisations. Even though security measures are made trivial but still no one clamours for a security breach. A breach can cause immense loss, if the concerned organisation is not prepared. Various factors which needs to be considered while calculating the cost of data breach includes:
The unexpected and unplanned loss of customers following a data breach
The size of the breach or the number of records lost or stolen
The time it takes to identify and contain a data breach
The detection and escalation of the data breach incident
Post data breach costs, including the cost to notify victims
An attack by a malicious insider or criminal is costlier than system glitches and negligence (human factor)
Organisations must consider such factors beforehand to make better decisions about how to allocate resources to minimise the financial consequences when the inevitable data breach strikes.
Security implementations should never be considered as a target or a goal, rather an important process in helping achieve future sustainability and growth. To prove this the simplest example is that it pays to keep customer. Clients/customers always have more faith in a secured application than on an application with no fortification.
Security implementations can be built using three pillars – identify, protect, respond. To begin with every organisation should identify their critical assets, if lost or stolen will impact business the most. The next major step is to have a strong protection which in any case will not let the assets fall in wrong hands.
Once the protection fortification is in place, the organisation must regularly review the fortification, check for upgradations and mend any loophole. Last but not the least in case of any untoward incident, the organisation should be prepared to act and respond appropriately. Post data breach response includes help desk activities, inbound communications, special investigative activities, remediation, legal expenditures, product discounts, identity protection services and regulatory interventions.
It is always a good practice to imbibe compliances or processes which help in mitigating security risks. For budding organisations it may appear costly to procure compliant accreditation, which mostly is a genuine case. In such a condition it is never harmful to simply follow the best prescribed practices, indirectly improving the fundamentals of the application architecture and in turn helping the business grow.
A disciplined approach can only be implemented by following a top – down model, and the senior management in the organisation needs to be thoroughly involved with the implementation. Though appointing a Chief Security Officer (CSO) may look expensive for startups, a voluntary CSO role may be assigned to a capable team member. Employees should be trained regularly for the dos and don'ts.
Critical assets should be encrypted and stored away making them accessible to only authorised members. There are many free and open source tools readily available which can be frequently used to scan and report any vulnerability in the IT infrastructure. Using such tools helps in hardening the system. Incident management and reporting plan comes handy if any such eventuality strikes.
Generally it is difficult to foresee any missed scenarios from the perspective of a designer, creator or a manager of the organisation. To protect such loopholes, organisations can outsource help by hiring a security specialist, or launching bug bounty programs.
Security cannot be a onetime process, rather it should be implemented as a discipline and is required to be followed in every step of the software development lifecycle in the company. If a loophole in the fortification or the security implementation of IT solution left unattended, may cost business dearly in the long run, after all “A stitch in time saves nine”.
The author is VP of Technology at Xoxoday. Views are personal.