Monday, May 09, 2005

aol e mail com

Determining E-mail Security ROI

When attempting to extract meaningful hard-cost data to evaluate e-mail security ROI, damages can be broken into two categories: Ongoing or Catastrophic. Ongoing costs tend to occur continually and increase in scale. For instance, a 10% increase in spam volume will result in 10% higher costs. Catastrophic costs, on the other hand, are "one-and-done" losses that are intermittent but categorically high when they occur. An example of a catastrophic cost would be a single security breach that allowed theft of proprietary intellectual property, causing millions of dollars in losses. In general, failure to prevent e-mail intrusions will result in expenditures that qualify as catastrophic.

Liability

Last week's IronMail Insider discussed the costs associated with allowing inappropriate material to cross the enterprise gateway or pass between workstations. The lawsuits resulting from companies failing to enforce e-mail policy and being held responsible for the messages crossing their networks all resulted in catastrophic costs to the enterprise.

As with policy enforcement (and encryption, the topic of next week's newsletter), intrusion prevention is paramount to a company's efforts to comply with legislation regarding customer, financial and patient information security. Federal legislation such as HIPAA, Sarbanes-Oxley and GLBA provides for steep financial penalties for corporations that fail to take the necessary steps to ensure information security (up to $250,000 per incident). In addition, potential arrests and criminal charges for company officers, and costly lawsuits from customers and patients, should provide all the incentive necessary for companies to do anything possible to protect classified information.

A terrifying example of the liability faced by an organization that fails to prevent intrusions happened very recently. On August 1, 2004, a database intrusion occurred through one unsecured computer at the University of California - Berkeley. The intrusion wasn't discovered until August 30, meaning the hackers had a full month of unfettered access to the personal information of as many as 1.4 million disabled and elderly Californians, opening the door to a potentially devastating class action suit by those affected. This incident serves as a disturbing reminder that a single workstation can sacrifice the identities of millions.

Reputation

Loss of trust from partners and customers due to a company's failure to prevent hackers from accessing its network can be just as destructive as any lawsuit. Failure to prevent intrusions into an e-mail system will leave administrators with few, if any, options after the damage is done. Business partners will be understandably reluctant to share any of their proprietary information, and customers will likely look to your competitors to ensure that their private data is safe.

Not surprisingly, most companies will go to great lengths to hide the fact that their systems have been compromised. Over 50% of respondents to the 2004 Computer Crime and Security Survey by the FBI and Computer Security Institute indicated that they did not report system intrusions to law enforcement or legal counsel because of fear of negative publicity. Of course, if they'd had effective intrusion prevention in the first place, there wouldn't be anything to report.

Ass
