In the world of modern business, owners walk a fine line between profitability and loss. Margins are being squeezed, and expenses are increasing. The last thing business owners want to worry about is additional losses caused by network security problems. It's beyond the scope of this book to conduct a security expenditure versus threat risk analysis, but it is appropriate to point out that the cost of an attack can affect the profit and loss of a business. This section helps business owners understand what the impact of a security incident in their company might entail. The impact on a business of being attacked can be manifold; it includes not only the obvious loss of revenue and the cost of cleaning up after an attack, but also several hidden implications and considerations.

Tangible Costs

Tangible costs include things such as loss of revenue and the administrative costs to recover from an attack. The web is rife with information surrounding tangible costs. Instead of focusing on a single report in this book, you are encouraged to use the web to research the different sites and decide which surveys and studies apply to your business. The general guideline for figuring out the tangible costs of computer security in an enterprise is to assume that an administrator or IT engineer spends approximately fifteen hours per year per desktop on security-related issues. This estimate includes operations such as attack forensics, attack clean-up, patch application, operating system upgrades, network device upgrades, syslog processing, event log processing, and antivirus maintenance. Table 1-2 is a simple calculation that shows your average expected security cost based on your number of desktops combined with a range of average pay rates for a desktop or security administrator; it assumes that you have an average security policy and that you won't be hit with a major attack.
The overall monetary cost to a small or medium-size business (SMB) will vary depending on how well your current security is deployed and on which attacks succeed within your environment. However, remember that when intangible costs (discussed in the next section) are taken into consideration, an attack can cost much more than Table 1-2 suggests. Table 1-2 illustrates that an attack can be costly and that the cost of purchasing security hardware and software to prevent such attacks is generally justified. The following are some suggested websites that are considered to be objective sources for attack and security-relevant information, including attack costs:
Intangible Costs

In addition to the traditional and obvious costs incurred during an attack, a business must consider the intangible costs. Intangible costs are those that can't be easily calculated but could represent a significant impact on a company. Some of the common intangible costs include the following:
CAUTION Keep in mind that many business owners see a list like this and respond with, "This can't happen to us, we have a firewall in place." The truth is, a firewall alone cannot stop all attacks sourced from outside or many attacks launched from inside your network!

Government Network Security Regulations

Businesses must understand the legal exposure and liabilities outlined by some recent government regulations. If you don't have the proper level of security built into your network and host devices, you might face liability with the U.S. government based on regulations dating from 2003. Governments in Europe and other parts of the world have also recently proposed or approved laws to regulate host and network security for financial and health-care organizations. Currently in the United States, three sets of regulations outline guidelines and liabilities for businesses. The first two regulations apply only if the business is involved in health care or handles financial data for customers. The third regulation was authored by the Office of Homeland Security. This third regulation doesn't involve any legal liability, but all companies should be aware of it. U.S. businesses must adhere to the following regulations:
CAUTION Don't make the mistake of thinking that, just because you run a small business, a terrorist would have no interest in gaining access to your computer or a computer in your network. The most common method of attack is for a hacker to first take over a host in a small network or university and then launch the main attack from that host. This scenario benefits hackers because no forensic data points back at them.

The principles of defense in depth (or layered security) described in Chapter 2 help to ensure that a company is compliant with many of the regulations previously described. Some of these regulations might require other technologies not described in this book, such as (but not limited to) server data encryption or audit functions. If you are responsible for finance or patient health data, recommended practice is to have a specialist in these areas determine your compliance posture.