What are a few days of your business operating normally worth to you? How much would it cost your business to get shut down for days or weeks at a time? Then, compare that with the cost of being proactive about security.
Having been in the industry for 14 years now, we have verified that the cost of fixing the problem after a breach is at least four times the cost of doing something before it happens – and that’s before you factor in the lawyers.
Reaching out and listening to my customers every day, I've been receiving some common messages. Unless you’ve been living under a rock the last six months, you probably already know. In this economy, everyone is looking to retrench and consolidate. CEOs have tightened the purse strings, and stuck a roll of duct tape over the top for good measure.
So what is the response of the savvy IT manager who needs to make the case to his CEO and CFO? "Last year, I already saved you 6 or 8 times from having to close up shop. During these times, when we need to keep all the existing customers we have, can we really afford not to continue to be proactive about security?" It usually doesn’t take long for the truth to hit home: doing nothing now will cost you way more next week, next month, or next quarter than doing something now to prevent it.
Let’s imagine a web security breach occurs. Before we even get into the cost of remediation, how much would an organization lose if it had to shut down even for a day? Because a security breach impacts the whole organization, not just the IT department, our observations of client behavior show that a day is the absolute minimum needed to resolve one. The cost will be unique to every organization, but every CEO should have an idea of the impact.
A day-long shutdown assumes that once a problem is discovered, it can be isolated and fixed, and that the problem then goes away. But we’ve found amongst our clients that once a breach occurs, the issues aren't necessarily simple and straightforward. A hacked website problem suddenly morphs into a database problem and a backup and recovery issue affecting multiple systems.
For more information on ROI for web security, take a look at our white paper, Calculating Return on Investment (ROI) For Web Application Security. We found that, going by Darwin Insurance Underwriters’ figures for an average-sized security breach (exposing 99,000 records), the cost to the company could be from about $9 million to over $14 million. Even a breach on a much smaller scale could put many companies out of business.
After-the-breach remediation, fines and civil litigation don’t have to eat into your budget. A simple bottom-line analysis shows that being proactive about security is the cost of doing business. Bottom line? What are your reputation and customer trust worth, regardless of economic circumstances?
Contributed by Steven Smith, PCIS / Boonbox Sales
Vaclav Vincalek March 16th, 2009 05:34:39 PM