Security investments come under scrutiny

Making security pay is a matter of understanding potential risk exposures. Businesses need to invest accordingly and follow best practices to achieve a return on investment.

By Alicia Buller. Published September 25, 2004

In 2001, a virus affected just one in 300 e-mails. By 2015, three out of four e-mails will be infected, according to Marshall Institute. The research firm also says that e-mail is just one vulnerability in a network. As internet criminals get smarter, the litany of potential threats is growing as worms, Trojans, website defacement, information theft, spoof e-mails and in-house fraud are becoming increasingly common. Security is an issue concerning companies across the world and the Middle East is no exception.

Last year’s joint ACN and PricewaterhouseCoopers (PwC) survey revealed that 55% of local respondents admitted that viruses had impacted their organisation. In addition, 50% said systems failure and inappropriate use of computing resources by employees had also affected their companies. These incidents have prompted local businesses to realise the importance of having a secure network.

However, there’s still some ambivalence around how to make IT security investments worthwhile. Research firm IDC recently reported that companies are now spending up to 80% of their IT budgets on security, a figure that is simply not sustainable in the long-term.

“Still, all businesses must take precautions in protecting their intellectual property, ranging from customer information and research through to development data to confidential employee records. Failure to do so can mean the loss of millions of dollars in ‘clean-ups,’ shareholder distrust in the integrity of corporate information and lawsuits,” warns Michel Kilzi, CEO of security vendor, Front Defence. “In the end, it could be a lot riskier and more expensive to cut corners on security spending,” he adds.

The key is to realise where security is required the most, and to apportion the budget accordingly. Often when there is a security challenge, businesses have a tendency to push it over to their IT division without finding out the problem. “And these technical guys don’t know what really needs to be managed from the business [perspective],” says Mirza Asrar Baig, CEO of IT Matrix. “The [management] should decide what needs to be managed. Once that is decided, the IT team can then suggest what technology needs to be implemented,” he adds.

As businesses in the Middle East start to use sophisticated technology, IT divisions are fast becoming an integral part of the core business. For instance, if a bank’s IT system crashes and suffers from two hours downtime, it will paralyse all of its operations — this is a critical business issue. It can signal serious costs, and not only in terms of money.

“Dubai airport was down for eight hours because of the Sasser worm and this cost [it] millions of dollars. But, in reality, it could be much more than that. The possibilities are endless,” says Peter Kwisthout, Middle East territory manager at McAfee. “The impact on your brand is huge, though not measurable. It’s unacceptable for a large corporation to have their system down or to have critical information stolen,” he adds.

Making security pay is a matter of understanding potential risk exposures. The best way to do this is to conduct periodic audits of organisational assets and then implement technology and processes that protect those assets. Typically, this will include regular vulnerability assessments in order to understand who has access to what company information and to ensure that security policy is in line with corporate governance.

“Security is a process and requires a change in corporate thinking. IT and other managers need to create processes to combat security risks. One way to do this is for managers to educate employees through regular security training and awareness programmes,” says Kilzi.

Furthermore, as much attention must be paid to the implementation of a solution as to the boxed technology itself. An inexpensive well-deployed one will better protect a company than a poorly implemented top-of-the-range solution.
