Do you value your security?

We are in a new year now, the end of the world never materialised and everyone will be back at work, getting ready to push on with their New Year's resolutions – even the ones doomed to failure.

Security has value
Everyone says security is important, but what matters is whether you put your money where your mouth is.

Unfortunately, many of the mistakes that were made last year will be repeated, and it is likely that during the next 12 months we will still see news items about hackers accessing sensitive data and the Information Commissioner fining yet another Government department for a DPA violation. The private sector will suffer undisclosed breaches, and the retail and transport industries will suffer loss and “wastage” as people pilfer goods rather than pay for them.

What this seems to show is that despite almost every CEO, MD, CIO, CTO, CISO etc. talking about how important security is, when it comes down to it, they are not prepared to put their words into action.

Already this year, we have worked with two organisations – both in the small-medium enterprise sector, although one has stock locations across the country – which illustrate this gap between words and action. Both of these clients suffered financial losses in 2012 as the direct result of security incidents and, quite rightly, had decided to take action to stop this continuing.

The larger of the two organisations, with several locations, suffered from a variety of security issues that had gone unchecked for a couple of years, to the point at which they were causing financial pain. It was estimated that they had endured a direct loss (from theft, employee theft and vandalism) of £750,000 in 2012 (with similar amounts each year since at least 2009), and the marketing assumption was that, where this was public knowledge, it had tarnished the organisation's reputation and cost around £500,000 in lost revenue.

We were engaged by the Head of Security, and two of our consultants spent a week visiting the locations, assessing the existing controls and determining what had led to the incidents described. On completion of our engagement, we provided the organisation with a detailed report of which controls should be implemented to reduce the loss. In the end, we identified controls costing around £200,000 to implement (it varied by site) which would have reduced the annual loss from £750,000 to around £250,000. The marketing team agreed that these controls would also address the negative publicity and might lead to additional sales, but this is not something we would normally include in our estimates.

Armed with this information, the Head of Security presented to the board how an investment of £200,000 during 2013 would save the organisation £500,000 a year and drive new sales into new sectors. This is a board that, in previous years, has made several statements about how it “believes in driving good security” and similar promises. However, when presented with this clear opportunity to live up to its claims, the board changed its mind and refused the funding. Following some frantic negotiation, the Head of Security eventually got a budget of £15,000 for security improvements at two locations which, had it been implemented last year, would have prevented about £20,000 of the loss.

In this instance, the problem with the organisation appears to be how its budgets are structured. The board viewed the security improvement not as an investment that would increase overall profits by more than it cost, but as a centralised cost, while the losses were distributed across various segments of the organisation – each location and business function had its own reporting chain.

The result is that no single segment of the organisation was losing enough to justify spending on additional security, while the overall losses were putting pressure on the board to reduce expenditure.

Although nothing in security is certain, the loss trend for this organisation indicates that it will continue to lose around three quarters of a million pounds each year, because the board has allowed the organisation's structure to become so convoluted that it is incapable of protecting itself.

Security is an investment, not a cost
Bad security costs more than good security. Diluting the harm creates a major risk for your organisation.

The smaller organisation – with only four locations in a reasonably compact geographical area – presented a good counterpoint.

We were engaged by the owner of the company to help following a break-in at one location which had resulted in the loss of about £15,000 worth of assets. The owner was concerned that this might happen again, and at the company's other locations. The owner also identified other incidents over the last couple of years where vandalism and petty theft had led to extra costs for the business, and we worked closely with the local police force's crime prevention team to determine what the local crime trends were.

Following our assessment, we identified security improvements that would cost the owner around £20,000 to implement but would be effective in preventing the kind of burglary they had already experienced and would significantly reduce the smaller-scale crime. The controls would also mitigate several risks to assets with a total value to the company of £250,000.

Even though this would cost more than the single high-loss event they had experienced, the owner realised that this was a cost spread across four locations and that the controls would remain effective for several years. As a result, the business owner decided that it made good sense to invest in the security and drive down their risks.

By being able to see the big-picture risks, and by being the person who felt the pain of the security losses, the owner of this company was in a much better position to drive forward and implement good security practice.

When a business grows, it makes sense to bring in more layers of administration and organisation, but, as the first example shows, it is a major failing of corporate risk management if these layers begin to hide risks and dilute the opportunities you have to mitigate threats.

This New Year, why not make a resolution to blow out the cobwebs of your corporate risk strategy and look at how your administrative and reporting chains work? Do you dilute the threats your business faces to the point at which you can no longer determine which controls are cost effective? Do you have a centralised risk management strategy which allows your key decision makers to see where risks are growing? Are you able to be proactive in driving down risks and security threats?

If not, this is the time to make change happen.

If you want more advice on this, or would like to simply discuss some of the topics raised, then please get in touch with Halkyn Security or start a discussion in the comments here.

Taz Wake - Halkyn Security

Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.