SMBs Need Comprehensive Security Concepts (part 1)

“When it comes to integrating security measures, many companies, and SMBs in particular, are still in the Middle Ages”, comments Mario Hoffman from the Fraunhofer Institute for Secure Telecooperation (SIT). “Even if there is a certain degree of awareness, IT security is still largely regarded as a technical and product-oriented issue”, says Wolfram Funk, an adviser with the META Group, criticizing the attitude that some companies hold. “There is also a lot of catching up to do in terms of organizational measures”, he continues. It must be added that Funk’s opinion reflects a widespread situation. Studies by the META Group (June 2003), Deloitte & Touche (November 2003), the specialist magazine Informationweek (in conjunction with Mummert Consulting) and the trend barometer from PricewaterhouseCoopers (PwC; November 2003) – to mention only a few – clearly show that many companies, and SMBs in particular, still do not have sufficient security management systems in place, if any.

Creating a culture of security

This is astounding since the increasing frequency with which “highly developed technologies are employed in companies means that information security is becoming a critical factor”, says Mark Lobel, a security expert at PwC. Billions of Euros and Dollars are lost worldwide as a result of breaches in IT security. According to a recent report by the security specialists Symantec, there has been a massive increase in the risks to confidentiality, with the new threats deliberately extracting passwords, deciphering codes and key combinations. “It is therefore essential that IT security is regarded just as much a part of the management process as financial controlling or quality assurance in production”, states Peter Wirnsperger. IT security “must be understood as a comprehensive concept or as an umbrella term for reliability, availability and integrity”, continues Wirnsperger. A similar formulation is used by Anil Miglani, Vice President of the US consulting house AMI Partners, in responding to a survey of SMBs in the USA. The more US companies do their business with Internet support, the more they recognize that “IT security must be an integral component of their overall business activity.” Many large companies also make their awarding of contacts to smaller companies “dependent on their investment in security technologies”, adds Andy Bose, CEO and founder of AMI Partners. The same rules in terms of security management apply to both SMBs and multinational concerns.
Wirnsperger defines the following three areas as being of particular relevance to IT security: Organization (e.g. roles, processes and rules to carry out business processes smoothly), technology and people. Today’s distributed computer systems with their “open” connections can no longer be protected by organizational measures alone. Additional technical security measures must be put in place by, for example, precisely defining responsibilities and ensuring that all activities can be assessed and understood. According to Wirnsperger, companies should factor security into all communication issues to enable controllable information transmission and processing.
This requires strategic security concepts which guarantee the confidentiality and integrity of data transmitted via networks and ensure its continual availability, thereby safeguarding corporate value. This demand had already been made in the OECD’s (Organization for Economic Co-operation and Development) “guidelines on information and network security” which were published in mid-2002. The foreword stated that, given the worldwide networking that is now in place, it is essential to develop increased awareness and understanding of security requirements and to create a new “culture of security”. These guidelines list a total of nine areas from security awareness and risk analysis to IT security management which should help companies to establish a comprehensive security culture.

Service failures are expensive

The aim of all security measures must always be to prevent or minimize downtime since information and communication systems must be ready for action and fully available from the very outset. “Anyone who skimps on the security of their data networks”, said BITKOM Vice President Paul Heinz Bonn in a lecture at the ONLINE 2003 ITK trade show in Dusseldorf, “is taking a high risk for the whole company”.
SMBs in particular seem not always to be aware of this. According to Deloitte, the maximum downtime among the SMBs surveyed was an incredible 72 hours. The average system failure lasted approximately 12 hours. It is nevertheless amazing that companies cannot quantify the loss to business or state it as zero and that they only seldom specify their expenditure on IT security and possible damage. The PwC consultants also give only general figures in their security barometer, according to which 83 percent of companies had suffered financial loss. 11 percent had suffered no losses and six percent were unsure or did not reply to this question. The average time lost due to system failures during the last 12 months was estimated to be approximately 1.3 days.
A survey by the specialist magazine Informationweek of almost 2,500 IT and security managers worldwide carried out in the summer of 2003 casts some more light on the situation. The interesting feature of this survey was the comparison between German and US companies. While 32 percent of German companies stated that they had not experienced system failure, this figure was only 16 percent in the USA. For relatively short-term failures, the figure for both countries was 28 percent but the situation in terms of longer term failures was considerably worse among US companies. 38 percent of the US companies had suffered downtime of eight hours or longer while only 23 percent of German companies had experienced longer term faults. US companies were also worse off in terms of financial losses caused by downtime. Only 29 percent – the figure for German companies was 44 percent – has suffered no financial losses. Almost 60 percent of the US companies (37 percent for German companies) complained of financial losses totaling between less than USD 10,000 and more than USD 100,000. Wirnsperger warns, however, that concrete costs for IT failures are very difficult to calculate “since the associated estimates are based on an insufficient data basis with too few informative figures. Given the above average use of e-business by certain sectors such as companies supplying the automotive industry, a system failure of only a few hours can have serious consequences because delivery and production are both ‘just-in-time'”, he adds.

ROSI addresses this issue

Losses of five or even six figures as a result of system failures are often hard for smaller companies in particular to absorb. Increased investment in the security of IT systems and applications is money well spent, particularly if it’s a matter of the company safeguarding its own competitiveness. According to Peter Wirnsperger, many SMBs usually see expenditure on security simply as an “irksome cost factor” but fail to recognize that any system failure can potentially exceed IT security costs several times. The value of the concept developed by the University of Idaho called Return on Security-Investment, or RoSI is short, has recently gained increasing recognition. “RoSI calculates the cost-effectiveness of investment in corporate security”, explains Hamburg-based IT security expert Christian Aust. “This concept evaluates the costs of IT security in terms of its effectiveness and compares the expected cost-savings through risk reduction and the lower associated losses.”
In order to make RoSI calculations using this model, all security-related data must be documented and interpreted. However, this is also the main problem in the calculation. According to Mummert Consulting, German companies are particularly reluctant when it comes to providing information about losses. Furthermore, it is often difficult for smaller companies to calculate potential downtimes. Are SMBs actually able to perform a concrete RoSI calculation? “Of course”, says Christian Aust, “because the accuracy of the cost-effectiveness analysis is largely based on a sound risk analysis, so all risks can be evaluated according to the probability of them occurring and the expected potential damage. This means that the costs of a risk are known.” However, Aust also warns against excessive risk protection which is not cost-effective. Each company must define a “risk threshold” under which a risk is acceptable to the company. “The key to a positive RoSI is that the total costs are lower than the total benefits from damage limitation after a defined period of time,” concludes Aust.

Dr. Andreas Schaffry
Dr. Andreas Schaffry