Four Options for Risk

By Lawrence Walsh

Hannaford Bros. breach proves, yet again, that there's no such thing as "unbreakable" security.

Both cases, TJX and Hannaford, demonstrate what organizations can do with risk. There are four options:

  • Mitigate: Take steps to prevent security breaches and incidents.
  • Defer/assign: Give someone else responsibility to secure your data and infrastructure (such as a managed services provider) or get insurance to cover damages incurred as a result of a breach.
  • Accept: Understand and accept that you can only mitigate so much risk and that you will always have some level of exposure.
  • Ignore: Simply do nothing. 

It could be argued that TJX accepted its risk by choosing not to improve its security, but some would also say that it ignored the risk by not meeting PCI standards. Hannaford mitigated its risk by complying (we assume) with PCI, but that did not make the company invincible.

Everyone says that security breaches and identity thefts have real costs. If you believe the Ponemon Institute’s figure stating that each compromised record costs $197 to remediate, then the TJX breach should cost $18.5 billion. In reality, remediating the damage and paying the punitive penalties will cost TJX only around $300 million.

People argue that it’s hard to put a price on the damage to a company’s reputation for allowing a security breach. Ahem, in the year TJX struggled with its massive breach, its sales were up 7 percent, and its stock price remained stable. In other words, there was no reputational damage.

Incidents like these demonstrate that enterprises need to do what they can to mitigate risks and then accept that a breach is still going to happen. Threats and risk are ubiquitous and evolving. IT systems are inherently flawed and vulnerable, despite the security we put in to protect them. And every enterprise is subject to the human factor: Users and hackers will always find new and innovative ways to break systems, regardless of the protections.

No matter how much money enterprises spend on security, they will never mitigate their security exposure to zero. You can’t ignore risk; that’s stupid. Everyone should make a reasonable effort to provide an adequate level of protection. That doesn’t mean bulletproof security, but there should be enough safeguards to avoid a casual, trivial breach.

At a certain point, enterprises, regulators and users must accept the fact that breaches will happen to everyone. So get comfortable with that concept, because a breach will eventually happen to you, too.

Lawrence M. Walsh is editor of Baseline magazine. What do you think of risk exposure and mitigation strategies? Send Larry your thoughts at lawrence.walsh@ziffdavisenterprise.com.

This article was originally published on 2008-03-28
Lawrence Walsh is editor of Baseline magazine, overseeing print and online editorial content and the strategic direction of the publication. He is also a regular columnist for Ziff Davis Enterprise's Channel Insider. Mr. Walsh is well versed in IT technology and issues, and he is an expert in IT security technologies and policies, managed services, business intelligence software and IT reseller channels. An award-winning journalist, Mr. Walsh has served as editor of CMP Technology's VARBusiness and GovernmentVAR magazines, and TechTarget's Information Security magazine. He has written hundreds of articles, analyses and commentaries on the development of reseller businesses, the IT marketplace and managed services, as well as information security policy, strategy and technology. Prior to his magazine career, Mr. Walsh was a newspaper editor and reporter, having held editorial positions at the Boston Globe, MetroWest Daily News, Brockton Enterprise and Community Newspaper Company.