Four Options for Risk
By Lawrence Walsh | Posted 2008-03-28
Hannaford Bros. breach proves, yet again, that there's no such thing as "unbreakable" security.
Both cases demonstrate what organizations can do with risk. There are four options:
- Mitigate: Take steps to prevent security breaches and incidents.
- Defer/assign: Give someone else responsibility to secure your data and infrastructure (such as a managed services provider) or get insurance to cover damages incurred as a result of a breach.
- Accept: Understand and accept that you can only mitigate so much risk and that you will always have some level of exposure.
- Ignore: Simply do nothing.
It could be argued that TJX accepted its risk by choosing not to improve its security, but some would also say that it ignored the risks by not meeting PCI standards. Hannaford mitigated its risk by complying (we assume) with PCI, but the company wasn’t completely invincible.
Everyone says that security breaches and identity thefts have real costs. If you believe the Ponemon Institute’s figure stating that each compromised record costs $197 to remediate, then the TJX breach should cost $18.5 billion. In reality, remediating the damaged and punitive penalties will cost TJX only around $300 million.
People argue that it’s hard to put a price on the damage to a company’s reputation for allowing a security breach. Ahem, in the year TJX struggled with its massive breach, its sales were up 7 percent, and its stock price remained stable. In other words, there was no reputational damage.
Incidents like these demonstrate that enterprises need to do what they can to mitigate risks and then accept that a breach is still going to happen. Threats and risk are ubiquitous and evolving. IT systems are inherently flawed and vulnerable, despite the security we put in to protect them. And every enterprise is subject to the human factor: Users and hackers will always find new and innovative ways to break systems, regardless of the protections.
No matter how much money enterprises spend on security, they will never mitigate their security exposure to zero. You can’t ignore risk; that’s stupid. Everyone should make a reasonable effort to provide an adequate level of protection. That doesn’t mean bulletproof security, but there should be enough safeguards to avoid a casual, trivial breach.
At a certain point, enterprises, regulators and users must accept the fact that breaches will happen to everyone. So get comfortable with that concept, because a breach will eventually happen to you, too.
Lawrence M. Walsh is editor of Baseline magazine. What do you think of risk exposure and mitigation strategies? Send Larry your thoughts at lawrence.walsh@ziffdavisenterprise.com.