
Quantifying The Financial Impact Of Security Incidents

Thursday, December 23, 2010 at 11:01am by Raj Samani

How much? It’s a simple question really, and one that I know the security professional often finds very difficult to answer when trying to justify mitigating risks to the business. I mean, what exactly is the financial impact of a virus outbreak? Or can you calculate how much the bottom line would be affected if that laptop was left in a bar?

In November 2010, the task of quantifying the financial impact of security incidents (in the UK) got a lot simpler thanks in part to the Information Commissioner’s Office (ICO). The ICO has now used the fining powers granted to it in April 2010, with two organizations facing hefty penalties: one for misdirected faxes, and one for the loss of an unencrypted laptop.

Such fines can reach up to half a million pounds, which I suppose some organizations may see as relatively small when compared with the recent fines imposed by the FSA. However, when combined with the negative publicity and ultimately lost business, this makes a compelling case for ensuring that security budgets reflect the changing regulatory landscape.

According to McAfee’s Simon Hunt (VP and Chief Technology Officer, Endpoint Security): “It’s often forgotten that around 30% of reported data breaches are caused accidentally by insiders – people trying to do their job, trying to solve problems, but just inadvertently making a mistake and disclosing information. The Hertfordshire County Council incident for example was just a case of a mistaken fax number, a simple mistake but tremendously embarrassing, costly, and damaging for the victim.”

“Even though the risk of unencrypted data on mobile devices like laptops has been understood for over a decade, we still find examples where very sensitive information is on unprotected devices. The A4e case was particularly damaging as it wasn’t ‘secret sauce’, it was very sensitive and revealing personal information. Companies need to remember that they are only the custodians of personal information – they are not the owners, we, the individuals are, and we should be demanding they take good care of it, either by keeping it under lock and key, or by using commonly available technological measures to secure it.”

Although both organizations reported the incidents to the ICO, some people will be tempted to simply not report future incidents for fear of penalties. I would suggest, however, that the likelihood of a member of the public (who may have inadvertently received a misdirected fax, for example) not raising this is slim. A more cost-effective and operationally efficient approach is therefore to implement an Information Security program that reduces the risk of such incidents happening again. Ultimately I believe that the cost of managing information risk is not prohibitive; we often talk about security being a business enabler, and it really can be. One of the first steps I would suggest is reading this excellent blog by my colleague Matt Fairbanks.
