The Dental Plan Metaphor
Alberta Blue Cross doesn’t cover your network’s health.
Another pamphlet floated by my desk today, advertising business internet connectivity and networking solutions. These sorts of deals are ubiquitous in 1998. There are many more-than-competent consulting shops that would love to connect your company to the internet. Dialup, dedicated, cable, ADSL or the whole nine yards.
It’s easy, it’s fast, and if you’re in Calgary, it’s cheap.
But the hidden price is the security exposure your company faces when it becomes wired. A typical internet connectivity job takes a perfunctory stab at being secure, then leaves the system to fend for itself after the install. Think hard. How confident are you that your firewall is patched up to the latest levels, or that your mail server isn’t going to fall over under the most recent teardrop attack?
Okay, the media has probably done enough fear mongering for all of us, so I won’t belabour the point.
Be Militant
My next argument is this: If you’re not going to be militant about configuring and maintaining your network security system, you’re probably better off not having one at all. That way you won’t be working under a false guise of protection, and you’ll probably think twice about keeping sensitive information on those systems.
Or maybe you don’t have anything worth protecting. Great! Your security exposure is nil.
Otherwise, if you’re committed to the benefits of internet and network connectivity, and you recognize the risks to which you may be exposing your business, then investing in some security insurance is probably the most prudent and cost-effective step you can take. Look hard at your architecture, keep abreast of the latest security exploits, and monitor relentlessly. Attacks happen, we know. That’s why large corporations have security officers and auditing processes. That’s why companies like ourselves are around. That’s also what makes the quick “Put Your Business on the Internet” deals so dangerous.
Renew Your Insurance
Here’s my metaphor: A security solution is like dental insurance. When you’re insured, checkups, x-rays, and cleanings are cheap and affordable, and you see your dentist twice a year. Naturally, she’ll warn you to keep flossing, and to cut down on the coffee.
If you don’t have insurance, you’re likely to pay careful attention to your teeth, and to floss daily. That’s because if something turns up, it’s on your own dime. It also takes a great deal of discipline to make it to the dentist every six months.
But what if you think you’re covered, but discover otherwise? Missed filing the paperwork, or changed jobs. That second yearly x-ray isn’t covered, you know. And on top of that, maybe you haven’t been convincing yourself to floss every night. Yes, I’m suggesting that insured people are less diligent when it comes to dental care than their uninsured counterparts. And yes, I’m trying to equate an inadequate security setup with going under the drill.
Security really should be treated like insurance. It mitigates your risk exposure, and allows you to complete your mission goals in the face of adversity. If you don’t renew your security insurance, it’s useless to you.
Some Pleasant Stats
From an Ernst & Young and Information Week global survey of IS executives:
- 45% have had their Internet security breached
- Of those, 49% haven’t installed firewalls (!)
- 20% don’t have formal security policies
- 45% don’t monitor internet security at all
- 25% of all losses due to an infosec breach were greater than US$250,000
- 84% of US executives don’t know the potential financial costs of a successful attack
Evan Spence
Friday, April 24, 1998