Prevention and cure: working out an information security budget

The Chancellor recently announced a £425 million government investment in the NHS over the next three years. While pundits speculate on what this will actually mean for our vital service, it is worth considering the issue of health in the context of business. Organisations need to ensure their ongoing health status by prioritising the steps that keep them compliant with current legislation and by prioritising the prevention and treatment of attacks. Like Philip Hammond, they need to work out their priorities and set an investment budget.

In information security terms, the A & E department – otherwise known as Incident Response – relates to extreme cases when an organisation suffers an emergency situation as the result of an attack, either on its information systems or on the physical building within which it operates. Such incidents can be swiftly mitigated if a response plan is in place and continually updated. Quantifying the potential cost of this type of service requires an in-depth assessment of current defences. Conducting such a review also helps in the event of an emergency, as the expert consultant will already be familiar with the structure, locations and systems in place. Much of this can be planned, conducted and budgeted for in a measured way by working with a specialist consultant.

Such outright attacks are thankfully rare, with attacks on specific data – often credit card data – being a more common issue. The financial consequences of a data breach are nonetheless significant. Headline figures can make Chief Information Security Officers (CISOs) quite dizzy. The press has reported huge sums lost in data breaches over the last year and, in addition to loss of business, payment card companies levy fines on the organisations involved. Things will only become tougher in the future when the Data Protection Act is replaced with the new GDPR, which comes into effect in May 2018. Maximum fines for a data breach under GDPR are 20 million Euros or 4 per cent of turnover. The Payment Card Industry Security Standards Council (PCI SSC) has warned that this could mean UK businesses facing up to £122 billion in penalties for data breaches.

Yet fines are not the only financial consequences of a data breach. The damage to a company’s reputation can lead to significant reductions in income over a longer period of time. So how much should an organisation allocate to prevention and how much to cure? It’s all about context and vulnerability and an industry expert will be able to advise on the most cost-effective measures that will achieve the desired outcome.

As with any health situation, preventative measures are important. GDPR compliance is one element of this, and SRM’s specialist team can facilitate a cost-effective strategy. They can then do as much or as little as required to support the CISO in embedding GDPR compliance within their organisation. Working with a team of expert consultants who understand your organisation will ensure that protection levels are high and the general health status is good. They will also be on hand in the event of a flashing blue light and will be able to step into the emergency situation with a clear strategic plan to deal with any haemorrhage.

For more about GDPR compliance see:

GDPR – The General Data Protection Regulation

The uncertainty of Brexit, the certainty of GDPR and the responsibilities of the CISO

GDPR: the impatient tiger
