At this point, it’s beyond trite to remind you that times are tough right now. In all likelihood, you’re facing difficult decisions about what IT activities to fund and what you can afford to let slide.
Network security is one of those largely invisible activities that might look like a tempting place to make a few cuts. Maybe divert some budget away from security to other networking initiatives, or not be so quick to install the latest version of network immunity software, or be slightly less vigilant about who gains access to your network. Then cross your fingers and hope for the best.
I’d like to offer a different perspective: Given the risk of security breaches and the cost of those breaches, you literally can’t afford to slack off on your network security efforts. Moreover, investing wisely in your security now can reap tangible rewards in terms of both lower operating costs and improved competitiveness over time.
Security breaches are becoming more costly
As enterprise networks become more open – a positive move to promote greater collaboration and productivity – they also become more vulnerable to both external and internal threats. In addition, the nature of attacks continues to evolve, becoming nastier and more expensive.
Here are a few chilling statistics to put things in perspective:
The Register (U.K.) reported on February 4 that the cost of data breaches among U.K. firms surveyed had risen from an average of £47 per record in 2007 to £60 (USD$86) in 2008, according to a study by the Ponemon Institute, sponsored by PGP. Now, that might not sound so bad, except when you consider that in each case considered, the number of records involved ranged from 4,100 to 92,000. In other words, firms can easily experience losses in the millions from a single security breach.
An equivalent study of U.S. companies, also conducted by the Ponemon Institute and sponsored by PGP, estimated per-record costs at USD$202 in 2008, up from USD$197 in 2007 (as reported in an article by Andy Greenberg on Forbes.com).
In a worldwide survey of 1,000 decision-makers by McAfee, Inc., surveyed companies estimated an average loss of USD$46 million worth of intellectual property in 2008. Many (42 percent) pointed to laid-off employees as the single biggest threat to their intellectual property and other sensitive data.
By 2006, USA Today reported that data breaches and ID theft had become organized crime’s number-one business, costing the U.S. economy more than USD$67 billion that year. Surely, the costs in the U.S. and worldwide have continued to rise since then.
Privacy Rights Clearinghouse estimates that since 2005, 88 million data records of U.S. residents have been exposed to security breaches.
A well-publicized breach at the TJ Maxx retail chain in August 2007 netted at least 45 million records for identity thieves. The company set aside more than USD$100 million to cover the costs and potential liability arising from the breach, including reimbursement of banks suffering from fraudulent losses connected to the attack.
More recently, Heartland Payment Systems revealed in January that hackers had siphoned off credit card numbers from its network. According to a USA Today article, Heartland’s systems process 100 million payment transactions each month – and they’re still trying to figure out how long the hackers had access to the system and how many records and victims are affected.
In a May 2006 article, CIO Magazine reported that after experiencing a security breach, a company could expect 20 percent of its affected customer base to no longer do business with the company, 40 percent of customers to consider ending the relationship and 5 percent to hire lawyers.
Security breaches extract costs in a number of ways, well beyond the actual costs of detecting and responding to the breaches, notifying customers affected, and hiring lawyers and security consultants. That’s only the beginning.
In his Forbes.com article, Andy Greenberg sums up the situation as follows: “More bad news in the world of data security: Companies aren’t just losing more of their customers’ private information than ever before. Customers are also losing patience with those increasingly common breaches.”
The article in The Register says that among the surveyed companies, more than half of reported costs were due to lost business. Think about it: How likely would you be to continue doing business with a company that experiences a security breach? So the costs of any incident must include the purchase of new security measures to prevent future occurrences and restore confidence in the company; ongoing public relations damage control; and, in some cases, liability payments resulting from the inability to adequately protect sensitive records.
The message is clear: Especially in this time of tight budgets, you simply cannot afford the risk of a breach to your enterprise network.
What to do
OK, so much for the gloom and doom. What’s the best way to mitigate your risk of a security breach and avoid the costs involved?
It starts with a change of perspective about network security. For example, despite what you might believe or have been told:
Effective network security requires a comprehensive, multi-layered approach. Which is precisely what ProCurve ProActive Defense is all about.
HP ProCurve’s ProActive Defense security vision and strategy delivers a trusted network infrastructure that is immune to threats, controllable for appropriate use, and able to protect data and integrity for all users.
ProActive Defense has three main pillars:
A strong foundation that we call Secure Infrastructure to establish a robust underlying platform that secures the network for policy automation. A secure infrastructure is able to resist attacks and deploy strong password policies, encrypt management traffic and separate management from user traffic. This includes protection of network components; privacy measures to ensure the integrity and confidentiality of sensitive data; protection from data manipulation; prevention of data eavesdropping; and privacy for remote access, site-to-site communications and wireless communications.
A good offense through Access Control to proactively prevent security breaches by controlling which users and devices are granted access to your network.
A good defense through Network Immunity to detect and respond to threats such as virus and worm attacks by monitoring network behavior and applying security information intelligence to maintain a high level of network availability.
HP ProCurve offers a growing number of products that enable a ProActive Defense solution; you can find more information on the HP ProCurve Web site. And now, thanks to the ProCurve Open Network Ecosystem (ProCurve ONE) multi-vendor alliance program, you can also choose from among best-in-class security applications that run seamlessly with an HP ProCurve network infrastructure.
HP ProCurve’s approach gives you both choice among best-in-class vendors as well as the tight integration previously associated only with proprietary single-vendor approaches. As a result, you gain not only flexibility and adaptability on both an IT and a business level, but also some real cost benefits.
For example, to achieve network security you can choose – and pay for – just the right combination of products and solutions that will meet your particular security needs. You’re not paying extra for capabilities you don’t need, and you’re not forced to make a tradeoff between robust security and other important networking features.
What’s more, as market pressures and your own organization’s circumstances change, your adaptive, flexible and open HP ProCurve security infrastructure will be easier to fine-tune to meet those changing needs – without expensive overhauls. You’ll see faster return on your IT investment, and you’ll have a network infrastructure better able to support and advance overall business objectives.
Of course, there’s no guarantee in the world of network security, and no panacea or silver-bullet solution. Network security is better thought of as a verb, not a noun. It’s an ongoing process of adaptability and improvement, not a static product you can buy and install.
Still, I believe in the superiority of multi-layered, comprehensive security approaches such as ProActive Defense. In these challenging times, I hope you’ll explore how such an approach might help you avoid the security breaches that you simply can’t afford.
Mauricio Sanchez, MSEE, CISSP, is the Chief Network Security Architect for HP ProCurve. He is responsible for specifying ProCurve’s ProActive Defense security technology strategy across all product lines.
