Perhaps the best part about running a business is doling out the dough for all the invisible yet completely necessary components to keep it running ... Yes, that is a joke.
Many organizations are bound by compliance regulations to submit to annual security audits. The audit itself can be intimidating, but the repercussions should you fail an audit or, worse, experience a security breach, may have a significant impact on the organization and on the individuals responsible for compliance.
Security risk assessments are not only an audit requirement that helps you ensure security; they also help you identify areas where you may be investing too much money and attention, while helping you zero in on what really needs better protection.
Below, we’ve detailed a few ways that a security assessment can help you save money in the long run, allocate resources where they are needed, and eliminate practices that are likely exposing your organization to risk and liability.
Let’s take a look.
Drop Security Measures You Don’t Need
The best way to pass a security audit and avoid a breach is to stay proactive with your security measures. With that in mind, don’t go overboard. A common mistake that we see in many organizations is that they go out and buy every security measure they can think of without understanding the cyber risk they're trying to mitigate.
Something we look for is whether the resources are actually needed: does the organization have more coverage than it needs, is it using that coverage correctly, and is it preparing its staff to handle it? If staff preparation is the gap, your organization would benefit from Security Awareness Training.
Stop Non-Essential Data Hoarding
Do you need data loss prevention (DLP)?
Data loss prevention is one of those tools and techniques that you will find required by PCI, HIPAA, and CJIS compliance, but rarely elsewhere. Time and time again, we’ve recommended that organizations change their business process so they don’t need to invest in data loss prevention at all, or at the very least can invest less. DLP typically ranges from $50,000 to $100,000 and goes up based on the solution and technology. We’ve seen cases where organizations have invested hundreds of thousands of dollars in DLP!
We know you don’t want to consider the possibility that any data is non-essential, but you need to ask yourself this question:
Are you hoarding data you don’t need?
To put this another way, “what is the actual business requirement to retain the data?” The common approach is to err on the side of caution and keep all the data. Aside from the cost of expensive storage and backups, that data must be protected. Think about the cost to house ePHI. That data must be stored, indexed, made available quickly (flash storage), and protected with additional layers of security, including encryption. To illustrate this, we encourage our clients to calculate the cost of holding standard data versus data that requires enhanced protection (such as ePHI).
We’ve seen this often: businesses holding on to data they don’t need or holding on to the "wrong" data. Why is this an issue? For example, think about the cost of data loss prevention for data that falls under Federal regulation. You are looking at a big price tag.
A Real-life Example of Data Hoarding
We experienced a prime example of “data hoarding” with a local municipality’s county jail. Because they were collecting federal convict data in their Offender Management System (OMS), they had Criminal Justice Information Services (CJIS) compliance to consider. The collected federal data was not necessary, and it was the only thing that constituted CJIS data, which requires higher protection to meet more stringent requirements. Once that data was removed from the OMS database, the protection requirements were relaxed, resulting in significant savings.
This was a unique example, but the lesson holds true for organizations of any size. Unnecessary data, especially data under the thumb of regulatory compliance, demands expensive data loss prevention measures and still exposes your organization to unnecessary risk, not to mention the cost of all that data storage!
We’ve found, in doing risk assessments and Business Impact Analyses with customers over the years, that a misunderstanding of business and compliance requirements often results in both overspending and increased risk. We also encourage our clients to hold routine discussions between the business and IT, to ensure that the business requirements are understood and are being met.
Discuss Security Assessment Options with IE
Ready to trim the fat from your existing security strategy and save some money? Work with our team of security experts to analyze your existing structure and eliminate areas where you’re spending money unnecessarily. We can help you build a compliant security posture custom-tailored to your business.