Excerpted from Global Knowledge White Paper: Security on a Budget
Security is expensive. Many organizations struggle to deploy sufficient security defenses on a shoestring budget. No security defense is perfect, and you often get what you pay for. However, just because something is expensive does not mean it is great; likewise, just because something is cheap or free does not mean it is worthless. With these suggestions, you may be able to improve your security without breaking the IT budget.
Use What You Have
Most security can be summed up with only a few key components, namely: firewall, IDS, anti-malware, authentication, authorization, and auditing. Once these are appropriately addressed, there is often little need for significant additional or specialized components for most organizations. Just like many consumers, we in IT have fallen prey to the notion that buying something new is the way to fix or smooth over a problem. All too commonly, we have a sufficient security solution already on hand if we modify, tune, or configure it properly.
Leverage Your Knowledge Base
If your staff is already knowledgeable about a product, product line, operating system, etc., then it is often in your best interest to select a new product that falls within their existing areas of expertise. This allows the security staff to become fully versed in the new product more quickly, shortens the installation, tuning, and testing phases, and gets your new defenses rolled out quickly and with solid results.
Consider the Use of Open Source Solutions
Open source is not the only solution, nor is it always the right one. But it is often overlooked, or at least not properly considered. When looking for a new solution to a security problem, especially before purchasing a new commercial product, you should explore the open source options. From operating systems to malware scanning, the open source community has many amazing products that often rival their commercial competition.
Re-Purpose Old Hardware
As your company expands, you need new equipment. In many cases, previous years’ desktop or server computers can be re-purposed for a variety of uses. Most hardware manufactured in the last five years can be redeployed as highly functional client or server systems. Primarily, the solutions I’m alluding to are variations on the Linux platform. You can find an amazing variety of open source Linux builds that take “obsolete” hardware and transform it into powerful systems serving as clients, file servers, routers, SAN/NAS servers, Web servers, firewalls, and more.
Hire Interns Instead of Professionals
When it becomes time to increase staff, look into hiring interns or fresh-out-of-college workers who are looking to get started in an IT career. Obviously, if you fill a position that requires high levels of expertise or experience, you can’t just hire anyone with a heartbeat. However, you may be able to promote from within and subsequently fill the lower, vacant positions with new personnel eager to get started but who may need a bit of training and guidance.
Review Your Policies
Most of the savings on security come from a long-term, consistent security management process. Another area where this notion applies is the organization’s security policy. Reviewing the security policy should be a yearly activity. You may find that the policies themselves prescribe processes or solutions that are overly expensive. You should evaluate each prescribed security element’s benefit against its actual expenditure.
Re-Assess Your Threats
In addition to a regular review of your security policy, you should also re-perform a risk assessment on a yearly basis. You should recall that the basic steps of risk assessment are: inventory assets, inventory threats, then evaluate costs and risks. By re-performing this process, you may be able to determine whether a risk identified in the past is still present or whether a new threat has appeared that needs to be addressed.
Cut Out the Fluff
Re-evaluate each component of your security policy and deployed security infrastructure. Any element that is showy or flashy is suspect of being of little substance. If a security product is easily fooled, bypassed, or ignored, then it is a solid candidate for disposal.
Spend Money to Save Money
Often, when it comes to security, spending money properly now will save money later. The logic is as follows: if there is a real threat and you fail to defend against it, when the risk is realized and loss occurs, the loss will often cost the organization more than the defense would have cost. Thus, once you have identified real threats that are likely to occur, you will save money by implementing the proper security defenses before the breach.
Use Public Resources
Deploying and maintaining security is often an expensive business task. However, there are ways of keeping those costs under control, especially in the area of configuration and troubleshooting. The Internet has made an astounding amount of knowledge available at one’s fingertips. Just about any topic, especially related to computers, networking, and security, is freely available for anyone to access. The next time your staff needs access to specific information that is perceived to be accessed only through a paid consultant or pay-as-you-go technical support, look into free public resources.
Not every aspect of your company’s IT or security has to be performed by your own staff. There may be some circumstances where outsourcing to a service company or consulting group is less expensive than doing it yourself. From staffing to training to equipment to licensing, outsourced solutions often provide high-quality services at a lower price than you could provide for yourself.
Evaluate Your Insurance Options
Another aspect of security that many IT workers overlook is insurance. One type of insurance to consider is hacker or malware insurance. A few insurance companies are beginning to offer this type of specialized IT security insurance. However, be aware that insurance companies are not in the business of paying claims — they are in the business of collecting premiums. So, you may find that the offered options for hacker or malware insurance are not favorable enough to justify the expense.
Security Is Not Just IT
Security is not just a computer issue. Security is a business issue. Businesses need to see security as an essential part of their organization. This idea is important, because any breach at any location throughout the organization can result in severe damage to the company as a whole, as well as the IT infrastructure.
Security Cost Is Not Just Purchase Price
The purchase price of a new security component is not the only factor that should be addressed when evaluating security costs. In fact, often the purchase or licensing fee of a product is small in comparison to other costs of maintaining security over time. You should take into consideration the expense of training administrators to install, configure, manage, maintain, and troubleshoot a product over its lifetime.
Improve Security While Reducing Costs with Training
Yet another way to stretch your IT and security budget is to spend it wisely on training. By improving the knowledge and skill base of your existing staff, you directly improve your organization’s internal ability to handle its own security issues.
Security is expensive, but not having security is even more expensive. Preventing damage from malicious attackers, stopping the infestation of malware, and preventing theft and fraud is not cheap. But failing to erect adequate protections for your organization’s level of known threat is not a cost-saving measure; it is simply a deferment of the cost until a later date. Often, that date arrives sooner than expected, and the bill is much higher than imagined. Saving money on security is about making sound decisions on the right products that provide the best security for their cost.