The trigger for this piece was a news report of a cyber attack on transport companies operating within the port of Antwerp, one of Europe’s largest – see Police warning after drug traffickers’ cyber-attack to read the story. An organised criminal gang recruited hackers to break into the IT systems of at least two of the companies operating in the port.
The gang was trafficking drugs from South America, hidden in containers carrying legitimate cargoes. The security breach allowed the hackers to get the location and security details of the containers. The traffickers could then send in truck drivers to steal the cargo before the legitimate owners arrived. The breach was discovered when workers in the port found that containers were disappearing without explanation.
Hardly a week goes by without a report of some security breach. And as this case shows, it’s not just nerds playing around but increasingly sophisticated attacks organised by criminals and even governments. It’s not surprising that security has risen high up the list of concerns of CIOs and other senior management.
However, those same managers are also under pressure to contain and even reduce costs. They are expected to deliver more with less. The result can be a tension between cost management and security provision.
To understand what’s involved, let’s take a closer look at system economics. Security is an economic factor and should be considered along with other economic factors when evaluating the cost of any IT environment.
The total cost of ownership (TCO) of IT systems can be divided roughly into two parts. The first part comprises what’s necessary to deliver services under normal conditions. Hardware, software and people constitute the bulk of the cost – roughly 85 to 90% according to a leading analyst. Cost reductions can be achieved by looking for cheaper alternatives or by increasing efficiency but adequate provision must be made to maintain service.
The second part of TCO is concerned with the abnormal. Money spent on security provision does not normally improve service delivery. Rather like disaster recovery (DR), it is an expense without an apparent gain. However, the cost of a security breach can be catastrophic. The Ponemon Institute, which specialises in security questions, puts the cost per record compromised at USD 136 – see 2013 Cost of Data Breach Study: Global Analysis.
It therefore seems obvious that an organisation would make adequate provision for security as an insurance policy. The same is true for DR. But what seems obvious is not always done. In an earlier piece on DR (‘Planning for the unplanned – disasters’, October 2011) I wrote that many organisations make no adequate provision for DR – sometimes no provision at all. The same goes for security.
One potential trap is where an organisation plans to leave one platform type – usually a mainframe-class system – for another apparently cheaper one. What may be forgotten is that mainframe-class systems such as ClearPath are very secure: there have never been any ClearPath system data breaches. The supposedly cheaper alternative is likely not to be secure so extra provisions have to be made, consistent with the level of exposure. (View details of reported data breaches by operating system type in the NIST database.)
This is not a hypothetical problem. I am aware of a ClearPath installation which was replaced by an alternative platform without due consideration for security. The new environment was hacked within a year and confidential financial data stolen, resulting in considerable expense.
The cost of security should be built into TCO models, along with the hardware, software, people and environmental costs. It’s not easy but certainly not impossible. Just asking a few questions helps to focus the minds of those making decisions. What appears to be a cheaper alternative may not turn out that way.
I analyse ClearPath economics in greater detail, including security, in a white paper – Delivering Value: The Economics of ClearPath Systems.