Return On Investment  


EXECUTIVE SUMMARY

This paper will help you justify the need for an automated Security Auditing product and demonstrate the positive Return on Investment (ROI) that can be achieved by acquiring a product like Secure Auditor™. It reviews the latest trends in cybercrime, outlines the cost of security breaches and demonstrates how automated security auditing can help manage vulnerabilities to defend against these threats. It further provides an example of how to calculate an ROI to help justify acquiring an automated Security Auditing product. As you will see, the example reveals a positive ROI, making the purchase decision easily justified.

   
THE COST OF SECURITY BREACHES

A critical problem for public and private institutions is the increasing threat of attack. This is due to a combination of increasingly sophisticated and automated attack tools, the rapid increase in the number of vulnerabilities being discovered and the increasing connectivity of users. As systems are opened to employees, customers and trading partners, networks become more complex and most likely more susceptible to a security breach. That is why information security is one of the most challenging and complex issues companies are facing today.

It's difficult to put a figure on the cost of a security breach. Companies that experience breaches often don't report them, fearing negative consequences to their reputation and exploitation by their competitors. Even if they do report them, victims of a breach seldom know how to quantify their loss. But there are industry statistics available that can give you a rough idea of what it will cost your organization if a breach does occur.

One of the best sources for information on computer crime, also known as cybercrime, in the United States is the "CSI/FBI Computer Crime and Security Survey." [1] (Cybercrime includes the following categories: viruses, unauthorized access, theft of proprietary information, denial of service, insider net abuse, laptop theft, financial fraud, system penetration, sabotage and fraud.) This annual survey found that financial losses related to unauthorized access to information and theft of proprietary information are rapidly increasing. Together, they now account for close to one-half of the total annual explicit financial loss experienced by the survey respondents. And, if implicit costs (e.g., loss of sales due to negative corporate image) were included, these categories alone would account for well over half the financial losses.

These recent trends in cybercrime make it more critical than ever that organizations acquire a true assessment of their security vulnerabilities so they can identify and address those vulnerabilities associated with their most valuable information assets. The most recent edition of this survey now estimates the average cost of a security breach to be $203,000. Note that the cost of a single serious breach can potentially be far worse than this figure discloses. For example, the average remediation cost to companies breached by the MS Blaster worm was $475,000. Larger companies reported losses up to $4,228,000. The recent, high-profile breach at ChoicePoint reportedly cost the company $11.4 million and a $6 sustained drop in its share price.

Industry statistics are a valuable starting point when calculating the cost of a breach, but clearly they don't reflect the unique characteristics of your business. For example, what is your organization's reputation worth? How much will it cost your organization if your critical services go down for a day? How much could you save on outside consultants by bringing penetration testing in-house? When it comes to your business, only you can provide accurate answers to these questions.

   
EFFECTIVELY MANAGING VULNERABILITIES WITH SECURITY AUDITING

Security auditing is an authorized attempt to explore security-related vulnerabilities in your systems which, if exploited, can result in a major security breach. A user can discover multiple vulnerabilities which could be exploited to gain access, but is merely discovering these vulnerabilities enough? No! You may also need solutions to fix these problems. Secure Auditor™ extends its offer by providing overviews, descriptions and solutions for the identified vulnerabilities which, if implemented properly, will result in securing the system. Imagine a machine not offering any vulnerability which could be exploited to gain access: this is a dream which is now a reality for any administrator thanks to Secure Auditor™.

You might be wondering what Security Auditing offers that penetration testing and vulnerability assessment don't. The answer is simple: vulnerability assessment is guessing that a particular vulnerability exists in a machine, and penetration testing is proof of that. Security Auditing, on the other hand, takes an in-depth look at the security posture of the system and leaves out any chance of guessing. Why? Because it is an authorized instance which connects to the system to provide an in-depth look at its security.

   
CALCULATING RETURN ON INVESTMENT (ROI) FOR Secure Auditor™

Here we take the example of using Secure Ora Auditor™, which is a part of Secure Auditor™. A security-conscious company routinely hires the services of independent auditors to assess the security posture of its enterprise. An external auditor typically charges anywhere between US$100 and US$150 per hour, and for 20 hours a day your audit costs US$2,000 to US$3,000 for each audit. Since the audit is done manually or with less comprehensive tools, certain security issues are likely to be missed. Furthermore, your control over the audit is limited and complete customization cannot be achieved. A definite advantage of automated audits over manual ones is the ease of operation combined with fast and consistent audit cycles. In addition, preparing comprehensive reports detailing threat descriptions and solutions always consumes a great deal of time in manual audits.

Return on Investment (ROI) Analysis for Secure Ora Auditor™

Security Audit                       Data Admin   IS Auditor   SOA
Time in hours                        20           20           0.15
Cost per hour                        $100         $150         -
Audit cost per database              $2,000       $3,000       $990
Cost per year (1 test every month)   $24,000      $36,000      $990
Cost on monthly test                 $2,000       $3,000       $82.50

   

Let's now look at the types of savings users of Security Auditing products typically report:


Direct Savings

1. Reduced spending on outside Consultants
Organizations can easily spend between $10,000 and $100,000 on a single, once-a-year audit of their network by an outside service provider. In the sample case above, we'll assume only one audit is performed at a lower price. In your own calculations, you should increase this according to how many audits per year you have performed, or should perform.

2. Prioritized Remediation Efforts
An automated Security Auditing product will classify vulnerabilities according to their risk level, which helps administrators prioritize their remediation effort by fixing high-risk vulnerabilities first. To calculate what cost savings this represents, estimate what percent of your staff's time is spent working on vulnerabilities that don't represent real threats to your organization. For example, if you have 2 network administrators that cost on average $100,000, fully loaded, and each spends 10% of his time in these activities, this cost is $20,000 annually.

3. Increased Staff Productivity
If you are implementing manual auditing internally, then using an automated product will allow you to conserve valuable staff time. To calculate the savings this represents, you need to determine the following:

  • How many hours do your security managers and team members devote annually to building and running manual auditing tests?
  • How much is this time worth? For example, if you assume a single network administrator makes $100,000 per year (fully loaded) and is spending 25% of his time on conducting audits, this represents an annual cost - and potential savings - of $25,000.

4. Avoid Cost from Network Outages / Downtime from Security Breach
Once a security breach occurs, there is a direct cost to recovering from it. Industry estimates of this cost range from $100,000 to tens of millions. The estimates include IT staff time spent on fixing the problem (e.g., bringing servers back up, installing patches on servers and PCs, etc.), lost productivity of employees due to network downtime and, in some cases, lost revenue. If you can't estimate this cost for your organization, you may want to use the average cost of $203,000 noted earlier from the CSI study.

5. Ability to meet Regulatory/ Audit Requirements and avoid Fines
An automated Auditing product will help you meet the auditing/compliance aspects of regulations such as GLBA, HIPAA, Sarbanes-Oxley and California State Bill. Violators of these regulations are subject to criminal penalties with fines up to $5 million and 20 years in prison. Automated Auditing products provide you with a detailed record of every vulnerability explored, and can help avoid these penalties.


Intangible Benefits

1. Improved Security and associated Peace of Mind
Using an automated product allows you to consistently test your network and easily integrate the practice with your overall security program. This means you'll have more confidence in the overall security of your network.

2. Ability to preserve Corporate Image and Customer Loyalty
A single incident of compromised customer data that becomes public can cost a company significant amounts of customer goodwill and market reputation. The nature of your business determines how important this is to your organization. This could be a fraction of the direct savings, or a significant multiple.

3. Ability to justify Existing Security Investments
You can use an automated auditing product to evaluate and test the effectiveness of deployed (or proposed) security products.

   

 
Copyright © 2008 Secure Bytes Inc. All rights reserved.