Anyone who grew up in a cold climate probably remembers the thrill of a "Snow Day" that cancelled school. You couldn't wait to run out and play with your friends. But there was this person who stopped you and her name was Mom.
"Do you have a sweater on? Where are your mittens? What about your hat? You're going to need a scarf. I think those boots are too small. Wait here until I find some better ones!"
And you just wanted to scream: "Enough. Mom, it's enough. I just want to play with my friends."
Your mom might as well be running your IT department when it comes to protecting you against data breaches. Sometimes, enough is enough.
Let's get this straight: I am not advocating a careless strategy in which your firewall has more holes than Swiss cheese. But you have a business to run, and that business needs to be profitable. So what is the right amount to spend on protecting yourself against hackers?
One way to analyze this is the cost per breach. Gartner, the IT research and advisory company, estimates a cost of $154 per compromised record; IBM's figure is slightly higher at $217 per record. If you hold roughly 30,000 customer records and a breach exposes all of them, the cost works out to between about $4.6 million and $6.5 million. These costs include hiring forensic experts, outsourcing hotline support and providing free credit-monitoring subscriptions. Treat per-record averages as a rough planning number rather than a prediction: they come from surveys of many incidents, and the real cost of a particular breach depends heavily on what was taken and how quickly it was detected and contained.
I hope you have good cyber security insurance.
But what is the "right amount" to spend per employee on technology (with security costs included)? CIO magazine puts the baseline at 6.9 percent of company revenue. Gartner's estimate is $700 per month per employee, so a firm of 60 employees would spend about $500,000 annually.
Can you afford that? Can you afford the breach? Can you afford to be perfect? And what are the costs of perfection?
For instance, you can demand that your employees' computers go to sleep after 10 seconds of inactivity and require a password to wake up. That's great security, but it kills productivity. Some companies require the IT department to open every attachment sent to every employee. That's a terrific slowdown, but malware loves to catch a ride on an innocent-looking attachment, so that policy might be valuable (automated attachment sandboxing does the same inspection without the queue). How bitterly do employees complain about how frequently they have to change passwords? Frequent forced changes are no longer recommended by NIST's password guidance (SP 800-63B), because they push people toward predictable variations of the same password, so this is a cost with little security return.
There is a "reasonable standard of care" in data protection and information technology. I call it "good enough." How do you – as a CEO – know when your IT protection plan is good enough?
- Is there a reasonable amount of comfort with the plan? Use your common sense and decide if you're comfortable with the parameters of your plan.
- Is your IT chief explaining things in a way you can understand? If it's too technical, it's probably too costly.
- Recognize that you will never be 100 percent secure. Cyber criminals work overtime. Physical crimes such as bank robbery are down, but information crime is rising, because criminals make a lot of money this way.
- Measure your return on investment. Will the amount of money you spend help or hurt your company?
- Ask yourself: What is the problem we are trying to fix? How do we know there is a problem? Does this solution fix the problem?
Finally, call your mother. Tell her you love her. Tell her she was right about the mittens, but the extra scarf was too much.