Here’s an unsettling statistic for you: according to the Ponemon Institute’s 2014 Global Report on the Cost of Cybercrime, cybercrime incidents in 2014 increased by 10.4% over 2013 numbers.
Another from IBM: after a breach, an organization loses, on average, 29% of market mindshare due to reputation and brand damage, 21% of potential revenue due to lost productivity, and 19% of direct revenue.
With these kinds of numbers floating around, it’s no surprise that our association clients are constantly asking us what kind of investment it’s going to take to secure their mission-critical data. The good news is, if you’re asking this question, you’re already on the right track.
Below we’ll work through the main factors that will affect what your association’s overall IT security investment will look like, and what you should expect to see in the long run.
Key factors that influence the nature of your IT security spend
The amount you want to invest in your association’s IT security each year depends on the following factors:
- Whether or not you’ve had a recent security audit. Before you can make any strides toward bolstering your IT systems, you have to establish a clear baseline. This takes the form of an outside provider performing an objective gap analysis that locates existing vulnerabilities and offers a roadmap for remediation. (Put simply, if you haven’t invested in a security audit recently, you’ll need to.)
- The size and complexity of your association. This one is pretty straightforward; the more nooks and crannies your technology environment has, the more effort (and likely money) it’s going to take to secure them. Not only that, but a larger staff count also means investing more time in properly training them on any security policies.
- The state of your current hardware and software. Are your servers and workstations regularly patched and monitored for health statistics? Are any of your servers out of warranty? Are you running machines with Windows XP, which is no longer supported in any capacity? Is your software patched and properly licensed?
- The nature of your data. Is your association storing sensitive information, be it personal, financial, or otherwise? Are you subject to any compliance regulations? If your data were to get in the wrong hands, what would the repercussions be? The more tightly you need to control your data, the more you’ll need to invest in things like encryption (at the hardware, file, and email level).
- Your tolerance for risk. The million-dollar question: how secure do you want your association to be? Are you comfortable sacrificing maximum protection for the sake of cost savings? Where? Do you trust your employees to follow best practices without any controls in place? As you can probably guess, the lower your tolerance, the higher your costs will be.
How much should associations spend on IT security?
As you can see from the factors above, there is an adoption curve when it comes to security, and your placement on this curve is going to dictate the nature of your overall IT security spend.
Look at it this way: if you are just now taking the initiative to secure your association, you’re going to have to invest a significantly higher amount than those organizations that have been making security a priority and a part of their organizational culture for quite some time.
A security audit on its own, for example, is going to run you an average of $10,000.
From there, you could be looking at an investment of $5,000 to $10,000 in engineering and consulting labor to implement the necessary technology solutions and policies to eliminate existing vulnerabilities.
Once your environment is shored up, you should expect your ongoing security maintenance costs (including testing and adjustments) to hover around $3,000 to $5,000 over the course of each year.
These are some pretty hefty expenses, but keep in mind what it would end up costing your association in reputation, membership, and revenue if a breach were to occur.
If it all just seems too much for you to work through on your own, look for strategic guidance in whatever form is feasible. There are countless resources out there that can help get your spending and your security on the right track.
Can you really afford not to?