In the previous post we gave an overview of why security is an investment and that a Return On Investment (ROI) is measurable. In summary, the better security you have, the higher the likelihood of preventing loss, which will ensure a good return on investment. If – on the other hand – the investment is done badly, it is money wasted. Far too often we see the result of bad investments in security. It leaves a bad taste in the investor’s mouth and negatively affects confidence in the industry. If security is purely price driven instead of result driven, bad decisions are made, and it could be argued that it is better not to spend the money at all. This is why, for example, you find an LCD monitor secured by an entry-level laptop lock, with no option of adding other devices, being called a desktop solution.
In the run-up, 4 main areas were identified and these will be elaborated on in this (and the next) session.
We will be looking at: 1) the ease of implementation, and 2) the difficulty of recovery. The next session will then deal with the last 2 issues on this topic.
1. It is easy to implement
How does the user (non-security professional) know if what was sold to him/her is actually value for money? A simple way that will give a reasonably accurate evaluation is to look at 2 things: 1) is it easy to use and understand, and 2) does it secure everything? If the requirement is to secure a standard desktop computer one has to recognize that it consists of several essential parts (CPU box, LCD screen, Mouse, Keyboard, cabling). Does the security solution secure all these parts and how difficult was it to install?
In a consumer marketplace, we know that you can ‘Google’ something you need and most likely find a bunch of options within a few seconds and within a few kilometers from where you are. Simply setting a budget and getting the first person you trust to meet your requirements will normally get you a result.
The question therefore is not whether you have security but whether it will actually work for you. The distinguished provider therefore needs to be superior at the same things in order to service a consumer better. For example: more security vehicles in your area; intelligent IR systems; higher quality locks; shorter lead times; etc…
Lastly, understand that the higher the level of security, the less user-friendly it becomes. The prospective buyer will do well to remember this before accepting the first option that crosses their desk.
2. Recovery is hard and with low success.
The security industry is not renowned for being revolutionary. What we mean is that CCTV, alarms, gates and locks have been around for decades. Sure, there have been improvements but nothing jumps to mind as being revolutionary to the industry. There is no ‘Uber’ that disrupts the security industry like it did the taxi industry.
We all, at some level or another, subscribe to the somewhat cynical notion that stolen items become broken items. We therefore buy security products in the hope of preventing loss. In general, this is buying the same items with varying levels of improvements, tailoring and ingenuity. We hope that in the event of a break-in the perpetrator(s) will come in harmlessly without making a mess and only take the broken microwave in the corner – and then leave. So, we invest in cloud-based backup systems and/or data storage systems. We increase our insurance policy even though we hate seeing the debit order going off at the end of every month.
And after all that the hit comes and 10 office PCs get swiped! Do you expect to get them back? Or, do you even want them back considering equipment damage and the failure that might come with it?
The truth is, recovery is hard. Procedures need to be followed before stolen goods can be returned, and this does not include fixing the door/window that got knocked in during the event. You will still have the insurance claim to deal with, you will still have the down-time while waiting for new/recovered equipment and you will still have the inconvenience of feeling vulnerable.
So, what if you went out and got an IT Security professional to give you advice on what to do? Someone who will tell you that not only is access prevention important, but that frustrating the perpetrator with internal security measures like cloak- and pepper-gas alarms and/or physical security will in 90% of cases prevent any loss, any downtime and return visits.
Ask yourself: how do I get the right advice? Your computer supplier might give some advice but their primary focus is the computer. It’s like going to the doctor (GP) and asking for marriage advice. He/she might know something about it, but if they have your best interest at heart you will get referred to a specialist in that field. Ask yourself if your IT service provider is doing the same.
You don’t have to go buy the most expensive solution – you just have to get the right one!