Many managers agree that security solutions are necessary and that the protection of electronic communication is important.
The subject is particularly relevant now, since the new EU General Data Protection Regulation increases the requirements for data protection. But how large the investment should be in order to get the best return is not the easiest question to answer. Management is seldom able to assess the direct economic benefits of the investment for their organization.
This subject can be approached from different perspectives, and the idea of this blog post is to stir ideas and bring forth issues that could be considered.
What is the significance of the information that is owned and used by your company?
The first thing to consider is:
- what information does the company possess,
- what its importance is to the business, and
- how the information is protected.
If a company feels that it holds no information critical to business or to their competitive advantage, then it is clear that there is less interest in budgeting, for example, in security solutions regarding electronic communication.
However, if a company believes that it has information that is business-critical and even essential for maintaining a competitive advantage, then:
The second thing you could consider is:
- where and how the business-critical information moves, and
- what the implications for the company could be if in fact this information got into the wrong hands.
Accordingly, if business secrets or important non-public information are handled unprotected, it might be beneficial to consider what the financial burden could be in the case of this information falling into the wrong hands.
Furthermore, the issue could be approached by reading scientific articles and similar sources that have calculated the average impact of such events on a company's revenue in your own industry. The subject can be studied even deeper to find out how long the negative impact on your own turnover could last, for example in years. You could also find out how vulnerable the most important information for your business really is, meaning the information which, in the wrong hands, could have a long-lasting direct negative impact on the company's revenue.
Only after we have found out a) what the risk of data falling into the wrong hands is, b) what the average negative impact on the revenue is, and c) how long the event would affect the company negatively, can we have some idea of what the risk could cost the company today.
However, we have not taken into account the impact of such an event on customer confidence, the company brand, motivation of the best employees to stay, possible legal actions against the company, and investor confidence and willingness to invest in the company, i.e. the market value of the company.
Interestingly, one might intuitively think that such negative events would affect bigger companies more than smaller ones, but this is not necessarily the case. It has been suggested that smaller companies suffer more from such events than large ones. For example, one reason might be that there is less of a financial buffer, which means the survival of a smaller company is in principle more at stake. Another might be that the company brand is not as strong as that of a bigger company.
The positive effect of information security on business
The above model of thinking does not take into account the positive impact security solutions have on the company brand, or how they affect the customer’s or partner’s trust towards the company.
As a conclusion, I would like to emphasize that, when management is considering investing, for example, in a security solution, it may be useful to do some kind of risk analysis. This could help in understanding the economic risk of a worst-case scenario and also in taking into account the positive impact of a solution. Conducting a risk analysis might make it clear that a company which invests in a security solution seldom has to regret its decision. Quite the contrary.
Positive aspects of investing in information security solutions for electronic communications could be, for example:
- cost savings
- improving company brand
- improving the service experience
- creating an image of an actor who cares for customers’ data
- streamlining processes with electronic operations
- saving resources, e.g. working hours
- switching to a digital era
- becoming a business partner with which it is easy and efficient to operate
Contact me at +358 9 6850 3234 or email me so we can discuss together what kind of risk analysis would best suit your company. I'm looking forward to our coming discussions!