Target, Home Depot, JPMorgan Chase, Anthem – the list of industry giants that have recently experienced a sophisticated cyberattack continues to grow. However, savvy IT professionals know that organizations of all sizes are vulnerable to security breaches. Why? A lack of dedicated resources and expertise to address increasingly sophisticated security threats is the main reason. Focusing on compliance over data security is another, especially in light of the steep fines being levied on organizations that are required to maintain a strong compliance posture against HIPAA, PCI and SOX regulations.
The cost of in-house data security teams
So, how can organizations fortify themselves against potential cyberattacks? Basically, they have two options. The first is to build an in-house data security team and arm it with a suite of the latest intrusion detection and malware protection tools. For many organizations, this is an expensive endeavor. Below are the typical annual costs involved.
- Security Analyst: $92,120
- Intrusion Detection System: $15,000
- Malware Protection: $15/Server
- Integrity Monitoring: $4,000 + $595/Server
- Vulnerability Scanning: $360
- Software Maintenance: $4,140
A single security analyst who oversees the entire threat management cycle may cost a small business with a significant online presence as much as $280,000 over a three-year period. Having a five-person security team that provides 24 x 7 x 365 coverage would cost the same organization an additional $1 million over the same period.
That is, if they can find this in-demand talent. According to a recent study by Hewlett-Packard and the Ponemon Institute, approximately 40% of security positions went unfilled in 2014, resulting in 70% of data security teams being understaffed.
Data security questions to ask potential cloud providers
Few organizations have the time and resources to source, vet, hire and retain top-tier data security and compliance talent. As a result, they are increasingly turning to managed cloud service providers (CSPs) that have this expertise in-house. While there are literally hundreds of cloud service providers that claim to provide secure, compliant managed cloud solutions, a small percentage of them can actually deliver on their promises. Organizations in the market for data security and compliance services need to do their homework and evaluate potential CSPs based on key criteria including the following.
- Does the CSP have the ability to conduct a thorough data security assessment tailored to every individual customer’s unique needs?
- Do they have an in-house, dedicated information security and compliance team that is fluent in the complexities of security as it relates to specific compliance regulations such as HIPAA, PCI DSS and SOX?
- Do they perform intrusion detection across the full IT infrastructure using automated log collection, analysis, alerting and reporting capabilities?
- Do they create, test and document disaster recovery procedures for each individual client to ensure the availability of mission-critical data at all times?
- Do they undergo annual risk assessments and compliance reviews from separate assessors to maintain a solid compliance posture against HIPAA/HITECH, PCI DSS and SOX regulations?
These are just a few factors for organizations to consider when evaluating their current data security posture and resource requirements.