Maksim Kabakou - Fotolia

Q&A: James Plouffe, lead solutions architect at MobileIron

Just how much do security breaches really cost? Nick Booth puts the question to MobileIron

Calculating the cost of a breach can be incredibly difficult. The most easily quantifiable measures are regulatory fines and settlements, but it’s harder to decipher the financial implications of business downtime or the marketing strategies needed to mitigate customer concerns. That’s before you consider reputational damage and loss of competitive advantage.

A lot of organisations cite reputation as the most important asset. Putting a price on 80 years in business is no small task. All of these elements have to be factored in to even have a chance of accurately measuring the impact of a data breach.

The cyber security industry is full of hype and scaremongering. Each new iteration of malware or data breach stokes the fires of security fears once again. Yes, many threats can be hugely damaging, but it’s not always clear how one compares to another. What answers does MobileIron have to offer?

What’s the best way to work out how much you need to invest in cyber security and justify that to the bosses who sign it off?

There’s no universal model, but most organisations have to factor in the level of exposure, brand recognition, intellectual property, industry compliance requirements and government legislation.

Often, action is taken retrospectively after a breach, adding more security to the compromised areas. Risk management is a better model, however, and clarity helps security departments focus on business value with clear measurable results.

Some companies have a culture where the staff are in a permanent state of seething resentment. Surely, they need to be identified because they need to spend more on security than regular companies with happy cultures?

Granular factors such as employee morale, physical theft of equipment and propensity to human error can contribute to data loss. However, a comprehensive risk assessment and full IT estate inventory helps to allocate spend to the most affected areas of the business.

Many organisations have plans for natural disasters and work stoppage. Cyber security and data breaches should have that same level of scrutiny and preparedness.

Surely, the whole bring your own device (BYOD) movement, created by IT firms, drives a coach and horses through anyone’s budget ceiling, not to mention their defences?

Shadow IT was once used to describe anything that wasn’t supported by the IT department. But with BYOD and cloud-based apps the term takes into account a much broader remit. This makes securing a network extra challenging, but not impossible.

Forward-thinking IT departments are opting for EMM [enterprise mobility management] suites which allow teams to manage company-owned and employee-owned devices from a single pane of glass. 

What security strategy do you recommend to clients?

Classify their assets, identify the risks to those assets and define their risk tolerance. This determines what risks they need to mitigate and which they can accept. This exercise may include detailing which devices are corporate-owned and loaned to employees and what level of access each employee gets.

Read more on Data Protection Services