Network Security - The 95/5 Solution
Our Premise: 95% of Network Security issues can be addressed with 5% of
the effort and investment.
EXECUTIVE SUMMARY - To meet a "Standard of Reasonable Care" for Network
and Information Security, most companies need only implement the process
explained below. Initial costs are typically less than $5,000. Beyond meeting
a reasonable standard of care, the program also decreases costs and increases
income at the same time, as the ROI section below shows.
The Security Process
How can such a high level of security be achieved without major expense? There
are a number of reasons; here are the most important:
- Hackers, worms and viruses normally exploit known vulnerabilities that the network
admin has not yet patched, either because they are overwhelmed, afraid of breaking
the software, or unaware of the vulnerability;
- Insider attackers are, in most cases, not that sophisticated; the problem is that
many users do dumb things (a password identical to their username, never logging
off their machine even at night, or the password-on-a-Post-It-stuck-to-the-bottom-corner-of-the-monitor
thing);
- Firewalls are useless unless they are properly configured;
- Access control policies are missing, so nobody has decided who should be able to reach what;
- Your IT staff spend all of their time keeping your business running, are not security experts,
and don't always see security as a business issue;
- Network wiring matters: don't plug your Internet-facing web servers into the same
segment as your internal LAN, for example. Put them on a separate firewall segment
(a DMZ) so that a compromised web server cannot talk directly to your file servers
and workstations;
- Information is not properly backed up or taken off site.
Even if you have your own in-house IT staff, it is standard advice to have an
outside consultant double-check your network security: consultants do this
work all day, and your own people are so close to the situation that they miss
problems a trusted outsider with a fresh viewpoint identifies easily.
Here is the step-by-step approach we've developed, and the
total cost of the process (this example assumes you have 5 servers and 145 workstations,
all on a single Class C subnet, i.e. one /24 with 254 usable addresses):
- We use our own proprietary toolset to scan your IP range from the Internet,
which shows the information and access points your network exposes publicly.
This finds problems such as firewall misconfiguration, internal machines that
are directly reachable on external IP addresses, and unnecessarily open ports
and running services, among others.
- From the external scan, we generate a list of critical items to address
first, to immediately lock down obvious trouble points.
- We then run an "Internal Vulnerability Scan" across your entire LAN, which
quickly audits, identifies and reports on a host of configuration and
user-setting problems: weak or blank passwords, unpatched OSs and applications,
dial-up modems, wireless access points, trojans, and unnecessary shares and
services. Our scanning software now checks for more than 3,000 vulnerabilities
known to have been exploited in the past. Your entire network can be scanned in
a matter of hours; imagine how long it would take to physically visit each
machine and perform the same checks by hand. Executive Summary and Detailed
Action reports are generated.
- How do we address the discovered issues? We strategize with you and develop
a plan that addresses the classes of issues in priority order: the exposures
visible from the Internet first, then the internal ones. Wiring matters. So does
installing critical patches and hotfixes for OSs and applications. We make sure
the firewall is running the latest firmware and is properly configured. We set
dates and deliverables. We make sure it gets done. We work in conjunction with
your in-house staff to control costs.
- If you have servers that must retain an external IP address, we run more
intensive "External Penetration Testing" against them, to confirm that the
services they still expose withstand a targeted attack.
- We typically then re-run both the initial external and network-wide scans,
to verify that everything is locked down and that nothing was missed or
reopened in the meantime.
- Total outsourced cost of the whole program: $4,000 to $6,000, as described
above, when your IT staff is used to address issues which are within their
normal activity area.
- The one missing element is to institute "Information Security Policies"
in your workplace. We can supply you with a set as a starting point for creating
your own policies, at no charge as part of our services. You should publish
and distribute these policies within your organization, and have employees
and other associates complete quizzes based on the policy content. If the
quiz results for an individual are not acceptable, have IT or HR visit with
that individual, explain the policies that were misunderstood, and re-test.
- Of course, you also need business-class antivirus protection running in
real time on all machines, and reliable off-site backups - but you've already
made sure of these, right? (If not, we can help.)
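Here is what the scan, check, remediate and re-scan loop described above looks like in code. This is an added example, not the proprietary toolset the page refers to: it probes a list of hosts for open TCP ports, compares the result with an allowlist of the services each host is supposed to expose (a host absent from the allowlist is allowed nothing, which is how an internal machine that quietly acquired an external address shows up), and diffs a re-scan against the first scan so you can confirm the lockdown closed what it was meant to close. The addresses (in the 192.0.2.0/24 documentation range), the ports, the allowlist and the function names (`scan`, `policy_violations`, `rescan_diff`, `audit`, `canned_probe`) are all my constructions for illustration; `scan` takes an injectable probe so the sample runs offline against a canned result, and `tcp_open` is the real probe you would pass for a live run against your own range.

```python
"""
Added example (not the page's proprietary toolset): a minimal external
exposure audit with an allowlist check and a re-scan diff.
Addresses, ports and the allowlist below are constructed for illustration.
"""
import socket
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Ports worth probing on a first pass over a small-business perimeter.
DEFAULT_PORTS: List[int] = [21, 22, 23, 25, 53, 80, 110, 135, 139, 143,
                            389, 443, 445, 1433, 3306, 3389, 5900]


def tcp_open(host: str, port: int, timeout: float = 0.5) -> bool:
    """Live probe: a plain TCP connect. True when the port accepts the connection."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def scan(hosts: Iterable[str],
         ports: Iterable[int] = DEFAULT_PORTS,
         probe: Callable[[str, int], bool] = tcp_open,
         workers: int = 64) -> Dict[str, Set[int]]:
    """Return {host: set of open ports}. `probe` is injectable so the policy
    logic can be exercised offline against a canned result."""
    hosts = list(hosts)
    targets: List[Tuple[str, int]] = [(h, p) for h in hosts for p in ports]
    found: Dict[str, Set[int]] = {h: set() for h in hosts}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for (h, p), is_open in pool.map(lambda t: (t, probe(*t)), targets):
            if is_open:
                found[h].add(p)
    return found


def policy_violations(found: Dict[str, Set[int]],
                      allowed: Dict[str, Set[int]]) -> Dict[str, Set[int]]:
    """Open ports the allowlist does not sanction. A host missing from the
    allowlist is allowed nothing, so every open port on it is a finding."""
    violations: Dict[str, Set[int]] = {}
    for host, open_ports in found.items():
        extra = open_ports - allowed.get(host, set())
        if extra:
            violations[host] = extra
    return violations


def rescan_diff(before: Dict[str, Set[int]],
                after: Dict[str, Set[int]]) -> Tuple[Dict[str, Set[int]], Dict[str, Set[int]]]:
    """Ports the remediation closed, and ports open now that were not open before."""
    closed: Dict[str, Set[int]] = {}
    opened: Dict[str, Set[int]] = {}
    for host in set(before) | set(after):
        b, a = before.get(host, set()), after.get(host, set())
        if b - a:
            closed[host] = b - a
        if a - b:
            opened[host] = a - b
    return closed, opened


# Constructed sample: a web server with SSH and RDP left reachable, and a
# mail server that still has Windows file sharing exposed to the Internet.
SAMPLE_BEFORE = {"192.0.2.10": {22, 80, 443, 3389},
                 "192.0.2.20": {25, 110, 135, 139, 445}}
# What each host is supposed to expose according to the firewall policy.
ALLOWED = {"192.0.2.10": {80, 443},
           "192.0.2.20": {25}}
# Constructed re-scan result after remediation: POP3 on the mail server was missed.
SAMPLE_AFTER = {"192.0.2.10": {80, 443},
                "192.0.2.20": {25, 110}}


def canned_probe(table: Dict[str, Set[int]]) -> Callable[[str, int], bool]:
    """Build a probe that answers from a constructed result instead of the network."""
    return lambda host, port: port in table.get(host, set())


def audit(before_table, after_table, allowed):
    """Run the scan -> check -> remediate -> re-scan loop against canned results."""
    first = scan(before_table, probe=canned_probe(before_table))
    second = scan(after_table, probe=canned_probe(after_table))
    closed, opened = rescan_diff(first, second)
    return {"initial_findings": policy_violations(first, allowed),
            "closed": closed,
            "newly_opened": opened,
            "remaining_findings": policy_violations(second, allowed)}


if __name__ == "__main__":
    for label, detail in audit(SAMPLE_BEFORE, SAMPLE_AFTER, ALLOWED).items():
        print(f"{label}: {detail}")
    # Live run against your own range, for example:
    # print(policy_violations(scan(["203.0.113.5"]), ALLOWED))
```

Running it with the canned data reports SSH and RDP on the web server and POP3 plus the three SMB ports on the mail server as initial findings; the re-scan diff shows everything closed except POP3, which stays in the remaining findings. That last line is the point of the second scan: the remediation plan said "done", the network says otherwise.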
WHAT'S THE RETURN ON INVESTMENT?
The cost of achieving "95% Secure Networking" has now been established
($4,500 on average, in the above example). Here's the low-hanging fruit:
- Letting employees know you are serious about Network and Information Security
and Policies will result (conservatively) in one half-hour per day of increased
productivity for each Internet-connected worker. With 140 of them, and work time
worth $25/hour on average, that is 70 hours, or $1,750, per day; the $4,500
investment pays back in under three working days, well within one week.
If you are weighing the ROI in terms of the cost of potential liability,
your investment is akin to the premium paid on an insurance policy: you are
insuring against the probability that a catastrophe will occur in a given time
frame, so the expected loss avoided is that probability multiplied by the cost
of the event.
Here are some examples of PC/ROI (Probability Costing Return on Investment),
computed as (probability x possible cost) / $4,500:
- Let's say that without properly implemented and tested information policies,
an employee used corporate e-mail to send messages which were deemed to be
sexually harassing by a jury. Possible Cost: $100,000 in award and legal costs.
Probability of occurring in any given year: 10% (or substitute your own guess).
PC/ROI for our example: $10,000 (.10 x $100,000) / $4,500 = 222%.
- Or, consider what could happen if an ex-employee whose user account
wasn't deleted teamed up with a knowledgeable coder after he went to work
for your competitor, hacked in and downloaded a copy of your marketing plan
for next year, and your reps in the field were always a day late and priced
a bit too high. Possible Cost: $250,000 in lost margin (feel free to put in
your own values here). Probability of occurring: 10% (again, it's somewhere
between 1% and 99%). PC/ROI: $25,000 / $4,500 = 556%.
- A more common example: one of your employees surfs to risque websites while
tucked in his cubicle at lunchtime because, he'll claim, he didn't know he
wasn't permitted to do so. He picks up a virus or trojan there, in part because
you are not forcing all your machines to run real-time antivirus protection.
It spreads across your LAN to infect 10 other desktops and 2 servers before
it is stopped. Possible Cost: $7,800, composed of $3,000 in IT time to repair
all the involved machines, plus lost productivity at $25/hour for all 12
machines averaging two days (16 hours) of downtime each, or $4,800. Probability
of occurring in any given year: 100% (or more?). PC/ROI: $7,800 / $4,500 = 173%.
- Note that in all but the last of the above examples, even if you reduce the
"Probability" to just 5% (in other words, the bad thing would only happen
once every 20 years if you totally ignored network security), you still achieve
an ROI of roughly 100% or better in just one year: $5,000 / $4,500 = 111% for
the harassment case and $12,500 / $4,500 = 278% for the stolen marketing plan.
The virus example works out to only 9% at that probability, but a 5% figure is
unrealistic for that one; the example assigns it 100% per year.
What about the other 5%?
Depending upon the size of your organization and its mission-critical resources,
you might also be able to justify additional security investments for:
- Web Filtering: cost $15 or so per employee per year. What is it? You control
where and when your employees can surf the web, whether they can run instant
messengers such as ICQ, whether they can access personal e-mail accounts at
Yahoo and Hotmail, and more. Who needs it? Almost everyone: schools, brokers,
manufacturers, attorneys; in short, just about anyone concerned about workplace
productivity, security and liability.
- Intrusion Detection: cost $49 to $5,000, or more. Who needs it? Everyone with
a direct Internet connection, whether the T1 at work or the DSL/cable modem at home.
- Content Inspection: cost $1,000 to $5,000, or more. Who needs it? Everyone. Have
you ever heard of spyware, malware or adware? If not, we are 100% sure your IT
staff has; they are probably spending plenty of hours resolving problems caused by it.
- Emergency Response Planning: cost $0 (if all done in-house) to $10,000 (small/midsize business).
Who needs it? Everyone, but the probability of a Class 1, 2 or 3 emergency
happening to your organization is, in all likelihood, less than 5% this year.
You can afford to get to this later, but please don't ignore it forever. Owners
do pass away eventually, and car accidents and fires do happen.
- Disaster Recovery Planning: cost $3,000 to $35,000 (for the SMB). Who needs
it? Just about everyone who uses computers to manage their core business activities.
You are a manufacturing plant employing 250. Do you need it? Yes.