Comment: Staying Secure With a Limited Budget

According to Bryant, austerity and security can co-exist

On October 20, 2010, Chancellor George Osborne fixed spending budgets for each government department up to the 2014–15 financial year. In his speech he confirmed that an average of 19% was to be cut from departmental budgets over the next four years, an additional £7bn would be lost from the welfare budget, and police funding would be reduced by 4% per year. Now, I wouldn’t claim we’re a selfish nation, but the question on everyone’s mind is “how will this affect me?”

As individuals this is certainly an important question, but let’s spare a thought for the IT department managers who now face the even tougher predicament of maintaining the same level of service with less money. Only the very fortunate few will see their budgets untouched as government and local councils attempt to safeguard frontline services at the expense of back-office activities.

So, is it possible to make some savings and still provide a good quality of service?

It would be too depressing if the answer were no, so, thankfully, it can be yes. However, any areas where savings are to be made must be carefully chosen to ensure that they do not jeopardize the mission of an organization.

As an example, consider the situation where an authority has thousands of users working on a Windows-based platform. A new version of the OS is released, which has some nice features, but is it really needed now? The cost of upgrading thousands of users will be high, not just to buy the software but to install it and re-train the users. It could involve using external contractors and might necessitate upgrading hardware.

Delaying this decision for a few years could be fiscally prudent at the moment, unless the new release contains a must-have security feature. Similarly, delaying the upgrading of hardware will produce mid-term savings. Eventually it will have to be done, but much of it can be put off until times are easier.

Reducing the cost of external consultants can provide big savings. This doesn’t have to mean that the work won’t get done – just not yet. What it will mean is that external consultants will share the pain of reduced overall budgets and that contracts will have to be re-negotiated to produce more efficiency and lower hourly rates. It can be done in the interest of long-term relationships.

It’s evident that cuts can be made, and just about everyone could think of an area to start on, but one area that needs careful consideration before anything is done is IT security. Recently the government identified “hostile attacks upon UK cyber space” as a major risk to our national security. Anyone thinking of cutting back spending in this area needs to be certain that security is not being compromised. The government said that it would be spending large amounts on this (figures of £650m have been mentioned), but has anyone actually seen any additional funds yet?

There are, however, things that can be done in the security area that can reduce short- to mid-term costs without placing the organization’s IT security at risk. Today, every organization should be using security solutions at the desktop and network level.

  • There can be no compromise at the desktop level. Anti-virus software must be kept up-to-date as the expense to the organization when curing an infection can be immense – not to mention downtime, risk of data breaches, etc.
  • At the network level it’s important to know that your firewalls/IDS/IPS/UTM work correctly, as this is your first line of defense against hackers.

It’s always tempting to splash out on the latest and greatest software or piece of hardware because the vendor claims it’s the “best thing since sliced bread”. However, there are ways to make existing network security kit work more efficiently and thereby extend its life.

To do this you’ll need to use one of the IP filtering testing solutions that are available. These tools test your network security and tell you if, and where, there are problems. The better ones will actually give you a fix should a problem be found. By applying the fix to the IPS/IDS/UTM/Firewall you can put off the day when you will need to replace it. Regular testing could extend the life of the kit by a considerable amount. Using one of these tools can also produce further savings by reducing the need to employ external penetration testing, which is time consuming and expensive.

By employing IP filtering testing you can significantly reduce the amount of time spent on testing, enable more regular testing to be performed, enable the testing to be done by internal staff, and reduce the reliance upon external pen-testers. This will save money and improve security. It’s a double windfall.

UK Plc can no longer continue to borrow from Peter to pay Paul, so budget cuts are inevitable. Improved security comes at a price – but isn’t it refreshing to discover it can be at a lower one?

Ray Bryant is the chairman and CEO of Idappcom. Bryant started working life in a firm of London chartered accountants and qualified as a Chartered Company Secretary in 1979. His career in IT started in the very early days at Control Data Corporation, in finance, production and logistics. Bryant then spent 15 years with Ciba Geigy, Switzerland, on finance and ERP software implementations in the UK, US, Saudi Arabia, Greece, Turkey and the Philippines. A period at SSA Global Technologies as a financial systems consultant culminated with the creation of an independent compliance company, SLA Management Services (Barham Group), which Bryant headed as chairman and managing director. The Barham Group grew in six years to service many IT companies, including one of the largest IBM mid-range (and UNIX), ERP and CRM software providers in the world. He took the company from start-up to successful sale in 2008. Since then Bryant has been strengthening the security offerings of Idappcom, which resulted in the acquisition of the Traffic IQ product range in 2009.
