
The cost of the information security system. Information security: a cost source or a strategic investment? Security costs are on the rise.

The term "information security" has different meanings depending on context. In its broadest sense, it refers to protecting confidential information, production processes and company infrastructure from deliberate or accidental actions that lead to financial damage or loss of reputation.

Information security principles

In any industry, the basic principle of information security is to maintain a balance between the interests of the citizen, society and the state. Maintaining this balance is difficult because the interests of society and the citizen are often in conflict. A citizen seeks to keep the details of his private life, the sources and level of his income, and his misdeeds secret. Society, on the contrary, is interested in "declassifying" information about illegal income, corruption and criminal acts. The state creates and manages a restraining mechanism that protects the citizen's right to non-disclosure of personal data while at the same time regulating the legal relations involved in uncovering crimes and bringing the perpetrators to justice.

The principle of legal support for information security takes on particular importance today, when regulation does not keep pace with the development of the information security industry. Legal gaps not only allow cybercriminals to evade responsibility but also hinder the adoption of advanced data protection technologies.

The principle of globalization, or systems integration, of information protection affects all sectors: political, economic and cultural. The development of international communication systems requires consistent data security across them.

According to the principle of economic expediency, the benefit of information security measures must match or exceed the resources spent on them. Unrecoverable spending on maintaining a security system only harms progress.

The principle of flexibility of information protection systems means removing any regime restrictions that prevent the creation and adoption of new technologies.

The principle of non-secrecy presupposes that strict regulation applies to confidential information, not to open information.

The more different hardware and software security tools are used to protect data, the more varied the knowledge and skills an attacker needs in order to discover vulnerabilities and bypass the protection. The principle of diversity of protective mechanisms in information systems aims to strengthen information security in exactly this way.

The principle of ease of control of a security system is based on the observation that the more complex an information security system is, the harder it is to check the consistency of its individual components and to administer it centrally.

The key to a loyal attitude of personnel towards information security is constant training in the security rules and clear explanation of the consequences of breaking them, up to and including the bankruptcy of the company. Under the principle of loyalty, the security provided by data security administrators and all company personnel is linked to employee motivation. If employees, as well as counterparties and customers, perceive information security as an unnecessary or even hostile phenomenon, even the most powerful systems cannot guarantee the security of the company's information.

The principles listed above are the basis for ensuring information security in all industries and are supplemented with elements that depend on the specifics of each industry. Let us look at the examples of the banking sector, energy and the mass media.

Banks

The development of cyberattack techniques forces banks to introduce new security systems and constantly improve the basic ones. The goal of developing information security in the banking sector is to create technological solutions capable of securing information resources while allowing the latest IT products to be integrated into the key business processes of financial institutions.

Information security mechanisms for financial institutions are built in accordance with ratified international conventions and agreements, as well as federal laws and standards. The following are the benchmark documents in the field of information security for Russian banks:

  • Bank of Russia standard STO BR IBBS-1.0-2010 "Ensuring information security of organizations of the banking system of the Russian Federation";
  • Federal Law No. 161 "On the National Payment System";
  • Federal Law No. 152 "On Personal Data";
  • PCI DSS (Payment Card Industry Data Security Standard) and other documents.

The need to follow different laws and standards stems from the fact that banks carry out many different operations and work in different areas, each of which needs its own security tools. For example, ensuring information security in remote banking services (RBS) includes building a security infrastructure that comprises protection of banking applications, control of data flows, monitoring of banking transactions and incident investigation. Multi-component protection of information resources minimizes the threats associated with fraud in RBS services and protects the bank's reputation.

The information security of the banking sector, like that of other industries, depends on staffing. A peculiarity of information security in banks is the increased attention paid to security specialists at the level of the regulator. In early 2017, the Bank of Russia, together with the Ministry of Labor and Social Protection and with the participation of FSTEC and the Ministry of Education and Science, for information security specialists.


Energy

The energy complex is one of the strategic industries that require special information security measures. While standard information security tools are sufficient at workplaces in administrations and departments, protection at the technological sites where energy is generated and delivered to end users needs increased control. The main object of protection in the energy sector is not information but the technological process. Here the security system must ensure the integrity of the technological process and of the automated control systems. Therefore, before introducing information security mechanisms at enterprises in the energy sector, experts study:

  • the object of protection - the technological process;
  • the devices used in power engineering (telemechanics);
  • accompanying factors (relay protection, automation, energy metering).

The importance of information security in the energy sector is determined by the consequences of cyber threats being realized. These are not only material damage or a blow to reputation, but above all harm to the health of citizens, damage to the environment and disruption of the infrastructure of a city or region.

Designing an information security system in the energy sector begins with forecasting and assessing security risks. The main assessment method is modeling of possible threats, which helps to allocate resources rationally when organizing the security system and to prevent cyber threats from being realized. In addition, security risk assessment in the energy sector is continuous: auditing is carried out constantly during the system's operation so that settings can be changed in good time to maintain the maximum degree of protection and keep the system up to date.

Mass media

The main task of information security in the media is to protect national interests, including those of the citizen, society and the state. Under modern conditions, the activity of the mass media boils down to creating information flows in the form of news and journalistic materials that are received, processed and delivered to end users: readers, viewers and site visitors.

Security in the mass media is provided and controlled in several directions and includes:

  • developing recommendations on anti-crisis procedures in case the threat of an information attack is realized;
  • information security training programs for employees of media editorial offices, press services and public relations departments;
  • temporary external administration of an organization that has been subjected to an information attack.

Another information security problem in the media is bias. To ensure objective coverage of events, a protection mechanism is needed that shields journalists from pressure by government officials, management and/or the owner of the media outlet, and at the same time insures bona fide businesses against the actions of dishonest media representatives.

Restricting access to data is another cornerstone of information security in the media sector. The difficulty is to ensure that restricting access to information in order to prevent information threats does not become a "cover" for censorship. A solution that would make the work of the media more transparent and help avoid harm to national security interests is contained in the draft Convention on Access to Information Resources, which is awaiting a vote in the European Union. Under the document, the state provides equal access to all official documents by creating appropriate registries on the Internet and sets access restrictions that cannot be changed. There are only two exceptions that allow restrictions on access to information resources to be lifted:

  • public benefit, which implies the ability to disclose even data that would not be disseminated under normal conditions;
  • national interest, if hiding the information harms the state.

Private sector

With the development of a market economy, growth and tougher competition, a company's reputation becomes an inseparable part of its intangible assets. The formation and preservation of a positive image depend directly on the level of information security. There is also a feedback effect: a company's established image in the market serves as a guarantee of its information security. With this approach, three types of business reputation can be distinguished:

1. The image of a "useless" organization, whose information resources are of no interest because they cannot be used to the detriment or benefit of a third party.

2. The image of a strong adversary, whose security is more trouble to threaten than it is worth. Keeping the limits of its ability to repel an information attack unclear helps to maintain the reputation of a formidable adversary: the harder it is to gauge the potential of its information protection, the more unapproachable the company looks in the eyes of attackers.

3. The image of a "useful" organization. If a potential aggressor is interested in the company's viability, dialogue and the formation of a common information security policy are possible instead of an information attack.

Every company organizes its activities in compliance with the law and in pursuit of its goals. The same criteria apply to developing an information security policy and to implementing and operating internal security systems for confidential data and IT resources. To ensure the highest possible level of information security in an organization, after the security systems are deployed their components should be systematically monitored, reconfigured and updated as needed.

Information protection of strategic facilities

In early 2017, the State Duma of the Russian Federation adopted in the first reading a package of bills concerning information security and the country's critical information infrastructure.

The main sources of information threats in the military sphere of the Russian Federation.

The chairman of the parliamentary committee on information policy, information technology and communications, Leonid Levin, presenting the bills, warned of an increase in the number of cyberattacks on strategically important facilities. At a meeting of the committee, FSB representative Nikolai Murashov said that 70 million cyberattacks had been carried out on facilities in Russia during the year. Along with the growing threat of external attacks, the scale, complexity and coordination of information attacks within the country are increasing.

The bills passed by parliamentarians create a legal basis for ensuring information security in the field of national critical infrastructure and individual industries. In addition, the bills define the powers of state bodies in the field of information security and provide for tougher criminal liability for information security violations.

Purpose of the study: to analyze and determine the main trends in the Russian information security market.
Sources: Rosstat data (statistical reporting forms No. 3-Inform, P-3, P-4), financial statements of enterprises, etc.

Use of information and communication technologies and information security tools by organizations

  • This section was prepared using aggregated data of organizations, including their geographically separate divisions and representative offices, from Form 3-Inform, "Information on the use of information and communication technologies and the production of computing equipment, software and services in these areas".

The period 2012-2016 was analyzed. The data do not claim to be complete (they are collected for a limited number of enterprises) but, in our opinion, can be used to assess trends. The number of responding enterprises over the period ranged from 200 to 210 thousand. The sample is thus fairly stable and includes the most likely consumers (large and medium-sized enterprises), which account for the bulk of sales.

Availability of personal computers in organizations

According to statistical reporting form 3-Inform, in 2016 the Russian organizations that reported on this form had about 12.4 million personal computers (PCs). Here a PC means a desktop or laptop computer; the concept does not include mobile phones and handheld computers.

Over the past 5 years, the number of PCs in organizations in Russia as a whole has grown by 14.9%. The best-equipped federal district is the Central Federal District, which accounts for 30.2% of PCs in companies. The undisputed leader on this indicator is the city of Moscow: according to 2016 data, Moscow companies have about 1.8 million PCs. The lowest value was recorded in the North Caucasus Federal District, whose organizations have only about 300 thousand PCs, with the smallest number in the Republic of Ingushetia at 5.45 thousand.

Fig. 1. Number of personal computers in organizations, Russia, millions.

Information and communication technology spending by organizations

In 2014-2015, due to the unfavorable economic environment, Russian companies were forced to minimize their costs, including spending on information and communication technologies (ICT). In 2014 ICT spending fell by 5.7%, but by the end of 2015 a slight positive trend had appeared. In 2016, Russian companies' spending on ICT amounted to 1.25 trillion rubles, exceeding the pre-crisis level of 2013 by 0.3%.

Most of the spending falls on companies located in Moscow: over 590 billion rubles, or 47.2% of the total. The largest ICT expenditures by organizations in 2016 were recorded in the Moscow region (76.6 billion rubles), St. Petersburg (74.4 billion rubles), the Tyumen region (56.0 billion rubles), the Republic of Tatarstan (24.7 billion rubles) and the Nizhny Novgorod region (21.4 billion rubles). The lowest was recorded in the Republic of Ingushetia, 220.3 million rubles.

Fig. 2. Organizations' spending on information and communication technologies, Russia, billion rubles.

Use of information protection means by organizations

Recently there has been a significant increase in the number of companies using information security tools. The annual growth rate of their number is fairly stable (with the exception of 2014) at about 11-19% per year.

According to official Rosstat data, the most widely used means of protection at present are technical means of user authentication (tokens, USB keys, smart cards). Of more than 157 thousand companies, 127 thousand (81%) reported using these means of information protection.

Fig. 3. Distribution of organizations by use of information security tools, 2016, Russia, %.

According to official statistics, in 2016 161,421 companies used the Internet for commercial purposes. Among organizations that use the Internet for commercial purposes and reported using information security tools, the electronic digital signature is the most popular: over 146 thousand companies, or 91% of the total, indicated it as a means of protection. By information security tool used, the companies were distributed as follows:

    • electronic digital signature tools - 146,887 companies;
    • regularly updated antivirus software - 143,095 companies;
    • software or hardware preventing unauthorized access by malware from global or local computer networks (firewall) - 101,373 companies;
    • spam filter - 86,292 companies;
    • encryption tools - 86,074 companies;
    • computer or network intrusion detection systems - 66,745 companies;
    • software for automating security analysis and control of computer systems - 54,409 companies.

Fig. 4. Distribution of companies using the Internet for commercial purposes by means of protecting information transmitted over global networks, 2016, Russia, %.

In 2012-2016, the number of companies using the Internet for commercial purposes increased by 34.9%. In 2016, 155,028 companies used the Internet to communicate with suppliers and 110,421 to communicate with consumers. Of the companies using the Internet to communicate with suppliers, the purposes indicated were:

  • obtaining information about required goods (works, services) and their suppliers - 138,224 companies;
  • providing information about the organization's needs for goods (works, services) - 103,977 companies;
  • placing orders for goods (works, services) needed by the organization (excluding orders sent by e-mail) - 95,207 companies;
  • paying for supplied goods (works, services) - 89,279 companies;
  • receiving electronic products - 62,940 companies.

Of the companies using the Internet to communicate with consumers, the purposes indicated were:

  • providing information about the organization and its goods (works, services) - 101,059 companies;
  • orders for goods (works, services) (excluding orders sent by e-mail) - 44,193 companies;
  • electronic settlements with consumers - 51,210 companies;
  • distribution of electronic products - 12,566 companies;
  • after-sales service - 13,580 companies.

The volume and dynamics of the budgets of federal executive authorities for information technology in 2016-2017

According to the Federal Treasury, the total limits of budgetary obligations for 2017 communicated to the federal executive authorities under expenditure type code 242, "Purchase of goods, works and services in the field of information and communication technologies", in the part not constituting a state secret, amounted to 115.2 billion rubles as of August 1, 2017. This is approximately 5.1% higher than the total IT budgets of the federal executive authorities in 2016 (109.6 billion rubles, according to the Ministry of Telecom and Mass Communications). Thus, while the total IT budget of federal departments continues to grow year on year, the growth rate has slowed (in 2016 the total grew by 8.3% compared with 2015). At the same time, the stratification between "rich" and "poor" departments in terms of ICT spending keeps increasing. The undisputed leader, not only in budget size but also in the level of IT achievements, is the Federal Tax Service: its ICT budget this year exceeds 17.6 billion rubles, more than 15% of the budget of all federal executive authorities. The combined share of the top five (Federal Tax Service, Pension Fund, Treasury, Ministry of Internal Affairs, Ministry of Telecom and Mass Communications) is more than 53%.

Fig. 5. Structure of budget expenditures on the purchase of goods, works and services in the field of information and communication technologies by federal executive body, 2017, %.

Legislative regulation in the field of procurement of software for state and municipal needs

From January 1, 2016, all state and municipal bodies, the state corporations Rosatom and Roscosmos, the governing bodies of state off-budget funds, and state and budgetary institutions that make purchases under Federal Law No. 44-FZ of April 5, 2013 "On the contract system in the field of procurement of goods, works and services to meet state and municipal needs" are obliged to comply with the ban on admitting software originating from foreign countries to procurements for state and municipal needs. The ban was introduced by Decree of the Government of the Russian Federation No. 1236 of November 16, 2015 "On establishing a ban on the admission of software originating from foreign countries for the purpose of procurement to meet state and municipal needs". When purchasing software, these customers must explicitly state the ban on purchasing imported software in the procurement notice. The ban applies to the procurement of computer software and databases, whether supplied on a tangible medium or electronically over communication channels, as well as to exclusive rights to such software and rights to use it.

There are a few exceptions under which customers are allowed to purchase imported software:

  • purchases of software and/or rights to it by diplomatic missions and consular offices of the Russian Federation, and by trade missions of the Russian Federation to international organizations, to support their activities on the territory of a foreign state;
  • procurement of software and/or rights to it where information about the software and/or the procurement itself constitutes a state secret.

In all other cases, before purchasing software the customer must consult the unified register of Russian computer programs and databases and the classifier of computer programs and databases.
The register is formed and maintained by the Ministry of Telecom and Mass Communications of Russia as the authorized federal executive body.
As of the end of August 2017, the register contained 343 software products in the "information security tools" class from 98 Russian development companies, including products of such large Russian developers as:

  • OJSC Information Technologies and Communication Systems (Infotecs) - 37 software products;
  • AO Kaspersky Lab - 25 software products;
  • Security Code LLC - 19 software products;
  • Crypto-Pro LLC - 18 software products;
  • Doctor WEB LLC - 12 software products;
  • LLC "S-Terra CSP" - 12 software products;
  • CJSC "Aladdin R.D." - 8 software products;
  • InfoWatch JSC - 6 software products.

Analysis of the activities of the largest players in the field of information security

  • The main information used in this study to analyze the activities of the largest players in the information security market was data on public procurement in the field of information and communication activities and, in particular, information security.

To analyze trends, we selected 18 companies that are among the leaders of the information security market and actively participate in government procurement. The list includes both developers of software and hardware-software protection systems and the largest system integrators. The total revenue of these companies in 2016 amounted to 162.3 billion rubles, 8.7% more than in 2015.
The companies selected for the study are listed below.

Tab. 1. Companies selected for the study

No. | Name | INN | Type of activity (OKVED 2014)
1 | I-Teco, JSC | 7736227885 | Other activities related to the use of computers and information technology (62.09)
2 | Croc Incorporated, JSC | 7701004101 |
3 | Informzashita, CJSC NIP | 7702148410 | Research and development in the social sciences and humanities (72.20)
4 | Softline Trade, JSC | 7736227885 |
5 | Technoserv AS, LLC | 7722286471 | Wholesale of other machinery and equipment (46.69)
6 | Elvis-plus, JSC | 7735003794 |
7 | Asteros, JSC | 7721163646 | Wholesale of computers, computer peripherals and software (46.51)
8 | Production company Aquarius, LLC | 7701256405 |
9 | Lanit, JSC | 7727004113 | Wholesale of other office machinery and equipment (46.66)
10 | Jet Infosystems, JSC | 7729058675 | Wholesale of computers, computer peripherals and software (46.51)
11 | Dialogue Science, JSC | 7701102564 | Computer software development (62.01)
12 | Factor-TS, LLC | 7716032944 | Manufacture of computers and peripheral equipment (26.20)
13 | InfoTeKS, OJSC | 7710013769 | Computer software development (62.01)
14 | Ural Center for Security Systems, LLC | 6672235068 | Activities in the field of architecture, engineering research and technical consulting in these areas (71.1)
15 | ICL-KPO VS, JSC | 1660014361 | Computer software development (62.01)
16 | NVision Group, JSC | 7703282175 | Non-specialized wholesale trade (46.90)
17 | Confident-integration, LLC | 7811512250 | Data processing, hosting and related activities (63.11)
18 | Kaluga Astral, JSC | 4029017981 | Consulting and work in the field of computer technology (62.02)

As of the end of October 2017, the companies in the sample had concluded 1,034 contracts with government agencies totaling 24.6 billion rubles. Leading this list by contract volume is I-Teco, with 74 contracts worth 7.5 billion rubles.
In recent years, with the exception of the crisis year 2014, the total volume of contracts of the selected companies has grown constantly. The most significant growth falls on 2015-2016: in 2015 the volume of contracts increased more than 3.5 times, and in 2016 by 1.5 times. Based on the available data on the companies' contracts for January-October 2017, the total volume of contracts with government agencies in 2017 can be expected to be about 37-38 billion rubles, that is, a decrease of around 40%.

There are two main approaches to justifying the cost of information security.

The scientific approach. This requires involving the company's management (or its owner) in assessing the value of information resources and estimating the potential damage from information protection violations.

1. If the value of the information is low, there are no significant threats to the company's information assets, and the potential damage is minimal, ensuring information security requires less funding.

2. If the information has a definite value, and the threats and potential damage are significant and identified, then the question of budgeting the information security subsystem arises. In this case, a corporate information protection system must be built.

The practical approach consists in determining the realistic cost of a corporate information security system from similar systems in other areas. Practitioners in information security believe that an information security system should cost approximately 10-20% of the cost of the corporate information system, depending on the specific requirements of the information security regime.

Generally accepted "best practice" requirements for an information security regime (based on practical experience), formalized in a number of standards such as ISO 17799, are applied in practice when developing specific methods for assessing the effectiveness of an information security system.

Applying modern methods of assessing information security costs makes it possible to calculate the entire expenditure side of an organization's information assets, including direct and indirect costs of hardware and software, organizational measures, employee training and professional development, reorganization, business restructuring, and so on.

These methods are needed to prove the cost-effectiveness of existing corporate security systems; they allow information security managers to justify the information security budget and to demonstrate the effectiveness of the security staff. The cost estimation methods used by foreign companies make it possible to:

  • obtain adequate information about the security level of the distributed computing environment and the total cost of ownership of the corporate information security system;
  • compare the information security divisions of an organization both with each other and with similar divisions of other organizations in the industry;
  • optimize the organization's information security investments.


One of the best-known cost estimation techniques for an information security system is the Gartner Group's total cost of ownership (TCO). The TCO indicator is the sum of the direct and indirect costs of organizing (or reorganizing), operating and maintaining the corporate information security system over a year. It is used at practically all major stages of the life cycle of a corporate information security system and makes it possible to substantiate objectively and independently the economic feasibility of introducing and using specific organizational and technical measures and information security tools. For an objective decision, the state of the enterprise's external and internal environment must also be taken into account, for example indicators of its technological, personnel and financial development.

Comparing an organization's TCO with similar TCO figures in the industry (with comparable companies) makes it possible to substantiate the organization's information security costs objectively and independently. Indeed, it often turns out to be quite difficult or even almost impossible to assess the direct economic effect of these costs.

The total cost of ownership of an information security system generally consists of the cost of:

  • design work;
  • purchasing and configuring software and hardware protection tools, including the following main groups: firewalls, cryptographic tools, antivirus software and AAA (authentication, authorization and administration tools);
  • physical security;
  • staff training;
  • system management and support (security administration);
  • information security audits;
  • periodic modernization of the information security system.

Direct costs include both capital components (associated with fixed assets or "property") and labor, which is accounted for in the operations and administration categories. They also include the cost of services for remote users and other costs associated with supporting the organization's activities.

Indirect costs, in turn, reflect the impact of the corporate information system and the information security subsystem on the organization's employees through measurable indicators such as downtime and "freezes" of the corporate information security system and of the information system as a whole, and the cost of operations and support not covered by direct costs. Indirect costs very often play a significant role, since they are usually not reflected in the initial information security budget but are only identified later in a cost analysis.

The organization's TCO indicators are calculated in the following areas.

Components of the corporate information system (including the information security system) and information assets of the organization (servers, client computers, peripherals, network devices).

Expenses for hardware and software information protection: consumables and depreciation costs for servers, client computers (desktop and mobile), peripherals and network components.

Information security organization costs: maintenance of the information security system and of the standard protection means for peripheral devices, servers and network devices; planning and management of information security processes; development of security concepts and policies; and others.

Information system management costs: direct personnel costs and the cost of work and outsourcing performed by the organization as a whole, or by its support service, to provide technical support and operations that maintain the infrastructure for users.

Administrative expenses: direct personnel costs, maintenance of activities, and the costs of internal and external suppliers (vendors) supporting operations, including management, financing, acquisition and training for information systems.

End-user operating costs: end-user self-support, formal end-user training, occasional (informal) training, self-directed application development, and local file system support.

Downtime costs: the annual loss of end-user productivity from planned and unplanned outages of network resources, including client computers, shared servers, printers, application programs, communication resources and communication software.
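To make the direct/indirect split above concrete, here is an added example (not from the article or from Gartner) that annualizes each cost area, amortizing one-time capital purchases over their useful life, adds the downtime loss as an indirect cost, and expresses the result as a share of the IT budget. Every amount, the number of users, the outage hours and the hourly productivity figure are constructed sample values.

```python
"""Annual TCO of an information security system, following the article's
split into direct (capital + operating) and indirect (downtime) costs.
All figures below are constructed sample values, not data from the article."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class CostItem:
    category: str               # TCO cost area, e.g. "Design work"
    description: str
    amount: float               # cost in the organisation's currency
    one_time: bool = False      # capital (one-time) purchase vs. annual (systematic) cost
    useful_life_years: int = 1  # amortisation period for one-time items


def annualised(item: CostItem) -> float:
    """Spread a one-time (capital) cost over its useful life; annual costs pass through."""
    if item.one_time:
        return item.amount / item.useful_life_years
    return item.amount


def downtime_cost(users: int, outage_hours: float, hourly_productivity: float) -> float:
    """Indirect cost: productivity lost by end users during planned and unplanned outages."""
    return users * outage_hours * hourly_productivity


def annual_tco(items, indirect_costs: float) -> dict:
    """Sum direct costs by category and add indirect costs to get the yearly TCO."""
    by_category = defaultdict(float)
    for item in items:
        by_category[item.category] += annualised(item)
    direct = sum(by_category.values())
    return {
        "direct": direct,
        "indirect": indirect_costs,
        "total": direct + indirect_costs,
        "by_category": dict(by_category),
    }


def share_of_it_budget(tco_total: float, it_budget: float) -> float:
    """Security spend as a percentage of the IT budget (the article cites ~10% as typical)."""
    return round(100.0 * tco_total / it_budget, 2)


# Constructed sample: one or two lines per TCO cost area named in the article.
SAMPLE_ITEMS = [
    CostItem("Design work", "Security architecture project", 120_000, one_time=True, useful_life_years=3),
    CostItem("Hardware and software protection", "Firewall appliances", 90_000, one_time=True, useful_life_years=3),
    CostItem("Hardware and software protection", "Antivirus subscription", 15_000),
    CostItem("Physical security", "Access control and guards", 12_000),
    CostItem("Staff training", "Awareness and admin courses", 8_000),
    CostItem("Management and support", "Security administrator salary", 60_000),
    CostItem("Information security audit", "Annual external audit", 10_000),
]

if __name__ == "__main__":
    # 200 users, 6 outage hours in the year, 25 per user-hour of lost productivity (constructed)
    indirect = downtime_cost(users=200, outage_hours=6, hourly_productivity=25.0)
    tco = annual_tco(SAMPLE_ITEMS, indirect)
    for category, cost in tco["by_category"].items():
        print(f"{category:35s} {cost:>12,.2f}")
    print(f"direct {tco['direct']:,.2f}  indirect {tco['indirect']:,.2f}  total {tco['total']:,.2f}")
    print(f"share of a 2,000,000 IT budget: {share_of_it_budget(tco['total'], 2_000_000)}%")
```

The point of the amortization is that a capital purchase inflates a single year's budget but is a fraction of that in the TCO; the point of the downtime term is that it appears nowhere in a purchase ledger yet can rival a whole cost area.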

2018-08-21T12:03:34+00:00

Large commercial companies spend about 1% of their annual revenue on the physical security of their businesses. Enterprise security is as much a resource as technology and the means of production. But when it comes to the digital protection of data and services, calculating the financial risks and the necessary costs becomes difficult. Here we look at how much of the IT budget it is reasonable to allocate to cybersecurity, and whether there is a minimum set of tools a company can get by with.

Security costs are on the rise

According to a Gartner report, commercial organizations around the world spent about $87 billion on cybersecurity in 2017, including software, specialized services and hardware. This is 7% more than in 2016. This year the figure is expected to reach $93 billion, and next year it will cross the $100 billion mark.

According to experts, the information security services market in Russia is about 55-60 billion rubles (about 900 thousand dollars). Two thirds of it is accounted for by government orders. In the corporate sector, the share of such costs depends strongly on the type of enterprise, its geography and its field of activity.

Domestic banks and financial institutions invest on average 300 million rubles a year in their cybersecurity, industrial companies up to 50 million, and retail chains from 10 to 50 million.

For several years now, the growth rate of the Russian cybersecurity market has been 1.5-2 times higher than the global one. In 2017 the growth was 15% (in terms of customers' spending) relative to 2016. By the end of 2018 it may turn out to be even more impressive.

The high growth rates are explained by the general revival of the market and by the sharply increased attention organizations pay to the real security of their IT infrastructure and data. The cost of building an information protection system is now viewed as an investment: it is planned in advance rather than funded from what is left over.

Positive Technologies singles out three drivers of growth:

  1. High-profile incidents of the last 1.5-2 years have led to a situation where only the lazy do not understand the role of information security in the financial stability of an enterprise. One in five top executives takes an interest in practical security in the context of their business. The past year has been instructive for businesses that ignore the basics. The absence of timely updates and the habit of working with known vulnerabilities led to the shutdown of Renault plants in France and of Honda and Nissan plants in Japan; banks, energy and telecommunications companies were affected. The attack on Maersk, for example, cost the company $300 million in one go.
  2. The ransomware epidemics WannaCry, NotPetya and Bad Rabbit have taught domestic companies that installing antivirus and firewalls is not enough to feel safe. A comprehensive strategy, an inventory of IT assets, dedicated resources and a threat response strategy are needed.
  3. In a sense, the tone is set by the state, which has announced a course towards a digital economy encompassing all spheres (from healthcare and education to transport and finance). This policy directly drives the growth of the IT sector in general and of information security in particular.

The cost of security vulnerabilities

All of this is instructive, but every business is a unique story. The question of how much of a company's overall IT budget to spend on information security is not quite the right question, but from the customer's point of view it is the most pressing one.

The international research company IDC, using the Canadian market as an example, considers 9.8-13.7% of the total IT budget to be the optimal level of cybersecurity investment for an organization. That is, Canadian businesses now spend on average about 10% on these needs (considered the mark of a healthy company) but, judging by the surveys, would like to be closer to 14%.

Companies do not have to guess how much they need to spend on information security in order to feel secure. Today, assessing the risk from cybersecurity incidents is no more difficult than calculating losses from physical threats. There are worldwide statistics according to which:

  • Hacker attacks cost the global economy more than $110 billion annually.
  • For small businesses, each incident costs an average of $188,000.
  • 51% of hacks in 2016 were targeted, that is, organized by criminal groups against a specific company.
  • 75% of attacks are financially motivated, carried out with the aim of causing material damage.

In the spring of 2018, Kaspersky Lab carried out its large-scale study. According to a survey of 6 thousand company specialists around the world, the damage from corporate network breaches and data leaks has grown by 20-30% over the past couple of years.

The average cost of damage as of February 2018 for commercial organizations, regardless of size or field of activity, was $1.23 million. For SMEs, a staff error or a successful attack cost $120 thousand.

Feasibility study for information security

To correctly assess the financial resources needed to organize information security at an enterprise, a feasibility study has to be drawn up.

  1. Inventory the IT infrastructure and assess the risks, compiling a list of vulnerabilities in descending order of importance. Reputational losses (higher insurance rates, a lower credit rating, the cost of service downtime) and the cost of restoring the system (replacing equipment and software) are also included here.
  2. List the tasks the information security system should solve.
  3. Select the equipment and tools for solving those tasks, and determine their cost.
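The three steps above, carried through in code as an added example (not from the article): assets and their vulnerabilities are inventoried, ranked by expected annual loss (loss per incident multiplied by expected incidents per year, which is this example's assumption; the article only asks for a ranked list), and then controls are selected by net benefit within a fixed budget, with the residual loss reported so the spend can be justified. All assets, loss figures, frequencies, control names and prices are constructed sample values.

```python
"""Risk-ranked feasibility study for a security budget: inventory assets and
their vulnerabilities, order them by expected annual loss, then choose the
controls that buy the largest loss reduction within the budget.
Expected annual loss = loss per incident x expected incidents per year (an
assumption of this example; the article only asks for a ranked list).
All assets, losses, frequencies and prices are constructed sample values."""
from dataclasses import dataclass


@dataclass
class Risk:
    asset: str
    vulnerability: str
    loss_per_incident: float   # restoration + downtime + reputational loss, per incident
    incidents_per_year: float  # expected frequency

    def expected_annual_loss(self) -> float:
        return self.loss_per_incident * self.incidents_per_year


@dataclass
class Control:
    name: str
    annual_cost: float
    mitigates: str    # vulnerability this control addresses
    reduction: float  # fraction of that risk's expected loss it removes (0..1)


def rank_risks(risks):
    """Step 1: the vulnerability list in descending order of importance."""
    return sorted(risks, key=lambda r: r.expected_annual_loss(), reverse=True)


def select_controls(risks, controls, budget: float) -> dict:
    """Steps 2-3: take controls in order of standalone net benefit (loss avoided minus
    cost) and keep each one whose marginal benefit is still positive and affordable.
    Reductions from several controls on the same risk compound multiplicatively."""
    residual = {r.vulnerability: r.expected_annual_loss() for r in risks}
    baseline = sum(residual.values())

    def net_benefit(c: Control) -> float:
        return residual.get(c.mitigates, 0.0) * c.reduction - c.annual_cost

    selected, spent = [], 0.0
    for control in sorted(controls, key=net_benefit, reverse=True):
        if net_benefit(control) <= 0 or spent + control.annual_cost > budget:
            continue  # not worth its cost given what is already selected, or unaffordable
        selected.append(control)
        spent += control.annual_cost
        residual[control.mitigates] *= (1.0 - control.reduction)
    return {
        "selected": [c.name for c in selected],
        "spent": spent,
        "baseline_loss": round(baseline, 2),
        "residual_loss": round(sum(residual.values()), 2),
    }


# Constructed inventory of a small company (not the article's data).
RISKS = [
    Risk("Payment service", "unpatched web server", loss_per_incident=120_000, incidents_per_year=0.5),
    Risk("Employee workstations", "phishing", loss_per_incident=20_000, incidents_per_year=2.0),
    Risk("File server", "no offline backups", loss_per_incident=80_000, incidents_per_year=0.25),
]

# Constructed candidate controls with hypothetical annual prices.
CONTROLS = [
    Control("Patch management", 9_000, "unpatched web server", reduction=0.8),
    Control("Email security gateway", 6_000, "phishing", reduction=0.6),
    Control("Offline backups", 5_000, "no offline backups", reduction=0.9),
    Control("SIEM subscription", 30_000, "phishing", reduction=0.3),
]

if __name__ == "__main__":
    for r in rank_risks(RISKS):
        print(f"{r.asset:22s} {r.vulnerability:22s} expected loss/yr {r.expected_annual_loss():>10,.0f}")
    plan = select_controls(RISKS, CONTROLS, budget=20_000)
    print(plan)
```

In the sample run the SIEM subscription is rejected even though it addresses a real risk: on its own it avoids less loss than it costs, which is exactly the kind of purchase a feasibility study exists to catch. The output keeps both the baseline and the residual loss so the reduction bought with the budget is visible to whoever approves it.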

If the company lacks the competence to assess cybersecurity threats and risks, an information security audit can always be ordered externally. Today this procedure is quick, inexpensive and painless.

For industrial companies with a high level of process automation, experts recommend the Adaptive Security Architecture model proposed by Gartner in 2014. It makes it possible to reallocate information security costs properly, paying more attention to tools for detecting and responding to threats, and it implies the deployment of a monitoring and analytics system for the IT infrastructure.

How much cybersecurity costs for small companies

The authors of the Capterra blog decided to count how much an information security system costs on average for small and medium-sized businesses in the first year of use. For this, a list of 50 popular "boxed" offers on the market was chosen.

It turned out that the price range is quite wide: from $50 per year (there are even 2-3 free solutions for small companies) to $6 thousand (there are individual packages at $24 thousand, but these were excluded from the calculation). On average, a small business can count on $1,400 to build a rudimentary cyber defense system.

The cheapest are point solutions such as a business VPN or email security, which help protect against specific types of threats (such as phishing).

At the other end of the spectrum are complete monitoring systems with “advanced” event response and comprehensive protection tools. They help to protect corporate network from large-scale attacks and sometimes even allow predicting their appearance, stopping them in the early stages.

The company can choose several models of payment for the information security system:

  • Price per license. The average price is $1,000-2,000; the range is $26 to $6,000 per license.
  • Price per user. The average cost of an information security system per user in a company is $37; the range is from $4 to $130 per person per month.
  • Price per connected device. The average cost for this model is $2.25 per device; the range is $0.96 to $4.5 per month.

To calculate the cost of information security correctly, even a small company will have to implement the basics of risk management. The very first incident (a site, service or payment system going down) that cannot be remedied within 24 hours can lead to the closure of the business.

As already noted, the security of an enterprise is ensured by a set of measures at all stages of the life cycle of the enterprise and its information system and, in the general case, is made up of the cost of:

  • design work;
  • procurement and configuration of software and hardware protection tools;
  • ensuring physical security;
  • staff training;
  • management and support of the system;
  • information security audits;
  • periodic modernization of the information security system, etc.

The cost indicator of the economic efficiency of an integrated information security system will be the sum of direct and indirect costs for the organization, operation and maintenance of the information security system during the year.

It can be considered a key quantitative indicator of the effectiveness of information protection in a company, since it makes it possible not only to estimate the total cost of protection but also to manage these costs to achieve the required level of enterprise security. Direct costs include both capital components and labor costs, which are accounted for in the categories of operations and administration. They also include the cost of services for remote users and similar items associated with supporting the organization's activities.

In turn, indirect costs reflect the impact of an integrated security system and information security subsystem on employees through such measurable indicators as downtime and "freezes" of the corporate information security system and the integrated security system as a whole, the cost of operations and support.

Very often, indirect costs play a significant role, since they are usually not initially reflected in the budget for an integrated security system, but are clearly identified in the cost analysis later, which ultimately leads to an increase in the company's "hidden" costs. Consider how you can determine the direct and indirect costs of an integrated security system. Suppose that the company's management is working on the implementation of an integrated information security system at the enterprise. The objects and objectives of protection, threats to information security and measures to counter them have already been determined, the necessary means of protecting information have been acquired and installed.

Typically, information security costs fall into the following categories:

  • costs of forming and maintaining the management link of the information security system;
  • costs of control, that is, of determining and confirming the achieved level of security of the enterprise's resources;
  • internal costs of eliminating the consequences of an information security violation: costs incurred by the organization because the required level of security was not achieved;
  • external costs of eliminating the consequences of information security breaches: compensation for losses from violations of the security policy in cases involving information leakage, loss of company image, loss of trust of partners and consumers, etc.;
  • costs of maintaining the information security system and of measures to prevent violations of the company's security policy.

At the same time, one-time and systematic costs are usually distinguished.

One-time costs: the costs of establishing enterprise security, namely organizational costs and the costs of purchasing and installing security equipment.

Systematic costs: operating and maintenance costs. This classification is arbitrary, since collecting, classifying and analyzing information security costs is an internal activity of the enterprise, and the detailed list depends on the characteristics of a particular organization.

The main thing in determining the costs of a security system is mutual understanding and agreement on cost items within the enterprise.

In addition, cost categories should be constant and should not overlap. Security costs cannot be completely eliminated, but they can be brought to an acceptable level.

Some security costs are absolutely necessary, and some can be significantly reduced or eliminated. The latter are those that can disappear in the absence of security breaches or decrease if the number and damaging impact of breaches decreases.

By maintaining security and preventing violations, the following costs can be excluded or significantly reduced:

  • restoring the security system to meet security requirements;
  • restoring the resources of the enterprise's information environment;
  • alterations inside the security system;
  • legal disputes and compensation payments;
  • identifying the causes of security breaches.

Necessary costs are those that are necessary even if the level of security threats is low enough. These are the costs of maintaining the achieved level of security of the enterprise information environment.

Inevitable costs can include:

  • a) maintenance of technical means of protection;
  • b) confidential office work;
  • c) the functioning and audit of the security system;
  • d) the minimum level of inspections and control with the involvement of specialized organizations;
  • e) training of personnel in information security methods.

However, there are other costs that are difficult to determine. Among them:

  • a) the cost of additional research and development of a new market strategy;
  • b) losses from priority reduction in scientific research and the impossibility of patenting and selling licenses for scientific and technological achievements;
  • c) costs associated with the elimination of "bottlenecks" in the supply, production and marketing of products;
  • d) losses from the compromise of products manufactured by the enterprise and lower prices for them;
  • e) the emergence of difficulties in the acquisition of equipment or technologies, including an increase in prices for them, limitation of the volume of supplies.

The listed costs can be caused by the actions of personnel from various departments, for example, design, technological, economic planning, legal, economic, marketing department, tariff policy and pricing.

Since employees in all these departments are unlikely to be busy full-time with external losses, the establishment of the amount of costs should be carried out taking into account the actual time spent. One of the elements of external losses cannot be accurately calculated - these are losses associated with undermining the company's image, reducing consumer confidence in the company's products and services. It is for this reason that many corporations hide that their service is unsafe. Corporations fear such information being released even more than attacks in one form or another.

However, many businesses ignore these costs on the grounds that they cannot be estimated with any degree of accuracy: they are only speculative.

Costs of preventive measures. These costs are probably the most difficult to estimate, because prevention activities are carried out across departments and affect many services. They can appear at all stages of the life cycle of the resources of the enterprise's information environment:

  • planning and organization;
  • acquisition and commissioning;
  • delivery and support;
  • monitoring of the processes that make up information technology.

In addition to this, most of the costs in this category are related to the work of security personnel. Prevention costs mainly include salaries and overheads. However, the accuracy of their determination to a greater extent depends on the accuracy of establishing the time spent by each employee individually. Some of the precautionary costs are easy to identify directly. They, in particular, may include payment for various works of third parties, for example:

  • maintenance and configuration of software and hardware protection tools, operating systems and the network equipment in use;
  • engineering and technical work on the installation of alarms, equipment for storing confidential documents, protection of telephone communication lines, computer facilities, etc.;
  • delivery of confidential information;
  • consultations;
  • training courses.

Sources of information about the costs considered. When determining the costs of ensuring information security, remember that:

  • the cost of acquiring and commissioning software and hardware tools can be obtained from invoices, warehouse records, etc.;
  • payments to personnel can be taken from the payroll statements;
  • the volume of salary payments should be taken with regard to the actual time spent on information security work; if only part of an employee's time is spent on information security activities, each component of the cost of that time still has to be assessed;
  • the classification of security costs and their allocation by element should become part of the daily work within the enterprise.