From the corporate perspective, there is never a reason to skimp on network security. If you are connected to the Internet, your business is liable for the actions of your network devices. If your network is penetrated, the legal and economic repercussions could be severe.
If "no" is the answer I'm told when I ask if there's room in the budget for security equipment and software, then "no" is the answer I must give when we've been hacked and the IT manager asks, "Can't we just patch our systems and put them back online?" When your e-commerce server has been breached, you can be sure that log files will be erased, common applications Trojaned and back doors installed. Unfortunately, completely reformatting your systems and rebuilding them from scratch is the only way to even begin to secure the server. Your valuable IT staff will have to be pulled from other tasks and work through the night just to bring your systems back to the same vulnerable position they were in before the attack.
Forget everything you know about the term "hacker." Corporate vulnerabilities and tools for hacking them are published on the Web daily. It no longer takes an elite group of individuals to break into your network systems. A hacker might be that corporate espionage agent you read about in Tom Clancy novels, or a terrorist with a political statement to make, but it also could be a 13-year-old sitting at Dad's computer. In any case, the intruder has scanned you and knows you're an easy target, whether his purpose is to steal corporate data, hijack your systems to attack other networks or simply hide his stash of child porn.
Why did this happen? In a phrase, "zero stated security policy," meaning you have an open security policy, whether it's in writing or not. An open security policy leaves your network vulnerable to bad IT practices, poor network design and subsequently, inadequate security.
The opposing view
Burton Craig: "No one wants to jeopardize the company's security. The hard part is deciding when it's OK to cut corners: that's what's called risk assessment."
Emphasis placed on determining how an intruder got in is usually wasted effort. If security is not paramount, one security hole plugged will just force hackers to take advantage of another. Once in, their first priority will be to erase evidence of tampering. A more important question to address is how to prevent future attacks.
At the start of any project, you determine requirements and write a systems architecture plan. There is no reason to remove security planning from this process. Include security at the beginning, and the mindset about security changes from "extraneous cost" to an integral part of the overall budget.
By putting good security policies and practices in place now, you can ensure that security isn't just an afterthought. They will protect your customers' information, reduce your company's liability and improve the overall operations of your organization in the long run. Cut costs now by improving your odds against situations that could take down your e-commerce systems, hurt your company's reputation or put your company completely out of business.