Filed under: Uncategorized
Our research finds that many organizations don’t have the budget to address many of the problems they face, such as managing certificates in a careful and coordinated way, monitoring and archiving social media content, implementing data loss prevention systems that can check for intellectual property or sensitive information sent outside the company without encryption, or retaining content for the length of time required by statute or legal precedent. The argument is that budget is simply not available or the problem is not of sufficiently high priority to warrant doing anything about it.
While the cost of implementing technology or services can be substantial, so is the cost of doing nothing. For example:
- In a white paper we published this past October, we demonstrated that in an organization of 500 users, going through 10 e-discovery exercises over a three-year period with an email archiving system will result in savings of $395,000 compared to going through e-discovery without archiving. Our calculations determined that the Total Cost of Ownership of an archiving system will be $35,000 per e-discovery event (including the amortized cost of the archiving system or service), while the cost of e-discovery without archiving will be $74,500 per event. The result, assuming just 10 e-discovery exercises in three years, is that the TCO of archiving is $233 per user per year. However, the TCO of not archiving to satisfy e-discovery requirements will be $497 per user per year. The result is that the cost of doing nothing is the difference between these two, or $264 per user per year, or 13% more than implementing an archiving system.
- In another white paper published this past July, we demonstrated that the cost of major, serious and minor malware and hacker attacks will be about $278,000 for the typical organization over a four-year period (we explain the methodology in detail in the white paper). Moreover, the cost of a robust Web security gateway to prevent these attacks will be about $108,000. Consequently, the cost of preventing attacks, assuming a 500-seat organization, will be about $54 per user per year, while the cost of doing nothing (the cost of attacks minus the cost of the gateway) will be $85 per year, a difference of 57%.
- There have been many reports of sexual harassment via email and other forms of communication, one of the most notorious being Chevron’s $2.2 million settlement in 1995 ($3.27 million in 2012 dollars). Sexual harassment is potentially more serious when communicated electronically – one study found that jurors were 3.6 times more likely to find that sexual harassment occurred via email than in face-to-face communication. If we assume that an organization has only a 1% chance of such a claim occurring in any given year, using a quantitative business analysis approach demonstrates that the actual cost of such a judgment is $32,721 annually – the cost of doing nothing to prevent this from occurring. Given that the US Equal Employment Opportunity Commission received more than 11,700 sexual harassment claims in 2010 that resulted in $48.4 million in settlements (not counting settlements from private actions), this is a problem that must be addressed through email, social media and other types of monitoring, but often is not.
The bottom line is this: when considering the deployment of any new technology, it is critical to consider its TCO. Equally important, however, is the need to consider the TCO of doing nothing, which often carries with it a much higher cost.
Filed under: Uncategorized
We are about to publish an industry analysis report on corporate use of social media and have completed three large surveys as part of that effort: one on the business aspects of social, one focused on its IT implications, and another with end users. Here is some of what we’ve found:
- Social media use on corporate networks is up significantly. Our research found that 36% of corporate employees are using Facebook at work, up from 28% 12 months ago; Twitter use has gone from 11% to 17%; LinkedIn from 22% to 29%.
- Most organizations have a social media policy – sort of. Only 22% of organizations have a formal, detailed and thorough social media policy, while another 53% have only a general policy.
- Malware is rampant in social media. Among organizations using Facebook, 24% have had malware infiltrate their corporate networks; the figures for Twitter and LinkedIn are 7%. However, a significant proportion of the IT-focused individuals we surveyed are simply not sure if they have been the victims of malware via social media or not.
- Monitoring and screening are minimal. The vast majority of organizations ask their employees to comply with corporate policies, but they do not monitor, screen or otherwise manage content on public social networks.
- Decision makers are concerned about a variety of risks. More than 40% of organizations are concerned or extremely concerned about employees wasting time using social media, employees divulging sensitive or confidential information via social media, and employees using their corporate social media account to say something damaging to their company’s reputation.
- Many employees have been fired because of social media posts. Our research found that one in six organizations have fired an employee because of something they posted on social media.
- Enterprise social media is not widely deployed. Despite all of these problems, fewer than one in five organizations have yet deployed a true enterprise-grade social media platform.
What this research is telling us is that social media in the workplace today is where email was during the mid-1990s: rapidly growing use, but little oversight of or insight into that use. This leaves organizations vulnerable to a wide range of threats, including malware infiltration, data leaks, a failure to archive corporate records posted via social media channels, and other risks that are far more costly than the technologies that could be deployed to protect against them.
Filed under: Uncategorized
While on-premises security solutions can provide robust defenses against spam, malware and other security threats, cloud-based security – used either as a standalone solution or in conjunction with on-premises defenses – offers a number of inherent advantages:
- Most threats never hit the on-premises network - The use of a cloud service for spam processing, for example, eliminates the majority of content processing, storage and bandwidth associated with spam before it ever reaches the customer’s network, making the on-premises infrastructure more efficient. More critically, the bulk of malware can be eradicated before it ever reaches the corporate network, leaving on-premises solutions – if they are in place – to act as another layer of protection against these threats.
- More efficient use of IT resources - One of the key issues that should be considered by any organization – but one that often is not – is the opportunity cost of IT staff members. Most CIOs and IT managers would agree that finding and retaining highly qualified IT staff is not an easy task. As a result, in-house IT staff should be used so that they can provide maximum efficiency to their employer, while also giving them a satisfying work experience that will motivate them not to move elsewhere. A cloud security solution – whether used for messaging security, Web security or other capabilities – allows IT staff members to move on from managing security servers and appliances and to work on projects that provide more differential value to the organization and that can result in greater job satisfaction.
- Easier support for mobile and remote users - Given that a growing proportion of the working population is mobile – either because of corporate telework initiatives or employees who travel as part of their work – security for these employees can be difficult to manage using on-premises systems. Cloud security capabilities can provide a high level of protection for these employees, many of whom use Wi-Fi hotspots and other resources that are much less secure than their in-office counterparts.
- Extending the life of on-premises solutions - Related to the point above is that cloud services allow an organization to extend the useful life of an in-house security solution. For example, if a company has reached the maximum capacity of its email filtering appliances, it could implement a cloud-based spam filtering service that would dramatically reduce the amount of incoming traffic and thereby allow new investments in internal hardware to be postponed or avoided altogether.
- Improved disaster recovery and business continuity - Another important advantage of cloud solutions is that they can provide a very useful backup messaging solution in the event of an outage of the primary messaging system. For example, most cloud security providers will spool incoming email for at least several days (much longer in some cases) if it cannot be delivered to a customer’s server. This prevents an email server outage from causing bouncebacks to senders and ensures that incoming email is still being processed.
We have just published a white paper on this topic that you can download here.