When addressing the issue of web security there are two ways to phrase the question concerning what to spend on IT security. The first question is: How much should I expect to spend on web security? The second question is: How much will it cost the company if I don’t spend enough on web security? Of course a business not only needs to spend money on system security, but it must be spent on effective security systems and reviews.

In today’s economic climate the issues of security have come to the forefront as web site hackers and computer system attacks grow globally. When looking at the issue of systems and software security, you must consider potential company losses due to online theft, the return on investment for having adequate security, and the need to stay ahead of the brilliant hackers able to manoeuvre their way through even the most sophisticated muli-leveled software systems.

In March 2009 a hacker’s group proved that hacking can reach into a customer data bases without a company even knowing. A UK newspaper, "The Telegraph", was compromised by a hacking group and the newspaper found out when the nameless hacking group posted screen shots and other information on the internet, gleaned from their hacking of a 700,000 customer base, as proof of their success.

Upon reading the story closer it seems The Telegraph was using a 2-year old third party code that simply was outdated in the world of sophisticated hackers. When hackers obtain access to customer credit card data, personal information, or government identification numbers, it won’t take long before a company finds itself losing business because the targeted market is unwilling to take a chance on accessing their website.

Cost of Doing Nothing

There is a cost to doing nothing when it comes to securing a website. The research shows that up to 10 percent of a company’s IT budget may be dedicated to hardware and software security. In most cases it is probably closer to 3 to 6 percent of the budget. Smaller businesses tend to spend smaller percentages of their IT budget on security because of lack of resources more than anything else.

But the fact is hackers can ruin a small business as well as a large business. Deciding what to spend on a web security system is dependent on a number of factors. One of the overriding factors is the type of business itself. For example, a bank or investment business will need state-of-the-art server, router, and operating system securities in place in addition to regular security assessment and penetration testing.

Even as you read this article, hackers are devising new ways to penetrate firewalls and break into websites in order to steal information. Your business should be working just as hard to protect the system as hackers are working to break in to it. Implementing a security system without regular assessment and upgrades is the same as doing nothing. That is what The Telegraph newspaper discovered with their two-year old system.

Mitigating Risk

Mitigating risk is certainly one of the main reasons for security assessment. The underlying infrastructure and codes, employee access capabilities, and customer use of systems must be reviewed regularly for new vulnerabilities. The most common vulnerabilities include SQL injection, URL manipulation, cross-site scripting cookie poisoning and the database server.

Other factors determining how much should be spent on IT security include the following.

• Government regulatory compliance

• Sophistication of system including use of wireless networks, remote access to computer system, dependence

• Need to assure customers system meets industry security standards and best practices

• Rate of past incidences of security breaches

• Size of the potential losses in the event a computer system is attacked

The one thing a company cannot afford to do is to do nothing. Computer data and system protection costs should be budgeted at a rate that gives a company the assurance it can provide customers safe access to its websites and no access to hackers.