In this second of a short series, the first being the business case for antispam, we’ll discuss the business case for antivirus software, on both the desktop and server.
Revisiting, briefly, the methodology of the first article, all such purchases need to stem from having a security strategy.
It’s easy to get carried away, and purchase ad-hoc, which can result in a poor mix of disparate solutions, with different start and end licensing dates and requiring you to learn yet another application.
Having a well-defined security strategy for your business or home PCs can help you to save money, as can having one provider for each type of security software.
Luckily, in this age of the Internet, price comparisons can help you find a good deal. But a word of caution: saving money, typically, shouldn’t be your first approach. Of course, money matters. However, you should understand WHAT you are trying to achieve BEFORE defining a price strategy.
Now, you may not have a choice in this; for instance, you may have a fixed budget, and that is understandable. It is recommended, however, that you look at the big picture first, then whittle down the likely candidates to fulfil your strategy from there.
Some of the questions you should try to answer:
- What do I want to achieve?
- What am I trying to protect?
- Protect from what?
- What are my legal obligations (if you are a business)?
- What are my contractual obligations (as a private individual or as a business)?
- Based upon my answers to the above, what is my maximum budget?
Let’s deal with those questions one-by-one.
1. What do I want to achieve?
Your answer to this might be complex or simple, depending on whether you are a business or personal user. A personal user, for instance, might simply “not want to get a malware infection and protect their identity”. A business user might have to look at more complex issues, such as not only protecting against infection, but meeting regulatory or legal obligations as well. However, you do need to understand this, because otherwise you are unable to make decisions on your precise needs.
2. What am I trying to protect?
One PC? A few PCs and a server or two? If you are a business owner, or supporting businesses, do you actually know what hardware you’ve got on your network? Many people don’t, particularly once a business has been running for a while and if there has been no central purchasing of assets. Other things to consider here: home PCs, laptops, other devices with PC-like functionality. What about Macs, Linux boxes… etc. Knowing the answer to this will help you to budget appropriately.
3. Protect from what?
This might seem obvious, but what are you trying to do? Just antivirus? Or anti-spyware too? HIPS, firewall, other? Have you thought through the possible risks of running different platforms, software, services? Sure, it can be a lot of work, but how can you know if you are getting it right if you haven’t thought through what you are trying to do?
4. What are my legal obligations?
If you are a business, you will almost certainly have legal obligations to protect and retain certain data. You will almost certainly NOT want customer data to be compromised. You will also, almost certainly, need to maintain your records (in whatever form you have them) for many years for tax purposes, fire regulations or HR (attendance data, for instance). In your jurisdiction, you may have other obligations you need to consider. Do you know them?
5. What are my contractual obligations?
Think PCI compliance. Or your contract with your internet service provider. Have you read them? Many people haven’t, and yet many also impose a need to not propagate malware on ISP networks. If you don’t know what your contracts require, you could be breaking them and not know it at all. Until something goes wrong, which is usually not the best time to find out.
6. Based on the above, what is my maximum budget?
This is a tough one to know until you really have analysed your needs. If the budget is tight, you’ll have to prioritize the risks. For instance, you can probably get away with not having PDA antivirus, whereas you really should never have a PC connected to your network without antivirus protection that is running and fully up-to-date.
Your analysis of the above provides your direct business case for antivirus software. Factor in IT support costs for recovery of your data, clean-up of your PCs and, potentially, fines you can get for revealing customer data (if you are a business), and in reality, you’ll see that antivirus software can be a big saving compared to what you might need to pay if you don’t have it.
Do you agree? Did we miss anything? We’d love to have your feedback.