Adding layers of controls without a proper information security risk management strategy isn’t the best way to handle information risks. Take Ian, for example: recently promoted to the role of information security manager at R&M media, one of Ian’s first tasks was to conduct a company-wide risk assessment.
The problem is that Ian already had some very firm, preconceived ideas about what he believed constituted a risk.
Ian was convinced that his employer displayed a great deal more risky behaviour than was acceptable. In fact, Ian was so confident that certain practices in the company were so blatantly ‘wrong’ that he wasn’t planning to waste any more time on them with a risk assessment. He would have banished these practices from the get-go, such as letting everyone bring their own mobile devices to the office. As far as he was concerned, ‘BYOD’ was just a fad. Ian had recently heard that a quarter of all mobile devices produced will eventually be stolen or lost. Allowing employees to use their own devices at work was simply ludicrous.
Ian certainly knew of the most obvious risks posed by BYOD:
- There is no segregation between corporate data and private data on a mobile device. Anyone who steals a device potentially has access to confidential corporate information and even the corporate network.
- There is no certainty that the mobile device will have up-to-date patching and anti-malware installed on it, leaving the corporate network vulnerable to attacks from malware.
- Confidential information that might be encrypted on a work device might be unencrypted on a BYOD device.
It was quite clear that BYOD would have to go.
Ian is not alone in his thinking.
Many information security professionals mistakenly believe that avoiding risks in their entirety is the best approach to the problem. The truth is that risk avoidance is rarely the solution.
In order to grow and remain competitive, companies need to embrace the power that new technologies provide, but at the same time reduce the risks that are associated with introducing these new technologies. In Ian’s case, it would be detrimental to the business if he chose to avoid certain risks.
After doing a little research, Ian soon realised that proper risk treatment and management can only be effectively achieved through a comprehensive risk assessment that identifies the best ways to treat and manage those risks.
Ian also encountered these other examples where too much security can outweigh the benefits, such as:
- A financial services provider may refuse to grant access to client personal information to temporary employees because of security fears, but these employees may be front-line staff who require such information in order to provide an adequate level of service.
- An organisation might implement a twelve-character alphanumeric password and enforce changes every thirty days out of the mistaken belief that this makes it harder for attackers to compromise login details. What it actually does is guarantee that users will either forget their passwords, or write them down as a reminder. Clearly, this type of behaviour makes these passwords even more vulnerable to theft, while at the same time driving up the costs of the IT team having to support these ‘forgetful’ users.
- An organisation might apply security measures that make it technically impossible for users to install anything on the desktop, since files on a user’s desktop are not as well protected as those stored in document libraries. These measures will make it difficult for users to read eBooks or attend online webinars, where software automatically installs to the desktop, without having made arrangements weeks in advance with the IT support team.
- Organisations might block staff from using instant messaging or social media tools because of the risk that confidential information might be leaked and that backup and archiving policies can’t be effectively enforced. The knock-on effect of such measures is that the company will soon start to lose market share because of its inability to communicate effectively using essential marketing channels.
Maintaining data confidentiality, integrity and availability
A risk assessment is the process of identifying threats and vulnerabilities that can affect an organisation’s information assets, and the steps that can be taken to assure the confidentiality, integrity and availability (CIA) of that data. Analysing the CIA of each information asset is a critical part of the risk assessment.
When too much security is applied to an information asset, the confidentiality, availability or integrity of that data might be compromised.
When conducting a risk assessment, the company can identify how severe the risks are and identify a range of controls that can be applied to reduce those risks. In the case of BYOD, for instance, the controls could include educating employees on how to protect their devices, ensuring all devices are properly configured in line with security policies, implementing a BYOD policy, applying encryption solutions and software patching, to name a few.
Although it could pose significant security risks, a properly managed BYOD programme can reduce costs (by shifting expenses on to the user) and increase productivity (because of a more mobile workforce) without having an adverse effect on security.
Too much security isn’t a good thing
Fortunately, Ian discovered that too much security isn’t a good thing.
It is incumbent on the information security professional to consider and prioritise the business requirements. The risk assessment and risk management process shouldn’t restrict the business from achieving its objectives.
The risk assessment is fundamental to ensuring that necessary security precautions are adopted, while creating an enabling environment for the business to continue operating at maximum capacity.