When you’re considering your organisation’s cyber security measures, there are two things you must consider: do these controls work now, and will these controls work in the future?
The first issue is comparatively easy to assess, because any solution you adopt should be designed to address a specific issue and tested before it goes live.
But as for the second issue? We can’t see the future, and even if we anticipate problems that might arise, we can never be one hundred percent sure that they will come to pass or that our fixes will work.
So what are you supposed to do? The answer is to make sure that your security solutions are flexible enough to enable you to adjust them as and when needed.
That’s a whole lot easier to do if your processes are streamlined and you avoid rigid rules as much as possible.
Unfortunately, many organisations neglect the big picture, instead adding controls when new problems arise. The result is an increasingly unwieldy set of processes that will one day become completely unmanageable.
In this blog, we take a look at how these problems might arise.
The dangers of inflexible security solutions
Meet Ian. Recently promoted to the role of information security manager at R&M media, one of his first tasks was to conduct a company-wide risk assessment.
The problem is that Ian already had some very firm, preconceived ideas about what he believed constituted a risk.
Ian was convinced that his employer displayed a great deal more risky behaviour than was acceptable.
In fact, Ian was so confident that certain practices in the company were so blatantly ‘wrong’ that he wasn’t planning to waste any more time on them with a risk assessment.
He would have banished these practices from the get-go – such as the fact that everyone was allowed to bring their own mobile devices to the office. As far as he was concerned, BYOD (bring your own device) policies were just a fad.
Ian had recently heard that a quarter of all mobile devices produced will eventually be stolen or lost. Allowing employees to use their own devices at work was simply ludicrous.
Ian knew of the most obvious risks posed by BYOD:
- There is no segregation between corporate data and private data on a mobile device. Anyone who steals a device potentially has access to confidential corporate information and even the corporate network.
- There is no certainty that the mobile device will have up-to-date patching and anti-malware installed on it, leaving the corporate network vulnerable to attacks from malware.
- Confidential information that might be encrypted on a work device might be unencrypted on a BYOD device.
It was quite clear to Ian that BYOD would have to go. And he isn’t alone in thinking that.
Many information security professionals mistakenly believe that avoiding risks entirely is the best approach to the problem. The truth is that risk avoidance is rarely the solution.
To grow and remain competitive, organisations must balance a certain level of risk with security measures that can mitigate potential security incidents with as little disruption as possible.
In our example, Ian would be advised to conduct a comprehensive risk assessment that identifies whether a BYOD policy does more harm than an alternative approach.
When else does this apply?
This principle doesn’t only relate to BYOD policies. Here are some other scenarios where you would benefit from a pragmatic approach to cyber security:
- A financial services provider may refuse to grant access to client personal information to temporary employees because of security fears, but these employees may be front-line staff who require such information in order to provide an adequate level of service.
- An organisation might implement a twelve-character alphanumeric password and enforce changes every thirty days out of the mistaken belief that this makes it harder for attackers to compromise login details. What it actually does is guarantee that users will either forget their passwords, or write them down as a reminder. Clearly, this type of behaviour makes these passwords even more vulnerable to theft, while at the same time driving up the costs of the IT team having to support these ‘forgetful’ users.
- An organisation might apply security measures that make it technically impossible for users to install anything on the desktop, since files on a user’s desktop are not as well protected as those stored in document libraries. These measures will make it difficult for users to read eBooks or attend online webinars, where software automatically installs to the desktop, without having made arrangements weeks in advance with the IT support team.
- Organisations might block staff from using instant messaging or social media tools because of the risk that confidential information might be leaked and that backup and archiving policies can’t be effectively enforced. The knock-on effect of such measures is that the company will soon start to lose market share because of its inability to communicate effectively using essential marketing channels.
Maintaining data confidentiality, integrity and availability
A risk assessment is the process of identifying threats and vulnerabilities that can affect an organisation’s information assets, and the steps that can be taken to assure the confidentiality, integrity and availability (CIA) of that data.
Analysing the CIA of each information asset is a critical part of the risk assessment. When too much security is applied to an information asset, the confidentiality, availability or integrity of that data might be compromised.
When conducting a risk assessment, the company can identify how severe the risks are and identify a range of controls that can be applied to reduce those risks.
In the case of BYOD, for instance, the controls could include educating employees on how to protect their devices, ensuring all devices are properly configured in line with security policies, implementing a BYOD policy, applying encryption solutions and software patching, to name a few.
Although it could pose significant security risks, a properly managed BYOD programme can reduce costs (by shifting expenses on to the user) and increase productivity (because of a more mobile workforce) without having an adverse effect on security.
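As an added illustration of the assessment process just described (this is example code, not part of the original post or any product it mentions), the following Python models the three BYOD risks listed earlier as entries in a small risk register, scores each on a likelihood and impact scale, applies the controls named above, and reports which risks still sit above a stated risk appetite. The 1-5 scale, the control-effectiveness figures, the risk appetite and the rating thresholds are all constructed assumptions for the example; a real assessment would take them from the organisation's own methodology.

```python
"""Toy risk register for the BYOD scenario (added example, not the post's own
code). Scale, effectiveness figures and appetite are constructed assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Control:
    name: str
    # Fraction by which the control lowers likelihood / impact (constructed).
    likelihood_reduction: float = 0.0
    impact_reduction: float = 0.0


@dataclass
class Risk:
    asset: str
    threat: str
    cia: str              # C, I or A: the property mainly at stake
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (negligible) .. 5 (severe), assumed scale
    controls: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any control is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> float:
        """Risk after each control trims likelihood and/or impact.
        Neither factor may fall below 1, the bottom of the scale."""
        lik, imp = float(self.likelihood), float(self.impact)
        for c in self.controls:
            lik *= 1.0 - c.likelihood_reduction
            imp *= 1.0 - c.impact_reduction
        return round(max(lik, 1.0) * max(imp, 1.0), 2)


def rating(score: float) -> str:
    """Map a score on the 1..25 scale to a band (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


# Controls named in the post, with constructed effectiveness values.
TRAINING = Control("Security awareness training", likelihood_reduction=0.2)
CONFIG = Control("Device configured to policy (lock, remote wipe)",
                 likelihood_reduction=0.3, impact_reduction=0.4)
ENCRYPTION = Control("Full-device encryption", impact_reduction=0.6)
PATCHING = Control("Enforced patching and anti-malware", likelihood_reduction=0.5)


def assess_byod() -> list:
    """Build the register for the three BYOD risks the post lists."""
    return [
        Risk("Confidential corporate data", "Data exposed on lost or stolen device",
             "C", likelihood=4, impact=5, controls=[TRAINING, CONFIG, ENCRYPTION]),
        Risk("Corporate network", "Malware on unpatched device reaches corporate network",
             "I", likelihood=3, impact=4, controls=[PATCHING, TRAINING]),
        Risk("Confidential corporate data", "Data held unencrypted on personal device",
             "C", likelihood=5, impact=4, controls=[ENCRYPTION, CONFIG]),
    ]


def above_appetite(risks: list, appetite: float) -> list:
    """Threats whose residual score still exceeds the accepted level,
    i.e. the ones that need further treatment or a conscious decision."""
    return [r.threat for r in risks if r.residual_score() > appetite]


if __name__ == "__main__":
    register = assess_byod()
    for r in register:
        print(f"{r.threat} [{r.cia}]: inherent {r.inherent_score()} "
              f"({rating(r.inherent_score())}), residual {r.residual_score()} "
              f"({rating(r.residual_score())})")
    print("Still above appetite of 4.0:", above_appetite(register, 4.0))
```

The point the numbers make is the one the post is making: none of the three risks is avoided by banning BYOD, but with the listed controls two drop well inside a modest appetite, and the one that remains (malware from an unpatched device) is surfaced as a decision for management rather than hidden behind a blanket prohibition.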
What else do you need to know about risk assessments?
You can find more advice on how to assess your information security risks by reading our free whitepaper: 5 Critical Steps to Successful ISO 27001 Risk Assessments.
It explains the risk assessment process from beginning to end, including:
- How to determine the optimum risk scale so you can determine the impact and likelihood of risks;
- How to systematically identify, evaluate and analyse risks without losing your mind; and
- The baseline security criteria you must establish for a successful ISO 27001 implementation.
A version of this blog was originally published on 22 January 2016.