Do it responsibly: security that doesn't interfere with business processes
How companies set traps in every corner, and how employees hop around them all the way to the exit
The argument over corporate security measures never dies down: some people ask for all-round fortification, others prefer to work without interruptions. It seems obvious that the more a company is protected, the better things are. But extremes are no good.
Sometimes managers are too diligent in trying to protect the company from risk. In doing so they create new threats, because the more complicated a business process gets, the more likely it is that employees will find a workaround: quick, simple and dangerous.
Such control distracts from the critical threats, which are left unattended. This is a problem for small and large businesses alike.
In 2013 a security researcher described how internal messages of telecommunications operators came to be disclosed. Employees had been emailing each other from private accounts, in violation of internal regulations. When one employee's mailbox was breached, anyone could gain access to the confidential documents attached. Why would employees who knew all the security requirements use non-corporate services? The security policies had been configured bluntly, mail was filtered heavily, and the company's email service was barely usable. The new threat was created by employees because of an inefficient security measure.
A typical case is a manager who tries to control everything: signing papers, approving, confirming. As a result, contracts and invoices issued to customers wait days to be signed. The manager goes on a business trip, or just on holiday, and the office freezes. When an urgent agreement comes up, executives often ask an employee to sign in their name. If employees can do it once, why not twice? That is how staff members begin signing on behalf of management in other situations as well.
When is it “enough”?
Ubiquitous control is not a remedy and cannot be part of balanced risk treatment; instead it often becomes a reason for misconduct. Companies flounder from one extreme to the other: from no security policies at all to the severest restrictions. Some impose no restrictions, while others get so agitated about looking after the company's documents that they turn a simple task into a ceremonial procedure.
There is always a conflict between business and data safety, and it demands a "referee". Usually this role goes to the proprietor. The proprietor, or a representative, risks their own money, which can either be spent covering the cost of corporate fraud or be needed to offset losses in the market caused by interference in business processes. The proprietor is the decision maker: it is up to the budget owner which risks are acceptable.
One company set out to build a role model for its business processes. This required time and effort: developers, software testers and analysts had to be hired. It soon became clear that the level of information security would rise only a little. "A little" is not enough; with such a result the business processes are better left untouched. That is what the company did, and the decision was made by the proprietor.
How often should security policies be revised?
Security policies should be reconsidered each time a plan to alter business processes appears. But sometimes the processes change so frequently that neither the security specialist nor the "proprietor-referee" can keep up with the changes. A flexible model does not mean constantly changing business processes; that rather indicates disorder. Changing them once a quarter is a sufficient interval to rebuild the business without detriment to security requirements.
There was a case when a company began auditing its roles. But while a specialist was auditing the conformity of the role model, the business processes were changing fast, and the audit had to begin again from scratch.
Imitating this hectic activity, a company overlooks costly threats. For example, it continues to use unlicensed software, even though a single claim by Microsoft is powerful enough to ravage the most sure-footed organisation. One company settled the issue without going to court, but it cost a lot: management had to purchase software priced at $700 000.
If your business is not banking, knowledge-intensive production, medicine, government or defense, where data safety is strictly regulated and an information leak directly impacts the company, its clients and society, you don't need thoroughly adjusted security mechanisms, as there is no "castle" to fortify.
Many companies have deeply worried managers, but all they need to do is make sure that business processes conform to security requirements and create a document that every team member can understand. And revise it twice a year.