Comment: Too Much Security May Affect Business Processes

How can you find the right balance between protection and productivity? David Cowan explores the question
David Cowan, Plan-Net

Policies, training and awareness, technological tools, physical security barriers – the IT security market today offers all sorts of solutions to help you protect your business from potential reputational or financial damage. However, a heavy investment in information security solutions may have a counter-productive impact on the business. It can affect the corporate culture, flow of information and operational processes, leading to inefficiencies and productivity loss. On the other hand, being too permissive can have the same result, with employees able to access, share, lose or damage sensitive data too easily.

How can you find the right balance between protection and productivity?

First, organizations have to decide just what is important to them and identify the information assets that need protecting, the possible risks and the scale of security controls to implement. Once you have analyzed each business area and decided which parts of your business are critical, it is then possible to evaluate the appropriate means to protect that information – which could include anything from technology controls to HR disciplinary procedures.

A blanket approach to security can be damaging or even counter-productive if only 10% of the organization has been identified as a high-risk area. Heavy security measures are only needed for critical areas or systems – for example, finance or HR normally need more controls than administrative and marketing personnel, who deal with less sensitive data.

Many organizations adopt complex passwords and encryption technology because they think they should, but they do not necessarily understand what they are trying to protect or the impact on the confidentiality, integrity and availability of information. Excessive restrictions can have similar effects to no restrictions at all: frustrated by the time and effort needed to perform the simplest operations, staff may find ways to circumvent controls to make their lives easier, with disastrous consequences. On the other hand, opening up completely and allowing employees to access and share confidential information is, of course, not advisable – employers need to protect themselves from their employees’ mistakes or malicious behavior as well.

It’s a battle between security and productivity. Most businesses are ultimately focused on making a profit; however, they are also concerned with working more efficiently, collaborating with the supply chain, partners and so on. Technology and processes adopted should help make life easier for staff and not obstruct the flow of information.

A frustrated employee might take work home because it’s easier to work from there, with fewer restrictions. They might be unable to finish work in the office due to the time spent logging in and out, waiting for approval or phoning up the service desk because they forgot a password. Staff won’t be willing to document and collaborate if it is too restrictive and cumbersome to do so. Experience tells us that complex passwords tend to be written down because they are too hard to remember, which defeats the purpose (like hiding your house key under the door mat). At the same time, employers could be sued or unable to claim on insurance if the correct controls weren’t in place in the event of a breach.

Think about why you lock your doors and windows when you leave your house unoccupied: it’s the same reason that a business implements information security controls. First, it is to protect what you own and, second, you want to ensure that, in the event of a break-in, all the requirements of your insurance coverage are met (i.e., insurance companies won’t pay out if you left your back door wide open).

Yet you wouldn’t lock all the internal doors and windows when you are in the house, would you? Most people feel that would be unnecessary and too restrictive while the house is occupied. Putting adequate controls in place based on the identified risk is the same process in your home as it is in business.

Yet some businesses require more security measures than others. Large corporations or certain types of businesses might want or need greater security across the whole of their organization; they are able to implement more controls because they can afford to pay for expensive technology and even to absorb large fines if this protection fails, without risking immediate bankruptcy. Banks require higher levels of security because they deal with very sensitive personal information and they rely on their clients’ trust to exist. They have to be very secure and comply with all legislation, regulations and best practices. Extensive controls in this case are justifiable because they will reduce the number of security incidents, fines and crimes.

It is small and medium-sized enterprises that are the most concerned with finding the right balance. They cannot afford to take the risk of not adopting the necessary best-practice controls. At the same time, they cannot afford to pay for a large amount of technology that is not essential, because it will cause even more disruption and possibly lead to a loss of revenue. If an SME is too restrictive, it won’t be productive. Sharing information with partners, peers and other SMEs is vital for its survival. In this environment, restricting the flow of information could hinder growth.

Information security is not a one-size-fits-all solution – it needs to be tailored to each business depending on its respective risks and business objectives. Organizations have become over-protective because of the pressure applied by clients to protect their information, stricter regulations, and larger fines.

Nonetheless, it is important to understand that sometimes productivity is much more important to a business. Security measures must be neither so restrictive that they affect business processes nor so relaxed that they cause harm. The key is to weigh up all the risks and vulnerabilities, potential consequences and controls, and then decide which information assets to protect and which can be accessed and shared openly without major consequences. Following a risk-based approach will lead to business growth and to spending the right amount of time and money on the right level of protection in the right areas.

David Cowan is the head of consulting services at IT service provider Plan-Net. A respected IT professional with over 11 years of experience in the industry, he has worked with some of Plan-Net’s biggest clients to deliver technically complex projects and manage change in major businesses and public sector organizations.

Possessing excellent all-around technical knowledge and a lateral, common-sense approach to providing IT solutions, Cowan works across all aspects of the IT spectrum with a detailed understanding of ITIL, ISO/IEC 20000, ISO27001 and PRINCE2.
