Early on in my information security career I was auditing a firm that conducted complex economic analyses for their clients. They processed a lot of personal information and they wanted to be sure they were applying appropriate controls to safeguard that information. Part of their business model was to charge their clients per hour for statistical analyses of large datasets. This meant that analysts were motivated to conduct analyses day and night and through weekends; each analytic run taking as many as 4 to 12 billable hours.
During my audit I spoke with analysts who were logging into their company’s network overnight and on weekends from their home computers. They were running some analyses from their homes, and doing it in a way that meant they could eventually be bringing personal information onto their home machines.
When I found this out I thought this was a sure path to a PII (personally identifiable information) breach. I spoke with their CIO and recommended blocking all data transfers over the VPN (virtual private network). All data access would have to be done remotely on work computers that were in the office. No more client data traversing the VPN, even if it cost additional billable hours.
I checked back in with the analysts a week or so later to see if the new controls were working, or creating any undue burden for them. I sheepishly asked an analyst if the new prohibition against VPN data transfers was hurting their billable hours too badly. “Oh no,” he said. “No problem at all. See, we just use these USB drives to grab the data, then we bring it home with us to …” and that’s all I remember him saying. I was feeling pretty woozy by the time he said ‘USB drives’, realizing that my recommendation pushed this analyst to riskier behavior.
What had I done? I recommended a strong security policy and safeguard, but I had not thought through the implications of my recommendation. I then realized that when security conflicts with business, business trumps security. The analysts were faced with an obstacle to booking more billable hours, so they found a new way to get business done, perhaps at greater risk than the path I had blocked.
HALOCK has responded to a number of our clients’ security incidents that were caused by personnel just trying to get their jobs done. Reams of sensitive paper reports have gone missing or ended up in recycling bins, un-shredded (goin’ green!). USB sticks have been used and lost because a client could not figure out how to use the complicated, encrypted document transfer portal. Personnel have installed unsecured remote desktop software because work had to get done and laptops were not permitted. Users wrote down passwords that were later stolen because their policies required very complex and ever-changing passwords that were impossible to remember.
When faced with security obstacles, workers will persist and will find a way to get business done even if it creates more and greater security risks. Their perseverance gets me feeling pretty optimistic about the American worker, but … oh boy.
So how do we ensure that our policies don’t create a breach-prone environment? Try these three recommendations:
- Write your policies and procedures together with the personnel who will be required to follow them. Ask what the impact of the new policies would be on their work day. If you decide the safeguards conflict with the business model and staff incentives, then consider other ways to reach the same security goals.
- Conduct your risk assessment! Those who know me also know what a stickler I am on this point. Risk assessments are, among many other things, the way a business calculates the balance between costly safeguards and the organization’s mission. If you have any concerns about whether your proposed policies are strong enough (or too weak), your risk assessment will tell you.
- If you are using an internal audit process, make sure your internal auditor(s) keep an eye out not only for the design and effectiveness of policies and safeguards, but also for any other security risks that result from adhering to those policies.
There’s an old saying that the road to Hell is paved with good intentions. It is important for security professionals and managers to be cautious when we design policies and safeguards to be sure that we are not creating breach-prone environments. Following the advice above can help reduce the risk of that happening.