‘Excessive Security’ Could Slow The Business, But Is There Such A Thing?
Execs Look At Restrictive Controls In The Enterprise
Those charged with cyber security in the enterprise often face an uphill battle: striking a fine balance between security controls and productivity. But at what point do controls become too restrictive, and ultimately affect workflow?
On the flipside, lax security protocols could endanger the enterprise, making it susceptible to attack – and Chief Information Security Officers (CISOs) and the like don’t always know whether a proverbial “window” is open to the organization.
Security demands diligence, as well as a firm understanding of business processes. And thus you have that aforementioned “balance” – one that is difficult to attain and demands constant attention and tuning.
Our focus here is to understand that balance, and at what point a CISO’s verdict encroaches on the business.
No More External Storage
A fine example of a rather knee-jerk reaction to the threat landscape and rising hacker sophistication is IBM’s decision in May to internally ban USB drives for employee data storage and movement.
According to a report from The Register in May, IBM released an advisory to its employees in which the company’s Global Chief Information Security Officer, Shamla Naidoo, stated that the multinational technology company was “expanding the practice of prohibiting data transfer to all removable portable storage devices (e.g., USB, SD card, flash drive).”
The release stated that IBM had already followed this policy for a time, but that it was now expanding it worldwide, citing “the possible financial and reputational damage from misplaced, lost or misused removable portable storage devices.”
IBM is not blind to the perceived inconvenience of the move, as the statement suggested that the decision may be “disruptive for some.”
Whether it was a carefully thought out and deliberate executive decision or an impulsive reaction to the widening attack surface, it is a rather direct way of eliminating risk.
But do abrupt policies like USB bans cross that proverbial line in the sand?
Commenting on this, Online Business Systems’ Director of Security Operations, Alain Espinosa, told the Cyber Security Hub: “Security controls can significantly affect workflow. The surprising thing that I have found is companies implement technology or restrictions (like not using USB drives) and then decide how they are going to re-architect the workflow. That is working backwards. I would begin by understanding what problem it is that needs to be solved.” (And that problem is the way in which data is used, not the actual USB stick.)
‘Striking A Balance’
Similarly, in a column for Information Security Buzz, Sam Elliott, Director of Security Product Management at Bomgar, said: “It falls to IT to ensure that the organization is striking the right balance between productivity and security. Part of this is working directly with end-users to make the most of technology implementations, from accessibility factors to individual or group training needs. But it’s also important that productivity considerations be included in security decisions from the outset.”
He continued: “No single technology or procedure can completely protect the entire organization. However, with the right combination of solutions, companies can achieve this duality of productivity and security.”
Espinosa added: “It starts with understanding what it is you’re ultimately trying to prevent and then not just seeking technology to mitigate it, but perhaps more importantly developing processes to address the issue (which sometimes includes technology).”
He referenced a 2012 move by Apple to do away with its optical drive for CDs/DVDs. While it took some time to adjust, today hardly any laptops carry the drive. “People adjusted,” Espinosa said.
Other areas that toe that aforementioned sensitivity line include identity and access management (IAM) and the corresponding controls.
Due to the threat posed by privileged accounts – essentially the “keys to the kingdom” – CISOs have to take immediate action to limit access (using “least privilege” principles). Early-stage privileged access management (PAM) solutions may have seemed exceedingly restrictive. However, their utility is now fully realized in the enterprise.
On this vector in particular, Elliott wrote: “Eliminating or significantly restricting privileged access is not the answer. Employees and external partners alike need efficient access to conduct daily operations and keep the business running. Rather, companies should implement solutions that eliminate the threat vectors associated with privileged access but still enable these users to do their jobs.”
The InfoSec Buzz contributor highlighted credential injection (inserting privileged credentials from a password manager or vault into an end system) as one way to focus on both security and productivity.
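The pattern Elliott describes can be made concrete with a small model of a credential-injection broker. The code below is an added illustration, not Bomgar’s product or anything from the original column: the vault contents, the access policy, the `Target` system and the `Broker` class are all constructed for the example. The point it shows is that the requesting user is checked against a least-privilege policy, the privileged secret is pulled from the vault and presented to the end system by the broker, and the user receives only an opaque session handle plus an audit trail entry, never the password itself.

```python
"""Toy model of PAM-style credential injection (constructed example).

The end user asks the broker for a session on a privileged account.  The
broker enforces the access policy, fetches the secret from the vault,
authenticates to the target on the user's behalf, and hands back only an
opaque session handle.  Every decision is written to an audit log.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets

# Constructed demo vault: account id -> privileged secret (not a real secret).
VAULT = {"prod-db/admin": "Vault-Only-Value-42"}

# Least-privilege policy: which users may open sessions on which vaulted accounts.
POLICY = {"alice": {"prod-db/admin"}, "bob": set()}


class Target:
    """Stands in for the end system. It accepts only the vaulted credential."""

    def __init__(self, account: str, secret: str) -> None:
        self._account = account
        # Store a digest so the plaintext is not kept around in this object.
        self._digest = hashlib.sha256(secret.encode()).hexdigest()

    def login(self, account: str, secret: str) -> bool:
        presented = hashlib.sha256(secret.encode()).hexdigest()
        return account == self._account and hmac.compare_digest(presented, self._digest)


@dataclass
class Broker:
    """Mediates privileged access; callers never see the vaulted secret."""

    vault: dict
    policy: dict
    target: Target
    audit: list = field(default_factory=list)
    sessions: dict = field(default_factory=dict)

    def open_session(self, user: str, account: str) -> str:
        # 1. Policy check: deny anything not explicitly granted to this user.
        if account not in self.policy.get(user, set()):
            self.audit.append(("DENY", user, account))
            raise PermissionError(f"{user} is not entitled to {account}")
        # 2. Fetch the secret from the vault. It stays inside the broker.
        secret = self.vault[account]
        # 3. Inject it into the end system on the user's behalf.
        target_account = account.rsplit("/", 1)[-1]
        if not self.target.login(target_account, secret):
            self.audit.append(("FAIL", user, account))
            raise RuntimeError("target rejected the vaulted credential")
        # 4. Return an opaque handle; the user works through the session, not the password.
        handle = secrets.token_hex(8)
        self.sessions[handle] = (user, account)
        self.audit.append(("ALLOW", user, account, handle))
        return handle

    def session_owner(self, handle: str):
        """Lets the audit side tie a session handle back to a human user."""
        return self.sessions.get(handle)


def build_demo_broker() -> Broker:
    """Wire the constructed vault, policy and target together for a demo run."""
    return Broker(vault=VAULT, policy=POLICY, target=Target("admin", VAULT["prod-db/admin"]))


def demo() -> dict:
    """Run one allowed and one denied request; return what each side observed."""
    broker = build_demo_broker()
    handle = broker.open_session("alice", "prod-db/admin")
    denied = False
    try:
        broker.open_session("bob", "prod-db/admin")
    except PermissionError:
        denied = True
    return {
        "handle": handle,
        "bob_denied": denied,
        "audit": list(broker.audit),
        "owner": broker.session_owner(handle),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful property to notice is that `open_session` returns a handle that carries nothing derived from the secret, so compromising a user's workstation exposes a revocable session rather than the privileged password, while the audit list still attributes every privileged action to a named person.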
Security controls, of course, go beyond PAM and portable USB storage – venturing into spaces such as incident response and anti-malware. CISOs need to be cognizant of the ways in which threat actors are targeting these areas, while still remaining faithful to the business.
What’s more, while continuous security training and awareness campaigns may seem like time-consuming answers to an expansive, multi-front battle, it’s clear that any and all knowledge helps inform leadership, lines of business (LOB) and all other facets of the organization.