Too much security may affect business processes

A balance is needed between the protection of information and productivity within a business environment.

Policies, training and awareness, technological tools, physical security barriers – the IT security market today offers all sorts of solutions to help you protect your business from potential reputational or financial damage. However, a heavy investment in information security solutions may have a counter-productive impact on the business. It can affect the corporate culture, flow of information and operational processes, leading to inefficiencies and productivity loss. On the other hand, being too permissive can have the same result, with employees able to access, share, lose or damage sensitive data too easily. How can you find the right balance between protection and productivity?

First of all, companies have to decide just what is important to them and identify the Information Assets that need protecting, the possible risks and the scale of security controls to implement. Once you have analysed each business area and decided which parts of your business are critical, it is then possible to evaluate the appropriate means to protect that information – which could include anything from technology controls to HR disciplinary procedures. A blanket approach to security can be damaging or even counter-productive if only 10% of the organisation has been identified as a high-risk area. Heavy security measures are only needed for critical areas or systems – Finance or HR normally need more controls than Admin and Marketing, which deal with less sensitive data.

Many organisations adopt complex passwords and encryption technology because they think they should, but they do not necessarily understand what they are trying to protect or the impact on the Confidentiality, Integrity and Availability of Information. Excessive restrictions can have similar effects to no restrictions at all: frustrated by the time and effort needed to perform the simplest operations, staff may find ways to circumvent controls to make their lives easier, with disastrous consequences. On the other hand, opening up completely and allowing employees to access and share confidential information is of course not advisable – employers need to protect themselves from their employees’ mistakes or malicious behaviour as well.

It’s a battle between security and productivity. Most businesses are ultimately focused on making a profit; however, they are also concerned with working more efficiently, collaborating with the supply chain, partners and so on. The technology and processes adopted should make life easier for staff and not obstruct the flow of information. A frustrated employee might take work home because it’s easier to work from there, with fewer restrictions. They might be unable to finish work in the office because of the time spent logging in and out, waiting for approval or phoning the Service Desk because they forgot a password. Staff won’t be willing to document and collaborate if it is too restrictive and cumbersome to do so. Experience tells us that complex passwords tend to be written down because they are too hard to remember, which defeats the purpose, like hiding your house key under the door mat. At the same time, employers could be sued or unable to claim on insurance if the correct controls weren’t in place.

Think about why you lock your doors and windows when you leave your house unoccupied: it’s the same reason that a business implements Information Security controls. Firstly, it is to protect what you own and, secondly, you want to ensure that, in the event of a break-in, all the requirements of your insurance cover are met, i.e. insurance companies won’t pay out if you left your back door wide open. Yet you wouldn’t lock all the internal doors and windows when you are in the house, would you? That is because most people feel that would be unnecessary and too restrictive while the house is occupied. Putting adequate controls in place based on the identified risk is the same process at home as it is in business.

However, some types of businesses require more security measures than others. Large corporations or certain types of businesses might want or need greater security across the whole of their organisation; they are able to implement more controls, as they can afford to pay for expensive technology and even absorb large fines if this protection fails, without risking immediate bankruptcy. Banks require higher levels of security because they deal with very sensitive personal information and they rely on their clients’ trust to exist. They have to be very secure and comply with all legislation, regulations and best practices. Extensive controls in this case are justifiable because they will reduce the number of security incidents, fines and crimes.

It is small and medium-sized businesses that are the most concerned with finding the right balance. They cannot afford to take the risk of not adopting the necessary best-practice controls. At the same time, they cannot afford to pay for a large amount of technology that is not essential to them or that will cause even more disruption and possibly lead to a loss of revenue. If an SME is too restrictive, it won’t be able to be productive. Sharing information with partners, peers and other SMEs is vital for their survival. In this environment, restricting the flow of information could hinder their growth.

Information Security is not a one-size-fits-all solution – it needs to be tailored to each business depending on its respective risks and business objectives. Organisations have become over-protective because of the pressure applied by clients to protect their information, stricter regulations and larger fines. Nonetheless, it is important to understand that sometimes productivity is much more important to a business. Security measures mustn’t be so restrictive that they affect business processes, nor so relaxed that they cause harm. The key is to weigh up all the risks and vulnerabilities, potential consequences and controls, and then decide which information assets to protect and which can be accessed and shared openly without major consequences. Following a risk-based approach will lead to business growth and to spending the right amount of time and money on the right level of protection in the right areas.

David Cowan, Head of Consulting Services

This article was published on Infosecurity Magazine.
