Productivity vs. Information Security: Balancing Offense and Defense

Every organization struggles to balance the needs of data privacy and security against the demands of operational efficiency and growth. You have to make those decisions at a personal level every time you get an update message on your PC or mobile device: do you drop everything to install that critical security update or do you tell it to Remind Me Later because you’re on a deadline? You don’t want to interrupt work for security tasks any more than necessary, and you’d rather spend budget on competitive offense than on privacy and security defense. But you also can’t afford to take risks with your data. With the specialization in cyber crime, attackers can buy malware and exploit vulnerabilities in the blink of an eye, so every shortcut in security leaves you more vulnerable. In large organizations, small vulnerabilities can add up to huge risk.

In my experience, the best way to achieve a balance is to approach security the same way you approach other business operations: prioritize by really understanding the risks and benefits of different approaches, maximize efficiency by building security into operations wherever possible, and then recognize that security is a business process as important as any other.

Customers Come First: Data Breach Response Survey

Know Risks and Benefits

No matter what your business, all information security threats are not equal. As we noted in our recent blog series on the economics of cyber crime, cyber attackers want to get in fast and get out with the most information that will fetch them the highest price. In healthcare, that’s patient records. In retail, that’s credit card numbers. In banking, it’s customer account info. In government, it might be employees’ personal information. You also need to figure out which data is most exposed and where. Then you can allocate money and resources to protect the most likely targets first, and if you close the security gaps to protect those resources, there’s a good chance you’ve also made it harder to get to everything else.

Build In and Automate

The more you can automate security and build it into operations, the less chance for mistakes. Spend security budget on products and processes that prevent those issues before they start. Even the smartest staff member could be fooled by a well-constructed phishing email that looks like it comes from the CEO or from HR.

In a recent podcast, I spoke to James Christiansen, vice president of information risk management at cyber security firm Optiv. James recommends two practices that should be part of your normal information security workflow: First, lower your attack surface by keeping systems patched and keeping good endpoint security. Your IT team should already be installing security patches on backend servers regularly, and the processors in today’s laptop computers support remote administration, so your IT team can be updating staff’s computers remotely at night or in the background while staff is working, with minimal interruptions. That leaves the problem of personal devices. You can provide guest networks for basic internet access, limit and encrypt information that can be downloaded to devices, and have your core networks check security patch levels before allowing devices to connect.

James also recommends having more visibility, monitoring access to that high-risk, high-value data so that you can head off attacks in progress. Monitor and review system logs so that you know what is normal and can spot activities that aren’t. Attackers tend to go through supplier or business partner systems that may be less protected, so it’s vital to monitor business associates’ access to your systems.

Security is a Business Process

While you can streamline and automate a lot of data security and privacy activities, business leaders today need to recognize that protecting information is a business process as vital to productivity and financial results as the products or services that you sell. If a ransomware attack brings your operations to a standstill or a data breach causes lost revenue or big regulatory fines, it hurts the bottom line.

Take the lead in building a culture of security. Consider subscribing to a cyber intelligence service so you can warn your workforce about incoming threats, and make that daily phishing alert bulletin as routine and non-disruptive as morning coffee. You can choose the highest impact security programs for your staff. (For example, a Ponemon study found that malware awareness training can have a 50x payoff.)

You also need to measure and recognize good security behavior just as you do good productivity. If your top-ranked employee makes a security mistake that brings your organization to a halt or costs millions, all the productivity in the world won’t undo the damage.

Customers Come First: Data Breach Response Survey