It is important that there be collaboration between employees, suppliers, and partners, but one must weigh the risk of giving people who are not employees access to your systems, as data can easily be lost through theft, carelessness, or malware. How could you measure such risk and apply due diligence when deciding whether to grant that access?
Access versus Security - do you have to choose?
When the American banking giant Wachovia failed in the Great Recession, the bank was taken over by Wells Fargo. The two banks’ employees could not send encrypted email to each other, because Wachovia used Lotus Notes and Wells Fargo used Microsoft Outlook (Exchange). It is possible to send encrypted mail between these two email systems, but it is not easy for the end user to do so. Rather than address this problem, the bank chose to ignore it for several years, deeming it not worth the effort, since all the employees would eventually move to the domain WellsFargo.com.
Here is an instance of a company choosing productivity over security. It would have been more secure for the bank—a business that deals in highly-private financial matters—to send emails encrypted. But it would have been less productive to do so, given the definition of productivity we give below.
How could Wells Fargo have approached this issue? Like any other business decision, it should be considered on a risk-versus-reward (cost-versus-benefit) basis.
If you want a mechanical approach to determining this, you could grant access only when reward > risk. That is what the auditors would say. To do this, you would need to translate risk and reward into numbers.
The reward of granting access is increased productivity. Productivity is:
productivity = (output per employee) / (number of employees)
The definition of “output” varies. It could be the number of support calls handled, sales dollar amount, widgets built, shorter time-to-market, and so forth.
What about risk? If you follow the COBIT 5 framework for governance, you know that the company is supposed to keep a risk profile. That means each type of data is assigned a score based on how much it would impact the business if that data were lost. So you can quantify risk.
If you don’t want to resort to mathematics, just keep this thinking in mind as you make these decisions. Here are some inputs to that model.
Possible Risks including Network Security
The benefits of using collaboration are fairly obvious. People working on the same project should have access to the same data and be able to communicate easily. But what are some of the risks? This new blog post outlines some of the risks and how to mitigate them. You'll find the post here: http://bit.ly/1kkS3OZ
As always, we’re very interested to hear what you think – what are the key factors you take into account when allowing access to corporate systems?