BreachExchange mailing list archives

Security and the user - taking on the great balancing act


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 26 Nov 2014 19:04:00 -0700

http://www.information-age.com/technology/security/123458682/security-and-user-taking-great-balancing-act

The rapid evolution of computing devices has enabled 24/7 access to
information and services almost everywhere. However, the abundance of
technology has introduced a wealth of data security concerns that need to
be addressed. The problem is that security measures impact the usefulness
of data; too much will make systems unusable, while too little will make it
too risky to use. A fine balance between the two is needed, but what does
this look like?

Chasing the ideal

A good example of this balance can be seen in contactless bank cards, which
enable us to pay up to £20 by simply tapping them against a reader without
the need for a PIN or signature. The security measures in place are
twofold. First, the maximum payment limit prevents criminals from spending
huge amounts if you lose your card. And second, banks have made it easier
to cancel a bank card and reimburse any money if it is stolen. The security
aspects of contactless bank cards haven’t stood in the way of making them
usable, and their popularity is growing day by day.

Balancing act for businesses

So what can businesses learn from innovations like these? To properly
decide what safeguards are needed, we need to understand that business data
is incredibly valuable – a lost file could result in competitors stealing
intellectual property, or the records of millions of customers being made
public. For others, it can be a matter of national security.

The most security conscious organisations have authentication processes
involving rigorous physical and electronic checkpoints which can take
several minutes to get through. This means that even a simple toilet break
can result in a significant amount of offline time. This is one extreme of
the security spectrum – for the most secret data, it is warranted. Placed
in a business context, often these types of controls would be totally
unreasonable. Yet at the same time, organisations can’t leave the door wide
open.

Don’t have it if you don’t need it

To strike the balance between security and usability, businesses need to
implement solutions that support the way that we work. To do this,
businesses should look at what data each user requires access to and only
grant it to those files and directories. For example, an HR department
wouldn’t necessarily need to use a customer database, so it shouldn’t be
automatically granted access to it. Nor should data be allowed to be stored
on unlicensed devices. This will alleviate the risk of file loss without
affecting how the workers who actually need the data work.

Encryption for all

Controlling access is only one step. As pessimistic as it sounds, a data
breach on any organisation is, given time, certain to happen. Businesses
need to take a fatalistic stance when it comes to security – they should
assume that they have already been breached and assess their options
accordingly. Key to this is data encryption, which will make any stolen
data unusable by an unauthorised user. This is perhaps one of the most
effective security measures organisations can take, as even if an intruder
accesses a company’s data, they can’t do anything with it. The importance
of encryption can’t be overstated. The Information Commissioner’s Office
has been promoting the need for data encryption across the board, clamping
down increasingly hard on organisations that are found not to use it
effectively – or at all.

A lesson in security

Regardless of the measures an organisation takes, the weakest link will
nearly always be the human factor. Consequently, it’s more important than
ever that employees are educated about the risks that they take when using
sensitive data. At a minimum, employees should learn basic security
measures, ranging from choosing strong passwords to best practice when
handling data or working on a mobile device.

In addition, companies should take the time to inform employees about
everyday security risks. For example, there are several different phishing
scams doing the rounds which are all engineered to extract valuable data.
Informing employees about some of the tell-tale signs of phishing scams to
look out for is a simple step towards avoiding catastrophe. Ultimately, it
comes down to the security department staying on top of the latest security
threats, and sharing that information throughout the organisation.

Achieving the balancing act

Ultimately, security measures do not need to be overly complicated.
Business level security does not need to obstruct usability, but that is
not to say that it shouldn’t exist altogether. The best way to assess
organisations’ security needs is ultimately to assume that they have
already suffered a data breach and implement measures accordingly.
Overcomplicating security will only obstruct workflows, but measures like
data encryption, correct access privileges and worker education are all
ways of striking the fine balance between usability and security.