Investment is a word mostly correlated with finance or assets, but there are various other avenues we venture into each day, like investment of time, knowledge etc. The most important assets of any organisation are these investments captured in the form of data, which leads to an important question, ”How do we secure our data?”
My vision on security starts with home. We want our house to be safe and ensure that our family is secure in all circumstances. However, we also place a lot of importance on convenience and always consider the risk – benefit ratio before implementing any form of home security. At Insentra we operate like one big family and have a similar outlook on the Information Security landscape.
Our recommendation is a gradual approach where we start with an assessment and gradually work towards expanding the security strategy to an extent where the risk – benefit ratio is maintained. It starts with identifying potential risks – this could involve known as well as known – unknown factors – triggered by either an intentional malicious action or an innocuous accident. The next step is to quantify the potential impact of each risk and evaluate appropriate risk mitigation measures. Our Architect-as-a-Service (MapOne) offering is a great example of our delivery approach and you can read more about it here – MapOne Part 1 & MapOne Part 2.
We have seen organisations resort to drastic measures like blocking various forms of access. I’m afraid there is no standard answer around the best approach and the only way we visualize this is through an evaluation of risks vs. benefits. Let’s assume a data loss prevention scenario where an organisation has blocked USB access for employees. The below factors may be considered:
· What is the impact of the risk, i.e. employees copying data on USB?
· What is the cost of productivity loss incurred by the organisation as n number of employees cannot perform their job conveniently? The lack of convenience is likely to result in delays or the job not being done, which could mean a significant cost to the organisation.
· Is the blocking rule limited to departments or people who handle confidential data? Do we really need to apply this restriction to the entire organisation?
· Do we have alternative convenient solutions for secure file transfer?
· Have we applied this restriction gradually with employee education and communication?
· Is the potential cost of this risk higher than the potential cost of mitigation? If the answer is yes, we may certainly explore the mitigation strategy with an active effort to minimize the cost of mitigation.
Organisations spend a fortune in procuring security solutions but a bad implementation could mean a bad risk – benefit ratio. It is imperative that we look at Information Security as an investment and ensure that it does not impact our larger interests. At Insentra we leverage a perfect blend of our organizational values and tremendous Information Security expertise to help organisations achieve the maximum ROI with their investments.
Please feel free to reach out to us for a risk assessment.
