The purpose of a business is not to minimize risk. Many cybersecurity professionals have not grasped this, and a security strategy that does not align with the strategy of the business will likely do more harm than good.
Risk mitigation is not free. It always comes with a cost: the direct cost of implementing a control, and the implicit cost of the effect that control has on the ability of the business to deliver its products and services to its customers. Doing nothing about risk is not a viable option either; sooner or later something will go seriously wrong. In cybersecurity terms the question worth asking is: what is secure enough?
How can a risk control be bad for the business?
Let’s say you are running a hair salon. Your goal is to provide your customers with “the latest and greatest style advice and products for stunning beauty”. Your insurance company urged you to buy cyber insurance, and they then required you to list the cyber threats you worry about. At the top of this list is “ransomware”. The insurance agent tells you this is the typical way a small business gets infected:
- Employee receives message by email with a dangerous attachment or link
- Employee opens or clicks the dangerous content
- The computer is infected
- The ransomware encrypts the computer, and your point-of-sale terminal, and demands a ransom
How can this be avoided? You hire a “cyber warfare specialist” to come up with security controls.
Here are the suggestions:
- Block internet access for employees, except for a few business related sites
- Add a filter that will strip out all links and attachments from emails
- Segregate the internal network so that the office computer cannot talk to any financial systems, including the point-of-sale terminal.
All of these mitigations could be effective against the identified ransomware risk. But do they have side effects? If you really worry about ransomware, perhaps you will opt to go for all of these protections. How would that affect your business?
Armin is your best stylist. He usually spends his break time on the computer looking at fashion sites, drawing and coming up with new ideas to try. He also likes to participate in reddit and other forums to discuss new products and ideas with other stylists. After the new security controls came in, he stopped doing this, and instead sat in a chair browsing his Facebook feed and feeling bored. After a few months, customers are not coming back any more and Armin accepts an offer from your biggest competitor.
Your mother’s friend Elvira runs a small accounting firm, and she has been helping you with bookkeeping, invoicing and cash management for years. She is very good at this, and the service is cheap as well. She prefers to send monthly statements as Excel attachments by email for you to go through before closing the month’s tax reporting. Without attachments in emails, this workflow doesn’t work anymore, and since Elvira doesn’t like to change her ways of working, the only way to continue working with her is to drive over and look at the statements in her office. This is inconvenient and takes a lot of time, but at least you are less vulnerable to ransomware?
Segregating the internal network to block any communication between the office computer and the point-of-sale terminal will stop ransomware on the office computer from reaching the payment solution. At the end of the day you usually download the day’s sales data from the terminal over the local network. Without connectivity you would need to transfer it another way, such as on a USB drive. That takes 30 seconds extra, so perhaps this is not so bad? (Keep in mind that a USB drive carried between the two machines is itself a classic malware path, so the gain from segregation only holds if the drive is handled with some care.)
None of the suggestions are bad as such, but choosing security controls without understanding the business context can have undesired side effects. Spending 30 seconds extra to get the sales data is acceptable; losing your star stylist to a competitor is definitely not.
How can we assess the business impact of a security control?
You don’t need a very advanced analysis to review the business impact of a security control, but you do need to understand how technology is used in your business. A good way to get this overview is to perform a simple business process mapping using SIPOC (Suppliers, Inputs, Process, Outputs, Customers). Then, for each suggested security control, ask yourself three questions:
- What am I using this technology for?
- How would my business processes change if I introduce this control?
- How would that change profitability, creativity and efficiency at work?
Based on these three simple questions it is usually quite straightforward to see whether the friction a security control introduces is a smaller risk to your business than the problem the control is meant to solve.