IT security is always something of a contentious issue, especially where it impacts on the day to day operation of your business. The problem is that Information Technology is often seen as both a major source of risk as well as the main way to combat it. While it is true that properly implemented IT services will allow you a great deal of peace of mind, you may find that your focus on just one area has left you dangerously exposed in others.
Common IT Security Mistakes
The search to manage those risks still tends to lead to some common errors that are as much business-led as IT-led:
Being imprecise about terminology so that instead of discussing vulnerabilities or threats, everything gets labeled as a risk.
Developing measures and their metrics, but not defining thresholds or the subsequent actions if they are breached.
IT being seen as both the tool to secure and the primary focus, rather than paying attention to the security of business processes and their associated data.
Trust being given undue prominence without some form of check and balance.
The whole process of risk management revolves around weighing up the relative likelihood of an event happening against the impact on the business or system should it actually happen. With IT security, the safest approach is generally to assume that vulnerabilities will be exploited sooner or later and to prioritize the response accordingly. Unlike other areas of the business, there isn’t really an option to ‘do nothing’. You can find this easily leading to a siege mentality however, where any suggestion of change is seen with great suspicion.
How to Move Forward
If the solution is to beef up IT security through attention to passwords and certificate expirations, utilization of Group and Local Security Policies, and proper audit controls for administrator accounts, then that is relatively simple enough. The problem is that while many of the effects of these are felt across the business as a whole, they tend to be seen as problems that are inflicted on the business by IT, rather than part of the business’ approach to managing risk. How many of us have heard, or even said in a moment of pique: “Why can’t I use that as my password?” In that moment, IT becomes seen as the problem, not the solution.
Businesses that don’t extend the same principles of audit trails and accountability within their business processes will leave themselves open to the same risks as if they had not secured their IT. Information and Financial controls are just as vulnerable through people not following procedures. It is easy of course to call for strict auditing. Unfortunately, the result of over auditing is the same in the real world as it is in IT – that if you audit everything, you lose the important breaches in a mass of ordinary detail and performance suffers. Perhaps then we should consider the risks to data as an issue for the whole business, and act accordingly, with IT security being but one of the tools available to address the problem.