
Data with Beau

Balance Between Restricting and Enabling Access

Explain the balance between restricting and enabling access for legitimate users


A balance needs to be struck between restricting and enabling access for legitimate users because security should be implemented where practicable to comply with local data protection regulations, such as the United Kingdom General Data Protection Regulation (UK GDPR), without impeding business objectives. For a business to function, employees need access to relevant resources, including personally identifiable information (PII) and business intelligence. However, data can be misused inadvertently or intentionally, and the more people who hold access rights, the wider the attack surface. The vulnerabilities are twofold: the software may have security flaws that attackers can exploit, and the human element is prone to social engineering attacks such as phishing emails or deepfakes. A company combats these with penetration tests, quality assurance (QA), awareness training, mantraps and so on. Though vital, security engineering in software development inevitably slows down feature development in the short term. Similarly, user access restrictions and security procedures can let bureaucracy hijack efficiency. In short, there are trade-offs between business objectives and security. Too much security can stifle business operations; too little, and even a compliant company can succumb to unrecoverable disruptions such as loss of reputation, loss of data or debilitating fines.

Dichotomy of organisational needs (government vs business)

The role of government is to create laws that protect the public interest, while the role of a business is to meet its business objectives and be sustainable, i.e. make a profit. Without government oversight, a business may not be rigorous in its security processes, at the expense of its customers. At the same time, it is in the business's interest to protect customer data, business secrets and intellectual property (IP) to maintain its reputation. Some businesses may not have the resources for a dedicated security team and may implement rudimentary security measures as they see fit. Larger businesses with more data at risk may take a business-as-usual approach if there is no incentive to invest in security. The government's role is to provide clear and consistent standards for businesses of various sizes and sectors to comply with. To incentivise compliance, harsh punishments are introduced, such as fines and sentences for board members.

Top-down organisational centric vs bottom-up user centric

In a top-down, organisation-centric approach, decision-making starts from the board and trickles down to the employees, or on a larger scale from government to companies. Because the board is accountable for information security, senior management is empowered to set the tone for security. A chief information security officer (CISO) keeps abreast of regulations and assesses the changing threat landscape to design, implement and enforce security policies. The security team carries out internal audits with different departments to ensure compliance and close any security gaps. Thus planning takes place at the top, and procedures are disseminated and actioned at the bottom of the hierarchy. This approach is rigid, with no feedback or involvement from the staff at the bottom until the implementation phase of the plan. It is used in bigger organisations, where expertise at the top is used to give clear direction. It is efficient and consistent, as everyone follows the same procedures regardless of team, and anything that deviates from the rules can be quickly tracked. The downsides are that it requires buy-in from staff and may meet resistance; management may not know everything at a granular level, so solutions can be narrow-minded, poorly informed and uncreative, or not flexible enough to cater for unexpected occurrences that frontline staff know how to handle.

A bottom-up, user-centric management style involves collaboration with employees at all levels, drawing on people's role-specific experience and know-how. It is more democratic and motivating, as staff feel valued and solutions are consultation-led. The downside is that it can be slow when gathering feedback, depending on how iterative the process is, and disagreements can impede the process and lower morale.

Depending on the situation, a company can adjust its hybrid approach, seeking the opinions of heads of department instead of all employees, or sliding further towards top-down or bottom-up as needed.

Cost effectiveness (cost of control vs value of the assets)

The first step in cyber security is to know the company's assets, so that management understands what needs protecting and what the assets are worth. If the value of the assets is more than the cost of safeguarding them, a company may accept the risk, as investing in security might not be financially feasible. For example, a small supermarket may not be able to afford a guard, and the likelihood of theft might be low; in this case, surveillance cameras may suffice. On the other hand, a national supermarket attracts more people and more bad actors; it has to ensure customers feel safe walking in, and it can afford a guard. A vulnerability is a human or technical flaw, such as a bug in the system or human carelessness. A threat is anything that can undermine the confidentiality, integrity and availability of data. Risk is the probability of a security incident. Risk can be calculated by multiplying the vulnerability by the threat, taking into consideration the frequency, existing safeguards and potential value loss.
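The following is an added example, not code from the original page, that turns the factors named above (threat, vulnerability, frequency, existing safeguards and potential value loss) into a simple annual risk score and then compares the cost of a control against the expected loss it avoids, in the spirit of the section heading. The scoring model, the two supermarket scenarios and every figure in them are constructed assumptions for illustration; the names `Scenario`, `annual_expected_loss`, `with_safeguard` and `evaluate_control` are mine.

```python
"""Added example (not from the page): a simple risk score built from the
factors the text names, plus a cost-of-control comparison.  All figures
are constructed; the multiplicative model is an assumption."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Scenario:
    name: str
    value_loss: float     # potential loss per successful incident (constructed)
    threat: float         # 0..1: likelihood the threat is directed at us
    vulnerability: float  # 0..1: chance an attempt succeeds given current safeguards
    frequency: float      # expected attempts per year


def annual_expected_loss(s: Scenario) -> float:
    """Risk = vulnerability x threat, scaled by frequency and the value at stake."""
    return s.threat * s.vulnerability * s.frequency * s.value_loss


def with_safeguard(s: Scenario, reduction: float) -> Scenario:
    """A safeguard lowers the vulnerability factor by `reduction` (0..1);
    existing safeguards are already reflected in s.vulnerability."""
    if not 0.0 <= reduction <= 1.0:
        raise ValueError("reduction must be between 0 and 1")
    return replace(s, vulnerability=s.vulnerability * (1.0 - reduction))


def evaluate_control(s: Scenario, control_name: str,
                     annual_cost: float, reduction: float) -> dict:
    """Mitigate only if the control saves more expected loss per year than it costs;
    otherwise the residual risk is accepted."""
    before = annual_expected_loss(s)
    after = annual_expected_loss(with_safeguard(s, reduction))
    saving = before - after
    return {
        "scenario": s.name,
        "control": control_name,
        "loss_before": before,
        "loss_after": after,
        "saving": saving,
        "cost": annual_cost,
        "decision": "mitigate" if saving > annual_cost else "accept",
    }


# Constructed scenarios mirroring the text's small vs national supermarket.
SMALL_SHOP = Scenario("small supermarket", value_loss=2000.0,
                      threat=0.3, vulnerability=0.5, frequency=4.0)
NATIONAL = Scenario("national supermarket", value_loss=50000.0,
                    threat=0.9, vulnerability=0.6, frequency=12.0)

# Constructed controls: (name, annual cost, reduction in vulnerability).
CONTROLS = (("security guard", 30000.0, 0.7), ("cameras", 400.0, 0.5))

if __name__ == "__main__":
    for scenario in (SMALL_SHOP, NATIONAL):
        for control, cost, reduction in CONTROLS:
            r = evaluate_control(scenario, control, cost, reduction)
            print(f"{r['scenario']}: {r['control']} saves {r['saving']:.0f}/yr "
                  f"vs cost {r['cost']:.0f} -> {r['decision']}")
```

With these constructed numbers the small shop accepts the risk rather than paying for a guard but finds cameras worthwhile, while the national chain's expected loss is large enough that a guard pays for itself; changing any factor (for instance a higher threat level or a cheaper control) moves the decision, which is the point of keeping the inputs explicit.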

Internal threats

Without security investment, data is subject to security breaches from within. Without senior management's backing and tone-setting, the result will be a lack of awareness training and people becoming less vigilant. The IT team will not keep their skills up to date and will leave the company for better prospects. There may be a lack of controls if security is not a priority or top of mind. One way to combat this is to automate processes: for example, if an employee leaves, their account can be locked the next day automatically, and if an employee is being terminated, HR can contact the IT team to reduce the employee's privileges before breaking the news. Industrial espionage may also be at play; to defend against this, least privilege and zero trust are applied, so that even if a spy gains access to a small area, the attack is contained.
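As an added example (not code from the original page), here is the automation the paragraph describes as a nightly reconciliation between an HR roster and directory accounts: accounts whose owner's leave date has passed are locked, accounts flagged by HR as pending termination have their privileged groups stripped ahead of the conversation, and accounts with no HR record at all are reported as orphans for review. The roster, the account list, the group names in `PRIVILEGED_GROUPS` and the functions `plan_offboarding` and `apply_plan` are all constructed for illustration.

```python
"""Added example (not from the page): nightly offboarding reconciliation.
The HR roster, directory accounts and group names are constructed sample data."""
from datetime import date

# Assumed naming of groups that grant elevated access.
PRIVILEGED_GROUPS = {"db-admin", "payroll", "domain-admin"}

# Constructed HR roster: status plus the last working day, if any.
ROSTER = {
    "alice": {"status": "active", "end_date": None},
    "bob": {"status": "left", "end_date": date(2024, 5, 31)},
    "carol": {"status": "pending_termination", "end_date": None},
    "dave": {"status": "left", "end_date": date(2024, 6, 1)},  # leaves today
}

# Constructed directory export; "svc-legacy" has no HR record.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["staff", "db-admin"]},
    {"user": "bob", "enabled": True, "groups": ["staff"]},
    {"user": "carol", "enabled": True, "groups": ["staff", "db-admin", "payroll"]},
    {"user": "dave", "enabled": True, "groups": ["staff"]},
    {"user": "svc-legacy", "enabled": True, "groups": ["domain-admin"]},
]

TODAY = date(2024, 6, 1)  # constructed run date


def plan_offboarding(roster, accounts, today):
    """Decide, without changing anything, what tonight's run should do."""
    plan = {"disable": [], "strip_groups": {}, "orphans": []}
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already locked; nothing to do
        record = roster.get(acct["user"])
        if record is None:
            # No owner in HR: report for review rather than auto-lock, since
            # service accounts may be load-bearing.
            plan["orphans"].append(acct["user"])
            continue
        end = record["end_date"]
        if end is not None and end < today:
            # Leave date has passed, so the account is locked "the next day".
            plan["disable"].append(acct["user"])
            continue
        if record["status"] == "pending_termination":
            # Least privilege ahead of the conversation: keep the login,
            # drop the elevated groups.
            elevated = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)
            if elevated:
                plan["strip_groups"][acct["user"]] = elevated
    return plan


def apply_plan(accounts, plan):
    """Return a new account list with the plan applied; the input is untouched."""
    updated = []
    for acct in accounts:
        new = dict(acct, groups=list(acct["groups"]))
        if new["user"] in plan["disable"]:
            new["enabled"] = False
            new["groups"] = []  # a locked account keeps no entitlements
        elif new["user"] in plan["strip_groups"]:
            drop = set(plan["strip_groups"][new["user"]])
            new["groups"] = [g for g in new["groups"] if g not in drop]
        updated.append(new)
    return updated


if __name__ == "__main__":
    plan = plan_offboarding(ROSTER, ACCOUNTS, TODAY)
    print("plan:", plan)
    for acct in apply_plan(ACCOUNTS, plan):
        print(acct)
```

Separating the plan from its application keeps the run auditable: the plan can be logged or reviewed before anything changes, and the orphan list surfaces the accounts that the page's "lack of controls" would otherwise leave unowned.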

Internal vulnerabilities

Internal vulnerabilities can be technical, such as a bug in the code, or human, such as weak policies. There may be no separation of duties, especially in a small team, because of the financial burden: the person who writes the code is the same person who runs the QA tests. Interns and contractors might be given fewer access rights to the databases as their contracts are temporary. Further, temporary staff may not be fully vetted for ad-hoc, time-sensitive projects, may be less knowledgeable about the corporate security policy they have to follow due to a lack of training, or may feel less accountable for mistakes.
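The separation-of-duties gap described above can be enforced by a release gate that refuses a change unless someone other than its author, holding the QA role, has signed it off. This is an added example and not code from the original page; the role table, the change records and the names `Change` and `can_release` are constructed for illustration.

```python
"""Added example (not from the page): a release gate enforcing separation
of duties between a change's author and its QA approver.  Users, roles and
change records are constructed sample data."""
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed role assignments.  The intern holds no qa role, reflecting the
# text's point that temporary staff get narrower rights.
ROLES = {
    "alice": {"developer"},
    "bob": {"developer", "qa"},
    "carol": {"qa"},
    "intern-dan": {"developer"},
}


@dataclass(frozen=True)
class Change:
    change_id: str
    author: str
    qa_approver: Optional[str] = None


def can_release(change: Change, roles: dict) -> Tuple[bool, str]:
    """Return (allowed, reason).  The approver must exist, must differ from the
    author, and must hold the qa role; a developer who also has qa cannot
    sign off their own work."""
    if change.qa_approver is None:
        return False, "no QA sign-off recorded"
    if change.qa_approver == change.author:
        return False, "author cannot approve their own change"
    if "qa" not in roles.get(change.qa_approver, set()):
        return False, f"{change.qa_approver} does not hold the qa role"
    return True, "ok"


def releasable(changes, roles):
    """Filter a batch down to the change ids that pass the gate."""
    return [c.change_id for c in changes if can_release(c, roles)[0]]


# Constructed batch of changes awaiting release.
PENDING = [
    Change("c1", author="alice", qa_approver="bob"),
    Change("c2", author="bob", qa_approver="bob"),          # self-approval
    Change("c3", author="alice", qa_approver="intern-dan"), # approver lacks qa
    Change("c4", author="carol"),                           # no sign-off
]

if __name__ == "__main__":
    for c in PENDING:
        ok, why = can_release(c, ROLES)
        print(f"{c.change_id}: {'release' if ok else 'blocked'} ({why})")
```

In a small team where one person both writes and tests code, the gate makes the missing second pair of eyes visible at release time instead of leaving the risk implicit.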

External threats

To ward off external threats infiltrating private networks, employees can be more aware of who is around them, tailgating or shoulder surfing. To combat these types of threats, a mantrap can be installed and a privacy screen filter used on phones or laptops, subject to budget availability. Companies can block unauthorised IP addresses to prevent employees from opening a phishing link. Lost badges should be reported immediately to prevent identity theft. Ultimately, humans are prone to social engineering attacks such as quid pro quo or bribery, trusting the wrong person, being careless when talking about work in a public setting, or being caught off guard. It is in the company's interest to have guardrails, whether physical, technical or administrative, and to weigh the cost of access control against the value of the assets, so as to improve its security posture.