Why security needs equality
Charles Sweeney, CEO, Bloxx
The need for there to be a common standard within business is driven by a strong human emotion for equality. This is especially true as workforces fragment and become more geographically disparate. From HR to finance policies, equality is adhered to – there is a commonality across the board. And yet, when it comes to security, there are multiple and varying policies across locations, teams and devices. It might not seem like such a big deal, after all no harm, no foul right? If we lived in a picture perfect world, then perhaps this would be the case. But we don’t. We live in a world where cyber criminals are always seemingly one step ahead, constantly evolving their methods of attack and actively seeking vulnerabilities.
As a result, there is a real and present danger that these ‘idiosyncrasies’ introduce business risk. Often people don’t realise that there is disparity within the organisation until someone asks them to drill down into their BYOD policy. BYOD might seem like easy pickings, but it is a perfect example of how inequality in security policies can create vulnerabilities. For example, employees might not use their device whilst at work, but they could well prefer to do their lunchtime web browsing on their smart phone. Is that device on or off network? Do the same rules apply to the content and websites that they are able to access? If not, what is to stop them accessing something inappropriate, flashing it around, someone getting offended and shooting off an email to HR?
The list of examples isn’t just contained to devices. As a former IT programmer, I know only too well that there are different groups within the organisation to which different rules apply. Often the policy setters themselves are more relaxed about their own access. After all, they can argue that they need access to a wide range of information, devices and applications in order to keep the corporate ‘lights on.’ Or sometimes you find that management have a more laissez-faire approach to their own access, but people on the shop floor are more restricted.
Regardless of whether it is a device on network that shouldn’t be or a CEO clicking on what they believe to be a reputable site with the best of intentions. The fact is, danger lurks everywhere. They could unwittingly open the door for a piece of malware to sweep the network. Yet at a different site, it might never have happened as either access would have been restricted or if a technology deployed on the front line to protect the organisation.
Clearly a fragmented policy is better than no policy at all, but the fact remains that inequality is rife within organisations, especially those with mobile workers and/or multiple locations because they lack the ability to centrally manage and apply policies. As companies look to embrace the cloud, this risk becomes extrapolated across even more potential touchpoints. Companies need to be able to centrally manage and apply policies. The danger is that if you don’t have a helicopter view how do you know that if you address a vulnerability at one location, you don’t introduce a new one at a different office?
There are several good reasons why equality is a strong human emotion. But one of the most critical is that is that it protects us. Amongst all the daily hype security teams have to wade through, equality is a strong guiding principle for a robust security policy.