Ensure Cyber Risk Management Doesn’t Impede Business Performance

Risk Management

Cyber security has become a priority for most organizations, and rightly so. Data breaches are a real risk, and cybercriminals aren’t going away. The “prohibition” approach (or “zero trust”), which limits access to web pages and applications, is a go-to model for data protection. But are security programs interfering with business performance? Research suggests that overzealous cyber risk management may be too much of a good thing.

User Frustration

The prohibition approach leads to frustration for users who cannot access applications. According to a survey commissioned by Bromium of 500 enterprises, 74 percent of chief information security officers (CISOs) said users were frustrated that security measures interfered with their job function. Eighty-four percent said users believed that security measures stifled innovation.

This sense of frustration affects customers and employees alike. CISOs reported frequent customer complaints about work delays caused by security measures, according to the Bromium study. After surveying 1,000 employees in the UK, researchers for Cisco found that 1 in 8 employees believed that security measures were stifling innovation and collaboration. Nearly one-fourth believed that the cost of lost business opportunities was greater than the cost of a potential cyber breach. Frustration even led some employees to bend the rules of the security policy.

Employee Complacency

The most effective Cyber Security programs can sometimes backfire in the workplace. For example, an environment of heightened security can sometimes result in employee complacency. The Cisco study found that 62 percent of employees believed their actions had a low to moderate effect on Cyber Security. More than a third reported low to moderate adherence to security policies.

Need for New Security Approaches

To strike a balance between strong security and robust business performance, organizations need to develop new approaches to security. New technologies and insights into workplace behaviors have led to some promising developments.

Behavior-Centric Security Policies

Employees respond to security risks in different ways. Instead of forcing all employees into a single security program, organizations can develop policies tailored to individual employee behavior. For example, researchers for Cisco classified employees into four behavior profiles describing attitudes toward cyber threats, ranging from “threat aware” to “bored and cynical.” User-specific security policies can protect data while accommodating these individual behaviors.

Micro-Virtualization

Certain activities, such as downloading files or opening applications, are more closely associated with cybercrime than others. To prevent a breach, security policies often restrict legitimate users from these activities. However, a new technology known as micro-virtualization can isolate these activities, trap resulting malware, and protect an organization’s network.

Micro-virtualization is an example of implementing strong security without sacrificing business performance. With this technology, there is no need to prevent users from doing their jobs, so there is no interference with innovation and collaboration.

Security Compatible with Business Performance 

In today’s cyber environment, effective data protection is a crucial concern. At the same time, security measures must not inhibit business performance and growth. New technologies and approaches to Cyber Security can both prevent breaches and allow innovation and collaboration among legitimate users.

Carefully crafted policies and procedures are a KEY ingredient to any successful cyber security program.  They need to be written and implemented in a way that is effective and flexible, but also allows the business to run unencumbered.

At Interactive Security, we often refer to cyber security programs as “living & breathing”.

https://www.computerweekly.com/news/450428565/IT-security-hindering-productivity-and-innovation-survey-shows

https://www.helpnetsecurity.com/2015/01/12/is-it-security-stifling-innovation-and-collaboration/

https://searchmobilecomputing.techtarget.com/definition/micro-virtualization

Emory Vandiver

Emory Vandiver is the Vice President of Business Operations and a Partner at Interactive Security, where he is responsible for executing the company's strategy as a premier IT Security and Compliance provider. For over 20 years Emory has worked for leading enterprises across a diverse cross section of the information technology industry. His professional passion lies in understanding client business goals, challenging the status quo and leveraging technology-based solutions to maximize client performance. He strives to bring unique insight and value to his clients' businesses, along with a superior customer experience.