How do you know what level of security is enough?


How much security is too much? Striking the right balance can be difficult. CISO Nadine Hoogerwerf shares four considerations for identifying the right level of security for your business.

Determining whether the information security you have implemented is enough is perhaps the hardest task for anyone working in the field. Some may think the more, the better, but that isn't necessarily the case for every organization. Security can make tools and processes less user-friendly and, as a consequence, reduce productivity. Furthermore, as you probably know, security is not cheap.

So how can you determine how much security is enough? There are four things to consider. 

1. The value of the data or assets to you

If your organization lost control over the data or assets, how would this impact your business? Would it have an impact on critical (production) processes, or on your competitive advantage? 

For example, a law firm would be unable to conduct business with its clients if it lost access to its CRM software. Once you know the impact of losing control over a given set of data, it should be clear what level of protection, such as encryption or access control, needs to be in place for that data and for the systems that hold it.

2. The value of the data or assets to malicious attackers

What does an attacker have to gain from access to your data or assets? Will it give them direct access to sensitive data, and can it be used to extract further financial gain from your organization? Perhaps it could provide an advantage in a geopolitical conflict, or be used to blackmail people or to set up convincing phishing campaigns.

The value of the data or assets to an attacker determines how much they are willing to invest in gaining control over them. The higher that value, the more they will spend on the attack, and the more effort your security needs to demand of them. Note that this value is not the same as the value to you: data that matters little to your own operations can still be a lucrative target, for instance as material for phishing.

3. The value of the data to the data subjects 

The data subjects are, for example, your clients, patients or citizens. If their data is stolen, the harm is not limited to your organization; it also falls on the data subjects personally. The loss of their data may harm their privacy, be used to extort them, or even lead to identity theft. In the EU, special categories of personal data under the GDPR, such as health data, require extra protection by law.

4. The cost of security

This includes the direct and indirect costs of implementing security measures. Keep in mind that a security tool needs to be purchased, implemented and maintained. Furthermore, security, especially when implemented poorly, can have a negative impact on the productivity of the organization.

Tools to help you get it right

Depending on the sensitivity of the data in an email or file, Zivver Secure Email proposes or enforces (depending on your organization's preference) the appropriate security level. For example, MFA can be required for a sensitive email containing patient data, but not for an email inviting a colleague for coffee.
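The mechanism described above, classifying a message by the sensitivity of its content and then either proposing or enforcing the controls that level requires, looks roughly like the following. This is an added example written for this article, not Zivver's product code. The sensitivity levels, the keyword detector and the policy table are assumptions chosen to show the mechanism; the only real rule in it is the 11-proof check for Dutch citizen service numbers (BSN), and the sample messages are constructed.

```python
"""Added example: content-sensitivity-driven email controls.

Illustrative code for this article, not Zivver's product code. Levels,
detectors and the policy table are assumptions; only the BSN 11-proof is
a real rule.
"""
import re
from dataclasses import dataclass, fields
from enum import IntEnum


class Sensitivity(IntEnum):
    """Ordered so that max() picks the stricter classification."""
    PUBLIC = 0
    PERSONAL = 1          # contains a personal identifier (assumed level)
    SPECIAL_CATEGORY = 2  # health data: a GDPR Art. 9 special category


@dataclass(frozen=True)
class Controls:
    """Security measures that can be applied to an outgoing message."""
    encrypt: bool = False
    recipient_mfa: bool = False

    def __or__(self, other: "Controls") -> "Controls":
        # Union of two control sets: a control is on if either side has it.
        return Controls(*(getattr(self, f.name) or getattr(other, f.name)
                          for f in fields(Controls)))

    def missing_from(self, chosen: "Controls") -> list[str]:
        """Names of controls required by self but absent from `chosen`."""
        return [f.name for f in fields(Controls)
                if getattr(self, f.name) and not getattr(chosen, f.name)]


# Assumed policy: the minimum controls each sensitivity level requires.
POLICY = {
    Sensitivity.PUBLIC: Controls(),
    Sensitivity.PERSONAL: Controls(encrypt=True),
    Sensitivity.SPECIAL_CATEGORY: Controls(encrypt=True, recipient_mfa=True),
}

# Toy keyword detector for health data; a real classifier uses far more signals.
HEALTH_TERMS = re.compile(r"\b(patient|diagnosis|medication|prescription)\b", re.I)


def is_valid_bsn(candidate: str) -> bool:
    """Dutch BSN 11-proof: weights 9..2 for the first eight digits and -1 for
    the last; the weighted sum must be a multiple of 11. This rejects most
    random 9-digit numbers, which keeps false positives down."""
    if not re.fullmatch(r"\d{9}", candidate):
        return False
    weights = [9, 8, 7, 6, 5, 4, 3, 2, -1]
    return sum(int(d) * w for d, w in zip(candidate, weights)) % 11 == 0


def classify(body: str) -> Sensitivity:
    """Most sensitive data class detected in the message body."""
    level = Sensitivity.PUBLIC
    if any(is_valid_bsn(m) for m in re.findall(r"\b\d{9}\b", body)):
        level = max(level, Sensitivity.PERSONAL)
    if HEALTH_TERMS.search(body):
        level = max(level, Sensitivity.SPECIAL_CATEGORY)
    return level


def decide(body: str, chosen: Controls, mode: str = "enforce") -> tuple[Controls, list[str]]:
    """Return (controls to apply, shortfalls relative to policy).

    enforce: required controls are added to the sender's choice automatically.
    propose: the sender's choice stands; the shortfalls are returned so the
             client can prompt the sender before the message leaves.
    """
    required = POLICY[classify(body)]
    shortfalls = required.missing_from(chosen)
    if mode == "enforce":
        return chosen | required, shortfalls
    if mode == "propose":
        return chosen, shortfalls
    raise ValueError(f"unknown mode: {mode}")


if __name__ == "__main__":
    # Constructed sample messages: a coffee invitation and a patient referral.
    coffee = "Coffee at 15:00 tomorrow? My treat."
    referral = "Patient J. de Vries, BSN 111222333: new diagnosis, see attached."
    for msg in (coffee, referral):
        applied, short = decide(msg, Controls(), mode="enforce")
        print(classify(msg).name, applied, "added:", short)
```

The design point is that the sender's own choice is never weakened, only raised to the policy minimum, and that the same classification drives both modes: in "propose" mode the shortfalls become a prompt, in "enforce" mode they are applied silently. Keyword and identifier detectors like these have false negatives, so a deployment that relies on them should treat the PUBLIC verdict as "nothing found", not "nothing sensitive present".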

Adjusting security levels to match what is truly needed is a challenge. Too much will hurt, too little might hurt a lot more, so it is important to get it right. Find out how we can help you strike that balance across your entire organization.

Last updated - 09/04/24