maxkabakov - Fotolia
The contradiction of post COVID-19 risk management
Security vs. usability is always a constant struggle for security teams. The rapid change to remote access during the pandemic has forced companies to revisit their risk management approach.
As the economy gradually emerges from the restrictions our communities underwent in attempt to slow the spread of COVID-19, I have been hearing about "post COVID-19 risk management." And I can't help but feel like this is a bit contradictory. Long before coronavirus, companies were faced with the question of whether to prioritize security or usability.
This pandemic forced businesses into new working environments that they didn't expect in response to an unprecedented situation. Their security practices were either mature enough to handle a massive transition and adjustment, or they were behind. For this reason, we didn't have pre COVID-19 risk management and now suddenly have post COVID-19 risk management. Many of the technological changes companies were forced to make in response to the pandemic are going to stick and mature. What we have is a new normal.
Not many -- if any -- companies had a contingency strategy up their sleeves as part of their business continuity plans for a near immediate shift to remote work for employees. They had to adjust on the fly to telework across the board, with virtual environments taking the place of offices, conference rooms and other locations that host face-to-face meetings. In many situations, companies or employees may well have opted for usability, giving priority to the need to share information over the risks involved in distributing information online. After all, business has to continue and sales teams have to be able to do their jobs. But the security questions don't go away.
Many industries face marketing and sales challenges around protecting intellectual property before it is released. In retail operations or manufacturing, for example, representatives promoting a new product want to be the first to market, but they also want to prevent a competitor from undercutting them by pilfering the idea.
Cybersecurity risk factors reimagined
Carrying sensitive or proprietary information on a laptop or other mobile media has always had risks, but that data was often protected by two-factor authentication and hardware or software encryption. Now, in an era of more virtual information exchange through online meetings and transactions, risks are exacerbated. For example, connections may not be secured, transmissions may not be fully encrypted, or users might not be assured of the security of other participants. For that matter, they may not be aware of everyone who has access to the data being shared.
Security can be layered onto virtual environments, but that can also introduce complications. On one hand, it might not provide comprehensive protections if added after applications are in use. On the other, strict security controls could make online channels more difficult to use. This could prompt some users to look for ways around those controls, which could unintentionally expose data to threats.
Businesses may find that the challenges of going almost entirely virtual during the pandemic response are accompanied by a silver lining or two. They may realize, for example, that some employees are just as productive or even more productive working remotely, or that salespeople making contact by virtual means are just as effective. Some businesses may see potential savings in building, maintenance and travel costs by moving more to a virtual model.
Risk management revisited
There isn't one rule that fits all companies for risk management; it comes down to each specific organization and its priorities. But all enterprises can address key elements of a virtual workforce, especially when reflecting on what aspects of adjusting to COVID-19 were most difficult.
Access management is among the most important risk. Who has access to certain exchanges and transactions? Should steps be taken to establish levels of permissions? Does another layer of authentication need to be added?
The question of additional security controls is another. Do online channels, regardless if they are one-to-one communications or group sessions, have appropriate encryption and other protections (including access control)? Is the data being exchanged as well protected as it would be on a hardware- and software-encrypted drive or laptop?
As usual, businesses need to address the question of security vs. usability, depending on their own circumstances. Is ease of use or the necessity of a communications channel worth the risk inherent in sharing vital information? Or should security take priority?
Risk management generally leads to one of three outcomes: accept, transfer or mitigate. You can accept the risk on the basis that the process under consideration is worth the potential consequences. You can transfer the risk by hiring a third party to protect the area of concern, or perhaps by taking out cyberinsurance. Or you can mitigate the risk by implementing security changes. The third option is usually the most difficult to manage because new security controls have a financial and procedural impact on what they're designed to protect.
Security has always been a difficult balancing act between giving too much weight to either security or usability. Now that COVID-19 has challenged the security policies and boundaries of organizations, it is key to address risk management as an ongoing facet of a business that must mature over time -- regardless of the crisis at hand.
About the author:
Jonathan Couch, senior VP of strategy at ThreatQuotient, uses his more than 25 years of experience in information security, information warfare and intelligence collection to focus on the development of people, process and technology to support the consumption, use and communication of cyberthreat intelligence. Prior to ThreatQuotient, Couch was a co-founder and VP of Threat Intelligence Services for iSIGHT Partners, where he created and managed a threat fusion center to help clients transition to intelligence-led security programs. Couch previously served in the Air Force at the NSA, Air Force Information Warfare Center, and in Saudi Arabia as the regional network engineer for the Joint Task Force (Southwest Asia).
