There is more to security than just having a product in place, even if it is the “right” product. Information security and risk mitigation are about knowing what needs to be protected, the cost of that protection, and the potential cost if there is a loss (that is, if the risk materializes as theft or another type of breach).
Often, we feel compelled to put sophisticated, difficult-to-operate solutions into place to give us the warm fuzzies, but in fact those can lead us down the wrong path. If you can’t manage the security you put into place, all you’ve done is waste your time and probably decrease security in the meantime.
Fortunately, there are relatively simple security solutions to big problems, so long as we are willing to accept that we can’t perfectly secure our businesses; we can only “mostly” secure them. We also have to realize that we need to put the right systems and practices into place first. Solving a problem with technology right off the bat never works, and I say that as “the IT guy”.
Let’s take accounting as an example. In a company with no controls, one employee may perform all accounting tasks. They receive customer checks, enter them into the A/R system, deposit the checks, receive vendor invoices, enter them into the A/P system, and cut checks for payment. (Scary, right? Well, these companies are out there. In fact, there are probably more of them than not.)
So, being wise to the ways of the world, you use Separation of Duties (SoD) to place a control into the process. You have employee A doing A/R and employee B doing A/P. Great! Of course, you aren’t perfectly protected. You are “mostly” protected, with the “mostly” coming into play because you are not preventing losses, merely limiting them. Consider this:
Threat 1. Employee A can take a customer’s cash and run for it.
Threat 2. Employee B can print a company check and run for it.
Threat 3. Employee A and Employee B can collude to embezzle money.
So you are still at risk, but you have placed limits on that risk. (This is a world of risk mitigation, not risk prevention. Welcome aboard.) If you’re smart, you have a receipt and receipt reconciliation system in place that limits your exposure to Threat 1 to a day or two. For Threat 2, you need to monitor checks and cash. Threat 3 has the same need as Threat 2: you need to monitor checks and cash.
And now that we know the relatively simple need, we can put the technology into place. Monitoring checks and cash has become much easier with online banking: your bank’s alerts for large withdrawals or cashed checks, or, better yet, a dashboard view with www.mint.com (which will also integrate with your iPhone), will tell you rather quickly when something happens. Did you stop it? No. Did you limit it? Yes.
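As an added illustration that is not part of the original post, here is a small script that models the two layers just described: an SoD check that keeps A/R and A/P actions with separate employees, plus the detective controls that catch what SoD alone cannot (unreconciled receipts for Threat 1, large disbursements for Threats 2 and 3, and any one person whose logged actions span both duties). The employee names, ledgers, and alert threshold are constructed sample data.

```python
from collections import defaultdict

# Constructed roles and the actions each duty may perform (assumed names).
ROLE_OF = {"alice": "AR", "bob": "AP"}
ALLOWED = {"AR": {"receive_check", "deposit"}, "AP": {"enter_invoice", "cut_check"}}

def authorize(user, action):
    """Preventive control: an employee may only perform actions of their own duty."""
    return action in ALLOWED.get(ROLE_OF.get(user, ""), set())

def unreconciled_receipts(receipts, deposits):
    """Threat 1: customer checks entered in A/R but never deposited.
    Running this daily keeps the exposure window to a day or two."""
    deposited = {d["receipt_id"] for d in deposits}
    return [r["receipt_id"] for r in receipts if r["receipt_id"] not in deposited]

def large_disbursements(checks, threshold):
    """Threats 2 and 3: company checks at or above the alert threshold.
    This does not stop a bad check; it makes sure it is seen quickly."""
    return [c["check_no"] for c in checks if c["amount"] >= threshold]

def duty_violations(audit_log):
    """Anyone whose logged actions span both duties has crossed the SoD boundary."""
    duties = defaultdict(set)
    for entry in audit_log:
        for duty, actions in ALLOWED.items():
            if entry["action"] in actions:
                duties[entry["user"]].add(duty)
    return sorted(u for u, d in duties.items() if len(d) > 1)

# Constructed sample ledgers and audit log for one business day.
RECEIPTS = [{"receipt_id": "R-1001", "amount": 500}, {"receipt_id": "R-1002", "amount": 2200}]
DEPOSITS = [{"receipt_id": "R-1001", "amount": 500}]
CHECKS = [{"check_no": "C-76", "amount": 850}, {"check_no": "C-77", "amount": 12000}]
AUDIT_LOG = [
    {"user": "alice", "action": "receive_check"},
    {"user": "bob", "action": "cut_check"},
    {"user": "carol", "action": "receive_check"},  # carol has no assigned duty
    {"user": "carol", "action": "cut_check"},      # yet acted on both sides
]

def run_controls(threshold=10000):
    """Return the day's findings: what slipped past the preventive control."""
    return {
        "unreconciled": unreconciled_receipts(RECEIPTS, DEPOSITS),
        "large_checks": large_disbursements(CHECKS, threshold),
        "sod_violations": duty_violations(AUDIT_LOG),
    }

if __name__ == "__main__":
    print(run_controls())
```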
Notice that we can limit risk here with relatively low-cost but effective solutions, but only because we acknowledge that we are LIMITING risk, not eliminating it. Knowing the difference will clarify a lot for you when you work to protect your organization.
And of course we can help with this. We take a problem and work with you to trace it back to the actual business problem, and that’s the problem we help you solve. It’s not the technology. It’s the system, the process, and the people. Technology just helps you get more leverage.