Embed from Getty Images
There are two radically different approaches to something like security: assume that you can prevent something from happening or assume that the worst is going to happen, how are you going to recover.
The first approach (“prevention”) is a wonderful thing. You spend thousands or millions of dollars in preventative measures:
- anit-virus everywhere
- clamp down on security so that no one has admin access to anything
- prevent people from installing their own software
I mean, there are a lot of things you can do to reduce the chance that something will slip through. But it’s all going to go up in smoke if you haven’t planned for that slippage.
- A recent article described how, in thirty seconds, you can retrieve the password from a locked desktop. So, you lock your desktop as you go to the bathroom. Someone needs just thirty seconds and they can retrieve your password before you get back to your desk. (This works on Macs as well as PCs.)
- Hackers have managed to get millions of userid/password combinations from sites that have been hacked for years. Since people re-use their passwords … a lot … they most likely have your password.
So, the people that are sitting in their ivory tower thinking about all of the preventative measures that they’ve put in place? Well, the earthquake is happening, the tower is collapsing and they have no idea what to do.
Those other guys, the ones that aren’t as obsessed with preventing the problem, but are more obsessed about how to recover from the problem? They’re better off. They can recover from a ransomware attack. They can revoke/disable accounts quickly and can reset passwords very fast. They allow people to use the thousands of dollars in hardware at their desk in an effective manner and yet are able to recover from problems quickly.
Why the difference? Well, there are a couple of things. One viewpoint is looking at how rigid they can make the system. The other viewpoint is looking at how resilient they can make the system. There is one more ‘R’ word that both sides looked at: risk. One approach is to minimize risk as much as possible even if it significantly impacts the business. The other approach looks at minimizing risk up to the point where there is a minimal business impact.
To be honest, the world is not so cookie cutter that you can say that there is a single answer for everyone. Every business needs to look at the options and decide what level of risk they want to assume and how much that is going to impact the business. Within an organization, there may be different levels of risk that can/should be assumed. For instance, some parts of an organization may be locked down because the risk needs to be minimized as much as possible. Other parts of the organization do not need that level of risk mitigation so the stringent measures associated with one group are not applicable.
I guess what it comes down to is making a conscious decision about what you are doing and not just following down a path because it’s easier to do so.