Cybersecurity Tip of The Day #15

Instead of taking something away, find a safer solution to accomplish the same mission

Security programs of all sizes struggle with unapproved usage of tools and data or general unsafe business practices that require a response. While many issues may be the case of someone using the wrong tool or service, several others are the result of it being the only practical option available.

If this is the case within your organization, document the risk, but don't be too swift to block access to the tool, service, or process. After all, you're here to support the business, therefore it's in everyone's best interest if the security program instead works with business stakeholders and/or the IT department to offer a new, safer tool in place of one presenting a risk.

There is definitely a risk tolerance factor that needs to be accounted for with this line of thinking. To suggest leaving an unprotected service open that an employee may be storing thousands of federally protected records on is irresponsible. However, if the issue discovered is much smaller and the business can accept a small amount of risk until a better and safer solution can be offered it should be the preferred method of resolution.

#cybersecurity #riskmanagement