Tag Archives: RIF


How to secure your data when firing employees


What kind of risk are you creating when you fire the IT security officer?

When a company decides to fire a big piece of its workforce, it is to reduce costs in anticipation of reduced revenues. Risk management and IT governance run a distant second and third when it is a question of survival. The IT department is often in the line of fire, since it is a service organization. The IT security staff may be the first to get cut, since companies view information security as a luxury, not as a must to run the business.

There is nothing in the information security policy of any organization that I have seen that talks about how to manage risk when 300 employees are being fired in a short period of time in a business unit.

What is your risk appetite?

A key part of formulating and establishing information security policies for your organization is deciding how much risk is acceptable and how to minimize unacceptable risk.

This process initially involves undertaking a formal risk assessment, which is a critical part of any ISMS. However, it is a mistake to assume that risk assessment is a static process when the business is a dynamic process. Risk assessment must be dynamic and continuous, moving at the front line of the business, not as an afterthought or not at all.

The ISO 27000 standards provide some guidance on how this risk assessment process is to be undertaken. This guidance is summarized and annotated below:

  • Use a systematic approach to estimate the magnitude of risks (risk analysis)
  • Compare estimated risks against risk criteria to measure the significance of each risk (risk evaluation)
  • Define the scope of the risk assessment process to improve effectiveness (risk assessment)
  • Undertake risk assessments periodically to address changes in assets, risk profiles, threats, safeguards, vulnerabilities and risk appetite (risk management)
  • Measure risk in a methodical manner so that it produces verifiable results (risk measurement)

The stumbling block to doing continuous risk assessment is both world view (“hire a consultant once every 2 years to check us out”) and technical (“the cost of said consultant”). We have great free ISO 27001 risk assessment software that can automate the process, save you money and help you respond fast to changes in the business. The software is based on the popular PTA (practical threat analysis) Professional risk assessment tool.
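The five ISO 27000 steps above, run as a loop rather than a one-off, look like the following. This is an added example written for this page; it is not code from the original post and not the PTA tool's implementation. The 1..5 likelihood and impact scales, the risk appetite threshold, the sample register and the rules for how a RIF shifts insider likelihood and monitoring-dependent control effectiveness are all assumptions made for illustration.

```python
"""Continuous ISO 27001-style risk re-assessment around a workforce reduction.

Added example, not code from the original page or from the PTA tool. A tiny
risk register scores risk magnitude (risk analysis), compares it against a
risk appetite (risk evaluation), and re-runs the evaluation when a business
change (a RIF) alters threat likelihoods and control effectiveness (risk
management). Scales, weights and adjustment rules are assumptions.
"""
from dataclasses import dataclass, replace
from math import ceil

# Risk appetite: magnitudes above this value are unacceptable (assumed; scale runs 0..25).
RISK_APPETITE = 6.0


@dataclass(frozen=True)
class Risk:
    asset: str
    threat: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain)
    impact: int                     # 1 (negligible) .. 5 (severe)
    control_effectiveness: float    # fraction of raw risk removed by existing countermeasures, 0..1
    insider: bool = False           # threat originates inside the organization
    needs_monitoring: bool = False  # countermeasure only works if someone watches its alerts

    @property
    def key(self) -> str:
        return f"{self.asset}/{self.threat}"

    def magnitude(self) -> float:
        # Risk analysis: likelihood x impact, reduced by the controls already in place.
        return self.likelihood * self.impact * (1.0 - self.control_effectiveness)


@dataclass(frozen=True)
class RifEvent:
    workforce_cut: float        # fraction of the business unit let go, 0..1
    security_staff_cut: float   # fraction of security / monitoring staff let go, 0..1


def evaluate(risks, appetite=RISK_APPETITE):
    """Risk evaluation: compare each estimated magnitude against the risk criteria."""
    return {r.key: ("unacceptable" if r.magnitude() > appetite else "acceptable") for r in risks}


def apply_rif(risk: Risk, event: RifEvent) -> Risk:
    """Adjust one risk for a RIF. Assumed rules for this example:
    - insider threat likelihood rises with the fraction of staff cut (capped at 5);
    - controls that need human monitoring lose effectiveness in proportion to the
      security staff cut, because fewer eyeballs are left to read the alerts."""
    likelihood = risk.likelihood
    if risk.insider:
        likelihood = min(5, likelihood + ceil(5 * event.workforce_cut))
    effectiveness = risk.control_effectiveness
    if risk.needs_monitoring:
        effectiveness = effectiveness * (1.0 - event.security_staff_cut)
    return replace(risk, likelihood=likelihood, control_effectiveness=effectiveness)


def reassess(risks, event, appetite=RISK_APPETITE):
    """Continuous assessment: re-score the register after a business change and
    report each risk's magnitude before and after, with its new acceptability."""
    rows = []
    for before in risks:
        after = apply_rif(before, event)
        rows.append({
            "risk": before.key,
            "before": round(before.magnitude(), 2),
            "after": round(after.magnitude(), 2),
            "status": "unacceptable" if after.magnitude() > appetite else "acceptable",
        })
    return rows


# Constructed sample register (illustrative values only).
REGISTER = [
    Risk("customer-db", "disgruntled-insider-exfiltration", likelihood=2, impact=5,
         control_effectiveness=0.5, insider=True, needs_monitoring=True),
    Risk("customer-db", "external-attacker-via-perimeter", likelihood=3, impact=5,
         control_effectiveness=0.7, needs_monitoring=True),
    Risk("csr-process", "card-number-read-aloud", likelihood=3, impact=3,
         control_effectiveness=0.0),
]

# Constructed event: 30% of the business unit cut, half of the security staff cut.
RIF_30_PERCENT = RifEvent(workforce_cut=0.30, security_staff_cut=0.50)

if __name__ == "__main__":
    print("before RIF:", evaluate(REGISTER))
    for row in reassess(REGISTER, RIF_30_PERCENT):
        print(row)
```

Before the event only the card-number process is over appetite; after it, the insider risk triples (likelihood up, monitoring-dependent controls halved) and the perimeter risk crosses the threshold too, while the process risk is unchanged. The point is that the same register gives a different answer the day after the RIF, which a once-every-two-years assessment would never see.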


The danger of losing your digital assets in a down market

Any information security professional will tell you that security countermeasures are comprised of people, processes and technology. The only problem is that good security depends on stable people, processes and technology.

A stable organization undergoing rapid and violent change is an oxymoron.

People countermeasures are a mix of security awareness training, background checks (at a depth proportional to the job's exposure to sensitive assets), and deterrence. Andy Grove once said “Despite modern management theory regarding openness – a little fear in the workplace is not a bad thing”. When a lot of employees are RIF'd, there is a lot of anger and many people who no longer identify with their employer; the security awareness training vaporizes and fear and revenge take over. Some of the security people will be the first to go, replaced by contractors who may not care one way or the other or, worse, be tempted by the opportunities offered by the chaos.

Processes need to be implemented in a way that ensures confidentiality, integrity and availability of customer data. A simplistic example is a process that allows a customer service representative to read off a full credit card number to a customer. That is a vulnerability that can be exploited by an attacker. In a merger or acquisition, business processes change and, if one believes in Murphy's law, never for the best. A rule of thumb I like to use is that many security vulnerabilities lie in the cracks of systems and organizational integration; in an M&A those cracks can look like the Grand Canyon.

Technology countermeasures are never a panacea and must always be measured for cost-effectiveness. Today's defense in depth strategy is to deploy multiple tools at the network perimeter and endpoint: firewalls, IPS and malicious content filtering at the perimeter, and removable device control and personal firewalls at the endpoints.

Although defense in depth is a sound strategy, it can develop three vulnerabilities in times of rapid organizational change. First, most defense in depth information security is focused on external threats, while in an organization undergoing rapid change the problem is internal vulnerabilities. Second, defense in depth means increased complexity, which can result in more bugs, more configuration faults and … less security instead of more security. Third, when the security and executive staff is cut, security monitoring and surveillance suffer, since there are fewer (or no) eyeballs to look at the logs and security incident monitoring systems.

Claudiu Popa, president and chief security officer of data security vendor Informatica Corp., recently told Robert Westervelt in an interview on searchsecurity.com that “mergers and acquisitions force IT security pros to be more aware of internal threats”.

No argument, until the closing paragraph, which had some dangerous best-practice boilerplate:

Adequate security is difficult to implement, but once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.

Correct, but for an organization firing 30% of its workforce overnight, words like maturity, credibility and efficiency go out the door with the employees.
