Cyber Security Measures vs. Productivity: Who Wins?

Cyber Security Measures

If you feel like you are in a battle with your cyber security team to get access to the files and systems you need to get work done, you’re not alone. It unfortunately happens far too often that security comes at the cost of productivity. But it IS possible to create and maintain your cyber security WITHOUT disrupting normal business operations. That’s actually the approach Intrust IT takes with all our managed services and enterprise clients.

Your Tech Team Should Not Be the Enemy

Here’s the way new cyber security measures often roll out in an organization. Your team has had access to a system (since forever). The company announces some new security protocols to limit data access only to the teams that actually need it (and have been trained to protect it). You raise concerns that doing so will break something in your system but are reassured it will all be fine. The launch date comes. Everything breaks and then you (and the tech team) spend two days trying to fix it before putting everything back the way it was for your team so you can get back to business.

Here’s are two hard truths about this scenario:

  1. It doesn’t need to happen. With the right preparation, strategy and infrastructure planning, 95 percent of cyber security measures can roll out without any disruption in your day-to-day work. It takes a team with the right knowledge, experience and time to do so. (In-house IT teams almost always lack the latter even if they have the former.)

  2. Outages will happen. No amount of planning and experience in the world can make outages 100 percent preventable. In all likelihood, your business grew in fits and starts with technology systems put in place by multiple people and teams over time with little to no documentation about what is connected to where. Sometimes an outage is the first and only symptom you get that there’s a problem. That said, repairing the outage should be brief and frictionless for your team. First, you restore to a point before the change immediately! Then you review the data to find a solution before you try implementing the security protocol again.

There IS Such a Thing as Too Much Security

No, that's not a typo. People are always surprised to hear this (especially from a cyber security consultant) but you CAN have too much cyber security. 

Imagine a wood door with a regular doorknob and lock. That’s not very secure. Now make it a steel door instead of wood and add a deadbolt — much more secure. What about adding three more deadbolts each with different keys… you can keep putting on more and more locks. But then how long is it going to take you to open the door each time you need to and what risk is there if a key gets lost? You see the point. How much is too much?

There’s no magic bullet, no one right answer. It depends on each company’s circumstances and their risk tolerance.

Finding Your Risk Tolerance

There are several factors that play into a business’s risk tolerance, including:

  • The nature of the business
  • What fines or penalties could you face (regulatory factors)? 
  • How much business is created, stored or paid for online?

Financial service firms will have a much lower risk tolerance than someone in the T-shirt printing business. Both need cyber security, but the T-shirt printer will be fine with the steel door and deadbolt. The financial services company will need tighter measures that may slow work to an acceptable degree for the sake of security.

Cyber Security Is NOT Optional

There is no business that can do without cyber security measures. Let me say that another way. If you do nothing, you will get hacked. 

Your business does not have to be big or well known or even making good money to be targeted. Sure, some cyber criminals target specific businesses to go after and scour their systems for vulnerabilities to exploit. But most are simply running a computer program that scans through everything, everywhere and then automatically attacks any weakness it finds. They don’t even need to know your business name to put you out of business.

Some companies think that if they have cyber insurance, they don’t need to do anything else. But after a breach, you might find that you can’t get cyber insurance or your premiums spike. Or worse, your cyber insurance may not pay out. One company is currently in court claiming their client’s hack was an “act of terrorism by a nation state” and therefore not covered. Insurers may also try to deny a claim if they believe the company did not take steps to protect itself. And then, of course, not all cyber insurance covers the same things (read your policies).

Finding the Balance for Productive Cyber Security

Our approach to cyber security at Intrust is simple, effective and keeps your business operations in mind. There are four basic steps:

  1. A review of your systems and network to identify your needs and vulnerabilities
  2. Frank and open discussions — not just with decision makers, but your whole team — to understand your company’s risk tolerance and operational needs and to educate them about the need for cyber security measures
  3. Reviewing industry-standard frameworks or the controls that should be applied for every tool or application you use
  4. Creating a cyber security plan that makes you more secure within your risk tolerance without getting in the way of doing business

Those industry-standard frameworks are key to this process, most notably the Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST). These organizations provide continuously revised benchmarks to make software applications more secure. 

You can’t get more “in the weeds” than CIS benchmarks. It’s as detailed as “for Windows server 19  turn setting 27 off.” There are hundreds of such recommendations for thousands of applications. We consider them all for the tools your business needs and create a framework for your cyber security that either meets these standards or knowingly deviates from them for specific business reasons that we have discussed and documented.

Not every IT support company has access to CIS benchmarks (it’s a membership organization and a significant investment for IT firms) and not all that do use these frameworks in their cyber security planning. At Intrust, we have at least three team members 100 percent dedicated to cyber security, along with support systems that integrate cyber security measures from the ground up. That’s part of our commitment to our clients and why we can confidently offer our Million Dollar Cyber Security Guarantee.

Let us show you how simple and effective our cyber security approach can be for your business. Contact us or book a meeting to discuss your needs and goals.

Dave Hatter

Dave Hatter

Dave Hatter (CISSP, CCSP, CCSLP, Security+, Network+) is a cyber security consultant, writer, educator and on-air media contributor. See hundreds of Dave’s expert interviews on cyber security on his YouTube channel, or tune in to 55KRC every Friday morning at 6:30 for his “Tech Friday” segment.

Get This Free Resource to Protect Your Business

Checklist: "14 Non-Technical Things You Can Do Today to Protect Your Business from Cyber Crime"

Share this Blog