Cybersecurity seems to dominate our lives. So much of our lives is dependent upon the Internet as we use connected devices to manage our shopping, finances and communications. The amount of data consumed and copied worldwide in 2010 was about 2 zettabytes. The amount predicted for 2024 is 147 zettabytes – almost 7500% growth in 14 years! Data is an asset, and protecting that data requires intentionality, effort and resources. We tend to think of the actions that we take to protect our assets as “security.”
Unfortunately, most people think of security in terms of absolutes – something is either secure or it’s not. Here’s an example. Say you have a shed, and you padlock the door. In your mind, that shed is “secure,” but in reality the shed is only a degree more secure than it was before you attached the lock. A determined actor can bypass that lock in a number of ways:
- They can pick the lock – most Master locks can be picked in less than a minute.
- They can use bolt cutters.
- They could simply remove the entire door.
- They could use a saw and cut through the side of the shed.
The point is, even though you may have believed that your shed was secure, in reality the lock did nothing more than serve as a deterrent for most threats while not preventing a determined actor from gaining access. The lock doesn’t absolutely protect the shed.
Security, therefore, is not an absolute state. Security is in reality the set of steps taken to reduce a risk from an initial state to a state that is acceptable. The idea of what level of risk is acceptable varies from person to person and from business to business. Even within a single business, the level of risk that is acceptable for one asset may not be the same level that is acceptable for another.
Risk can be addressed in four basic ways:
- Reduce risk – through the use of technical and administrative controls.
- Avoid the risk – just don’t engage in the activity that creates the risk.
- Transfer the risk – outsource or purchase insurance.
- Accept the risk – understand what’s at stake and be willing to deal with the result.
There is a golden rule in security – never spend more to secure an asset than the asset is worth! Here’s what that means. Say you have a $3000 laptop (we will consider only the value of the hardware here). A business might spend a few dollars a month for a LoJack-type service to monitor the location of that laptop in case it gets lost or stolen. The laptop might have a 36-month lifetime, with the LoJack-type service costing $5 per month. The $180 invested to reduce the risk of loss works for the business. This protection doesn’t violate the rule.
Now consider that same laptop being secured by paying a private security agency to guard the device 24x7 to protect it from theft or loss. That service would end up costing the business 100x more than the value of the laptop! I know it’s a far-fetched example, but scenarios like this happen all the time.
So how much security is enough? The answer, based upon the golden rule, is “just enough.” Applying too many security controls to an asset of little value complicates business operations, wastes resources and dilutes the effectiveness of the security team in securing the more critical business assets. Unfortunately, we are generally very bad at determining the value of our assets and therefore at prioritizing the risks to those assets. Far too much time, money and effort are spent protecting things that really don’t matter while the crown jewels lie unprotected.
As we work to grow our businesses, we should think about security in terms of doing the right things to reduce risk to levels that the business can accept. The trick is determining what those risks are and what level of risk we are willing to accept. Security is not a switch that one flips. Just because an asset has had security controls applied to it does not mean that asset is fully protected. Any organization can experience a security incident. All we can do is our best to prioritize our risks and implement sensible security controls to protect our assets. Remember – there is no such thing as absolute security!