It is important that there be collaboration between employees, suppliers, and partners, but one must weigh the risk of giving people who are not employees access to your systems, as data can easily be lost through theft, carelessness, or malware. How could you measure such risk and apply due diligence when making the decision to do so?
When the American banking giant Wachovia failed in the Great Recession, the bank was taken over by Wells Fargo. The two banks' employees could not send encrypted email to each other, because Wachovia used Lotus Notes and Wells Fargo used Microsoft Outlook (Exchange). It is possible to send encrypted mail between these two email systems, but it is not easy for the end user to do so. Rather than address this problem, the bank chose to ignore it for several years, deeming it not worth the effort, since all the employees would eventually move to the domain WellsFargo.com.
Here is an instance of a company choosing productivity over security. It would have been more secure for the bank—a business that deals in highly private financial matters—to send its email encrypted. But it would have been less productive to do so, given the definition of productivity we give below.
How could Wells Fargo have approached this issue? Like any other business decision, it should be considered on a risk-versus-reward (cost-versus-benefit) basis.
If you want a mechanical approach to this decision, you could grant access only when reward > risk. That is what the auditors would say. To do this, you would need to translate risk and reward into numbers.
The reward of granting access is increased productivity. Productivity is:
The definition of “output” varies. It could be the number of support calls handled, sales dollar amount, widgets built, shorter time-to-market, and so forth.
What about risk? If you follow the COBIT 5 framework for governance, you know that the company is supposed to keep a risk profile. That means each type of data is assigned a score based on how losing that data would impact the business. So risk can be quantified.
If you don't want to resort to mathematics, just keep this thinking in mind as you make these decisions. Here are some inputs to that model.
The benefits of using collaboration are fairly obvious. People working on the same project should have access to the same data and be able to communicate easily. But what are some of the risks?
Some software is built with collaboration in mind. An example of that is Oracle Primavera, which is project management software designed to manage large construction projects. Such projects have many subcontractors. Each of these subcontractors is assigned tasks and must report on their status. If they are engineers, then they have to submit engineering changes to the prime contractor for approval. It is more efficient to give contractors access to the system, so they can enter this data themselves. (Plus it is more accurate, since someone does not have to keypunch this into a computer, making the mistakes that come from such double entry.) But granting access entails higher risks for reasons cited above.
There are ways to mitigate the risk associated with collaboration. These include:
This is a basic outline of the risk-versus-reward decision you face when determining whether to give contractors access to corporate systems to boost collaboration. You could adopt a mechanical approach to this or, without having to pull out pencil and paper, just move forward in a risk-averse manner, cognizant of what data could be lost, and take measures to reduce the risk of that.
To help you get started, here is a practical checklist, including recommendations on securely deploying servers. Server hardening is critical to network security, since servers are where most of your company's valuable data reside.