Controls when you don't have control

Last night I was talking with a friend about the security of his accounting business. In this post I reflect on what that discussion made me think about.

Security controls can involve a measure of imposition, and of voluntary participation.

Some things you can't control.

You can ask employees working from home to follow your rules, but you can't enforce them all.

Which leaves you in a weird position, because you have rules, and you do want them to be followed.

It's not that you want to protect your company against your employees. It's that this trust relationship you are building with them can be abused, and not only by them.

You have obligations towards your customers. You have custody over their data, over their private information.

If an incident were to happen, you want to be able to keep a straight face. You want to know that you put a reasonable amount of effort into protecting what's theirs.

We put so much emphasis on preventive controls that we forget that it's only the tip of the iceberg.

Deterrent controls help discourage rule breaking, and detective controls help identify an issue where preventive controls have failed.

Together, they help you compensate for the absence of preventive controls.

Draft a clear, concise policy that explains the rules you want to enforce. Communicate about this policy and have people sign it. Keep a log of the actions you are trying to control. Review those logs to identify any discrepancy.

When you can't prevent, detect.

I hope you found this valuable.