In a world where there is an increased expectation for transparency, privacy and that security breaches will be strictly punished, security should be at the forefront of our minds not just with what our projects deliver but also how we run our projects.
Customers often expect to be able to interact with organizations digitally and this creates additional concerns and risks. Whilst we should of course keep the clear and present cybersecurity risks front of mind, we shouldn’t ignore the broader information security risks which might have nothing to do with the particular technology or process that we’re working on. In fact, it’s an opportunity to ask some crucial questions about existing processes that may have emerged years ago that are no longer fit for purpose.
When The Website Is Secure But The Phone Line Is Not…
More years ago than I like to admit, I worked on a project for a company that was developing an online portal for its customers. Understandably there was a lot of interaction with security experts and architects, some very robust non-functional requirements, and lots and lots of testing. However, in retrospect we probably made the online processes so secure that even authorized users couldn’t access them! Having a password that expires after (say) one month is probably pretty irritating if an ‘average’ customer accesses their account once or twice per year…
This created somewhat of a dilemma in the team. There was a group of internal stakeholders representing customers who wanted to focus on ease of use. There were another group of stakeholders who had an interest in ensuring compliance and managing risk who wanted to focus on impenetrable security. The challenge, it turns out, is to find a sensible balance between the two. Perhaps you’ve experienced this on your projects too?
In examining this dilemma, two very pertinent questions were asked:
- “How else can customers engage with us?”
- “What security protocols are there via those channels?”
This turned out to be a very enlightening line of inquiry! A bit of digging found out that if a customer (or someone purporting to be the customer) rang, they’d be identified based on pieces of information that were held on file—typically things like full name, address, postal code, date of birth and so on. This sounds sensible, doesn’t it? But think broadly: who knows this information about you? Probably many of your neighbors (particularly those who you’ve invited to your birthday party) and a proportion of your colleagues too!
This wasn’t even the worst of it. The second channel of communication was post. This was a good few years ago now, and post was regularly received from customers. It turned out there was no validation whatsoever on instructions sent by post. “Ah, but we have their signature!” a stakeholder might say. “Great, and what do you compare that against, is there a master signature for each customer…?”. Awkward silence.
Cybersecurity Is Crucial: But Don’t Forget Broader Information Security
Here we were in a situation where new processes were being subjected to very sensible checks and balances that didn’t exist on other channels. This creates a useful opportunity to ask: “are we being too risk averse here? If not, do the same risks exist for other channels? And if so, shouldn’t we strengthen them too?”.
In many cases, it’ll be completely sensible to continue with a focus on cybersecurity on new stuff whilst also tightening up older processes that might not have been examined for many years. In doing so we help promote a more holistic view on risk, and help reduce the risk of fraud or information leakage. Whilst large-scale IT system breaches might mean that a huge quantity of data is compromised, and of course we should protect against this, we shouldn’t underestimate the reputational damage of one or two personal records being misappropriated for fraudulent reasons.
As with so much of what we do as business analysts, ensuring a systemic and holistic approach, working with our stakeholders to zoom out and see the ‘wood’ as well as the ‘trees’ is where we earn our crust.