In Standard 3, Mr Howard and I had a deal. He’d deliver 6 lashes to my palm and I would forsake all homework. That worked out happily for me as I got the freedom on afternoons to play until the sun went down, and after a short while there was no major pain from the morning ritual.
My school work suffered of course, but my reasoning was that remaining in the A stream was a good enough result for all the fun I had during the term. I spent my afternoons playing cricket, climbing trees, pitching marbles, going to funerals as my school was next to a church, playing at other friends’ houses and on the whole having a blast of a time.
I ignored the initial ignominy of doing something that was considered a breach in order to gain a reward that I considered important. After some time Mr Howard just did not bother with the lashes and I continued to enjoy my school days.
If that perspective is applied to business and Information Security, there will be an assessment of the penalty for breaching a law/standard against a commercial gain. The cost of losing customer data might be high in terms of trust, reputation and goodwill but the cost of a fine for not putting a control in place might be affordable.
Resolving risk vs. reward comes up often in the discussion of Cloud services. Hosting information in a supplier’s network can seem full of risks. There are the laws and standards to consider, where obligatory prescriptive controls can have punitive actions attached. There are risks to the information’s Confidentiality, Integrity and Availability from the systems’ architecture, the suppliers’ InfoSec cultures and the paucity of contracts.
Cloud services provide a menu of functions that many businesses are not willing to fund in house. Getting an analysis of the demographic information contained in records of your customers’ purchases can lead to higher profits. The protection of that data during exchange is prescribed but a business might decide that a costly level of encryption might be overkill and accept the risk of fines when viewed against the commercial advantage of outsourcing.
Companies must recognise they have a duty of care towards their customers, as data in the wrong hands can be dangerous. Businesses are always seeking advantages to enhance profits and are quick to accept technology that supports that effort. When laws and standards lag behind innovation, organisations must keep their customers’ safety paramount while exercising judgement on ‘good enough’ security practices.