Risk Management in Securing Your Data
There have been security breaches at both Convio and Salesforce of late, and it's got me thinking.
Regardless of these recent issues, I'm convinced that using outsourced vendors is a big improvement in infrastructure and security for most nonprofits over storing their data in-house. Many have very few security or backup procedures in place, and it's as likely, or more likely, that their data will be hacked, lost, or corrupted if they store it in-house. But no method of storing your data is risk free. What's important is thinking clearly about what risks exist, and balancing those risks against other factors, like price, staff convenience, and so on.
I'm not alone in thinking about this stuff - I had a great email conversation about this with Douglas Back, the Systems Manager from the Lower Manhattan Cultural Council. Douglas said:
"Security is all about minimizing risk - the only way to eliminate risk is to not do anything at all, and then we'd all be sitting around twiddling our thumbs. But one of the issues I see constantly is that security is put on the back burner in favor of convenience. To most people, security means inconvenience for the sake of inconvenience. Of course, the amount of risk is proportional to the size of the organization, both in terms of customers/constituents and staff. At some point, the costs of having a SecurID token-based VPN outweigh the benefits of the security it provides.

Security should be more of a consideration for anyone who uses a computer, especially workgroups that share information and resources. Non-IT people don't immediately see the benefits of having strong passwords, or limiting resource access. Those are two really small things that a small organization can do that can help secure their systems, and they're free! And there are more small things like that which, when combined, can reduce the chances of a password-related security breach to near zero. But someone who is looking to break into a system is going to seek out the weakest part and try to exploit it, be it poorly designed software, a weak password, or someone who falls for a phishing scheme. A gross oversimplification would be something like a golden triangle of security, stability, and functionality - somewhere in the middle is the right place to be. (Usability falls in there too, but who wants a golden square?)"

Like everything else, there's a tradeoff here. The key is to understand the risks, make sure you've done what you can easily do, and then weigh the tradeoffs that are left and make a decision you're comfortable with. And in fact, although it's hard to deal with when it happens to you, the fact that an unlikely risk actually occurs doesn't mean that your risk mitigation strategy was bad. The fact that there's been a security breach at Convio and Salesforce doesn't suddenly change the tradeoffs between cost, security, functionality, and convenience for using an outsourced data vendor - unless you think they're part of a future pattern, and I don't personally see any reason to think that.