  • gwestgate

Security Musing: The Path of Least Resistance



When IT systems are overly restrictive, they can create a bigger security risk for organizations. When users are limited in what they can do, many will look for ways around the system to accomplish their goals. This adds layers of complexity that make it harder to secure the network or to protect sensitive data from theft and misuse. In my own company, GLM West, I recently saw an example of this issue.


To set the stage, we have just started our fundraising journey and have been accepted into the Newchip pre-seed accelerator program. When filling out the paperwork, we were asked to provide a “public link” to our pitch deck. A public link is a URL that can be accessed by anyone on the internet. This type of link is often used to share files or resources that are not intended to be private or restricted. Our Microsoft 365 environment does not allow this type of sharing. When we set up and configure Microsoft 365 environments, we make choices that always fall on the more secure side. I believe that, in the absence of considered thought about each security option, this is the best way to configure systems. In our experience managing IT departments for private equity firms, we never had a use case for public links. When a use case arises, you need to re-evaluate the option and make an informed decision about how restrictive it should be. The IT department’s ability to make that informed decision quickly is critical. In the use case described above, the system was too restrictive. Without time or good communication with the IT department, the user is stuck, left to decide on their own how to meet a time-sensitive business need: sharing a document.


What are the user choices?


Choice one: Send the document to a personal email and share it using a public link with their personal OneDrive, Gmail, or another system.


Choice two: Contact the IT department and ask for guidance.


Choice one creates issues because a critical business process has now been completed outside the scope of corporate policies and oversight. It exposes the user as well: if data discovery is required and it is known that the user conducts business on personal IT systems, those systems will be subject to investigation too.

Choice two sounds like the obvious right answer; however, consider the mindset of the user. The choice to call the IT department can be an emotional rollercoaster. Some of the questions running through their mind: Am I going to be an annoying user because I’m doing this wrong? Am I going to get through to a human being, or will I have to go through an automated system? How long will it take for somebody to help me? Will that person be able to help? Will they have to delegate? How many times will I have to explain my issue? Am I going to miss the deadline for my actual work?


In our example, we were able to quickly change the IT control. Users are now able to share public links, and we have added content to our training materials about how to safely use these links and when they are appropriate.
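What “changing the IT control” looks like at the tenant level, as an added example that is not code from this post or from GLM West. It assumes a SharePoint Online tenant managed with the Microsoft.Online.SharePoint.PowerShell module and a SharePoint administrator account; the admin URL and the 30-day expiry are placeholders, and the post does not say which specific settings were changed, so this is one reasonable way to loosen the control with guardrails rather than opening it completely.

```powershell
# Added example (not from the post or GLM West): audit the tenant-wide sharing
# control, then allow "Anyone" (public) links with guardrails instead of disabling
# them outright. Requires Microsoft.Online.SharePoint.PowerShell and a SharePoint
# admin role. The admin URL is a placeholder.

Import-Module Microsoft.Online.SharePoint.PowerShell
Connect-SPOService -Url "https://PLACEHOLDER-admin.sharepoint.com"

# 1. Record the current state before changing anything, so the decision is informed
#    and the previous configuration can be restored.
$before = Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType
$before | Format-List

# 2. The restrictive configuration from the post, shown for contrast (commented out).
#    Either of these values blocks the "public link" the accelerator asked for:
#    Disabled               -> no external sharing at all
#    ExternalUserSharingOnly -> guests must sign in; no anonymous links
# Set-SPOTenant -SharingCapability ExternalUserSharingOnly

# 3. The re-evaluated configuration: anonymous links are allowed, but
#    - the default link type stays internal, so a public link is a deliberate choice,
#    - anonymous links must expire (30 days is an assumption, not from the post),
#    - anonymous file and folder links are view-only.
Set-SPOTenant -SharingCapability ExternalUserAndGuestSharing `
              -DefaultSharingLinkType Internal `
              -RequireAnonymousLinksExpireInDays 30 `
              -FileAnonymousLinkType View `
              -FolderAnonymousLinkType View

# 4. Verify the change took effect.
Get-SPOTenant | Select-Object SharingCapability, DefaultSharingLinkType,
    RequireAnonymousLinksExpireInDays, FileAnonymousLinkType, FolderAnonymousLinkType |
    Format-List
```

The point of steps 1 and 4 is that the control change is recorded and verifiable; the point of step 3 is that “allow public links” does not have to mean “public, editable, and permanent by default,” which is the nuance the training materials mentioned above need to convey.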


My company, GLM West, Inc., offers consulting services that can help you with this and other IT outsourcing needs. Check out our website for more info: https://www.glmwest.com

