undefined | Better HN

0 pointslrvick7y ago0 comments

Camp #2 is naive and dangerous thinking if your company protects anything of value. Even if every employee is honest today, one of them can be extorted tomorrow. If you allow your employees easy access to substantial value without hard technical controls to enforce accountability then you are creating a situation where someone has reason to threaten or harm your employees.

Gas stations have "Never more than $200 in the drawer" for a reason. Criminals knowing that is the case deters most of them and if it doesn't you are out $200 at most.

0 comments

seventhtiger7y ago

As an information security analyst for an organization that deals with highly valuable info assets, I agree. The comment you replied to sounded like how employees argue for less security. They don't understand the scope or environment of information security.

95% isn't nearly secure enough. You're actually looking for the one malicious agent among thousands. If you conduct contracting bids, you have to realize that at any moment your employees can be offered incentive to leak, and their leaks will cost millions of dollars.

So when we apply our strict need to know policies and data transfer tracking, it's not about trusting individual employees. It's about finding a needle in a haystack.

j / k navigate · click thread line to collapse

0 pointslrvick7y ago0 comments

Gas stations have "Never more than $200 in the drawer" for a reason. Criminals knowing that is the case deters most of them and if it doesn't you are out $200 at most.

0 comments

seventhtiger7y ago

So when we apply our strict need to know policies and data transfer tracking, it's not about trusting individual employees. It's about finding a needle in a haystack.

j / k navigate · click thread line to collapse