Security and Inclusivity | Matt Copperwaite

I do a lot of thinking about second and third order effects, and how poor security controls impacts the culture of a business and in particular can reduce inclusivity.

By way of an example of this, and the common Cyber Security control that most annoys me, is the way accounts expire after not being used for some time. Without digging in to the background too much it comes about because in business it’s often difficult to have a reliable leavers process. This leads to user accounts existing long after its owner has left the business.

Automatic blocking of accounts will always be inexact and this is the cause of inclusivity problems. You will identify common absences from work such, such as maternity, or stress.

The true answer in this scenario is to get accounts blocked as part of the leavers process, making it as important as ensuring they’re no-longer being paid. This will have a big impact on reducing the risk to your business.

There will still be edge cases, and it’s worth including additional steps to detect long-lived accounts. You can also apply an human action of verifying if the account is still needed. You could even automate this by sending an e-mail to a line manager that explains the risks and impact, asking them to click a link if the account can be blocked.

If you were that person coming back to work after time off from stress. Having to go through a support number, prove their identity, and get their account unlocked. Turning that excitement to disapointment. Does that represent your business? Should that represent your business?

And this is far from the only control that has this kind of impact.

When presented with a risk, as IT people we think about the controls we have available to us and the mitigation may seem obvious. It takes time and research to identify the impact of it and further time and work to fix the underlying problems. Although without that work the change is to effect the culture of the business.

This makes one of the true Cyber Security responsibilities to ensure that security controls are reasonable, equitable, and justified.