Cybersecurity – Where to Start
By now, everyone in the business world has heard the buzzword cybersecurity, but what does it actually mean for your company? It may shock you to learn that it is as much of a risk management issue as it is a technological one.
Often, cybersecurity is one of those concepts that is so poorly understood by so many business owners that it has become a goldmine for vendors, insurance companies, IT personnel, or almost anyone with the bare minimum of knowledge to claim they have a new product or service to help you “secure” your business. Federal and state regulations make it even more of a quagmire as you start digging into the specifics related to your industry. This means that basing your company’s cybersecurity strategy solely on what types of systems and services are available is the wrong approach — the proverbial cart before the horse. All too often, we speak to companies who believe they are fine because they have “xyz system” or a cyber insurance policy.
Like all successful industries, the miscreants who conduct cyber-attacks are constantly adapting to the new technologies that tout new approaches to security. This rapidly changing threat environment makes it incredibly difficult for a company to have a defensible security strategy based solely on one-size-fits-all security technology. Unfortunately, no matter how much money and how many resources are spent on securing your systems, your company’s information can never be truly secure. The best possible cybersecurity strategy is one that is contextually defensible given your specific industry and the nature of the information you are trying to secure.
So where do you start?
In short, you have to identify your most exploitable information – your “crown jewels” – and be prepared with your response if those are stolen. This is accomplished by running a worst-case scenario exercise. Gather all your executives, decision makers and stakeholders into a meeting and discuss the following scenario:
Over the weekend, someone hacked into your system, encrypted all your data, stole a completely up-to-date copy of every piece of information on your IT system and published it in a searchable format somewhere on the internet.
1. Identify immediate impacts on ongoing operations:
a. Can we recover and start operations again?
b. How long will recovery take?
c. What is it going to cost?
2. Identify impacts resulting from the publication of your data, deciding which pieces of information will cause any of the following repercussions:
a. We are going to jail; it is that sensitive.
b. We are going to pay a fine – how big?
c. We are going to lose all our customers.
d. We are going to lose some of our customers.
e. We are going to be embarrassed.
f. We don’t care if that is public.
Once all the “crown jewels” have been identified, rate them based on how large an impact they will have in the event of loss or publication. Split out the regulatory issues from the operational ones. The results of this exercise now become the actual strategic specification list you use to go to the next step.
Next, start removing potential risks by having a frank discussion on whether you really need all the “crown jewels.” Essentially, the best way to protect against data loss is by not having the data to lose. For example, why do you have folders on the network that hold all the employment and health information for all your employees? Rather than trying to protect that information, get rid of it.
Whatever is left over must now be protected by systems and policies, and then insured against in the event of loss. Any regulatory issues will be dealt with using guidelines from the regulatory bodies, and the rest will be handled according to the criticality and business impact determined in your worst-case scenario exercise.
In summary, you must identify your exploitable information, clean up and discard unnecessary data, and only then engage with vendors and insurance companies to protect and insure your industry-specific data.