… Do you know them?
You are going to need a cybersecurity plan in place irrespective of the size of your organisation. The CSA has hinted that all businesses will need some baseline security measures in place.
As an executive, do you know where to start in putting together a proper cybersecurity plan? As a guide, I am going to highlight the 3 principles that should inform your decisions on the measures to take. These 3 (Confidentiality, Integrity and Availability) are popularly referred to in the industry as the CIA Triad, and they should shape every objective in your organisation's security management plan.
Within the framework of these pillars sit the organisation's assets, and assets here means your organisation's applications, systems and the data itself. In the vulnerability management cycle, which is of course a continuous one, the first step is to identify all the assets in your organisation. Only then can you begin prioritising threats. In analysing the possible breach types, turn to the 3 pillars and ask which of them applies to each identified asset.
Mind you, cybersecurity cannot be left to the IT department as a matter of buying some software and installing it. Business owners and top management need to understand the basics in order to contribute meaningfully to a robust security environment.
Any cybersecurity measure or solution that does not, directly or indirectly, protect against breaches of Confidentiality, Integrity or Availability is flawed. Let's delve a bit into the 3 and what they really mean.
Confidentiality first. Yes, information and its sources abound these days, but not everyone is supposed to see everything, right? A company's data is a valuable asset for business continuity and growth. In fact, your data contain information about the very business strategy you are pursuing. One of the motives behind cyber-attacks is to obtain information about your business that can be used to undermine you, damage your reputation or extort a ransom payment.
Your organisational data comes in several kinds, and it is good to categorise it so that you know how each kind needs to be protected.
Some of the information stored in your databases describes your day-to-day interactions with clients, suppliers, agencies and so on. This is usually referred to as transactional data, and it is what keeps the business running. Do you want such information about your business out there in the open? Obviously not!
What about trade secrets, strategies, patents or any other information that serves as your organisation's bedrock? Would you want to share this with the public? Information like that getting out will either cost you valuable customers or give competitors an advantage over you. We refer to this as intellectual property.
Next to consider is your financial information; this may include your pricing models, bank statements, profit and loss statements, payroll, etc. You also don't want this falling into the wrong hands.
Also note that various equipment and applications gather information on a regular basis (logs and usage records, for instance), and such information also needs to be protected against unauthorised access.
Under the Confidentiality arm of cybersecurity, you want to ensure that only authorised persons can access specific information, and only the information they need for their role. We often focus on external threats when thinking of confidentiality, but the threat from within is just as real: a little carelessness by someone who already has access can expose sensitive information.
Let me give you a personal experience. During one of my HRM & Payroll solution implementations for a well-known state agency, we had to transfer payroll administration from the accounts department to the HR department. At the time, account officers were divulging people's take-home pay to other employees in the organisation. Within the HR department, only the head of HR was given permission in the system to view the MD's and top management's payroll details.
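The need-to-know rule in that story can be written down as a small authorisation check. The following is an added example, not code from the payroll system in the article: the roles (head_of_hr, hr_officer, accounts_officer), the "executive" and "staff" tiers, and the payroll records are all constructed for the demonstration. The pattern it shows is deny by default, release of the pay figure only where the requester's role is cleared for that employee's tier, and a record of every attempt.

```python
"""Need-to-know access to payroll records (illustrative example; the roles,
tiers and records below are constructed, not taken from a real system)."""
from typing import Dict, List, Set


class AccessDenied(Exception):
    pass


# Constructed sample data: employee id -> payroll record. The "executive" tier
# marks the MD and top management, whose pay only the head of HR may see.
PAYROLL: Dict[str, Dict] = {
    "E001": {"name": "A. Mensah", "tier": "executive", "title": "MD", "net_pay": 18_500},
    "E002": {"name": "B. Owusu", "tier": "executive", "title": "CFO", "net_pay": 15_200},
    "E100": {"name": "C. Asante", "tier": "staff", "title": "Clerk", "net_pay": 2_300},
}

# Constructed role model (an assumption for this example): which tiers each
# role may see pay figures for. A role that is not listed is denied outright.
PAY_VISIBILITY: Dict[str, Set[str]] = {
    "head_of_hr": {"executive", "staff"},
    "hr_officer": {"staff"},
    "accounts_officer": set(),  # processes payments, need not see individual take-home pay
}

AUDIT_LOG: List[str] = []  # every attempt is recorded, allowed or not


def view_payroll(requester: str, role: str, employee_id: str) -> Dict:
    """Return only the part of the record the requester is entitled to see.

    Name and title are visible to any known role; the pay figure is included
    only when the role is cleared for the employee's tier. Unknown roles and
    unknown employees raise AccessDenied, so the default outcome is denial.
    """
    if role not in PAY_VISIBILITY:
        AUDIT_LOG.append(f"DENY  {requester}({role}) -> {employee_id}: unknown role")
        raise AccessDenied(f"role {role!r} is not authorised to view payroll")

    record = PAYROLL.get(employee_id)
    if record is None:
        AUDIT_LOG.append(f"DENY  {requester}({role}) -> {employee_id}: no such employee")
        raise AccessDenied("no such employee")

    visible = {"name": record["name"], "title": record["title"]}
    if record["tier"] in PAY_VISIBILITY[role]:
        visible["net_pay"] = record["net_pay"]
        AUDIT_LOG.append(f"ALLOW {requester}({role}) -> {employee_id}: pay shown")
    else:
        AUDIT_LOG.append(f"ALLOW {requester}({role}) -> {employee_id}: pay redacted")
    return visible


if __name__ == "__main__":
    print(view_payroll("kofi", "head_of_hr", "E001"))  # full record, pay included
    print(view_payroll("ama", "hr_officer", "E001"))   # executive pay redacted
    print(view_payroll("ama", "hr_officer", "E100"))   # staff pay visible
    try:
        view_payroll("yaw", "intern", "E100")
    except AccessDenied as exc:
        print("denied:", exc)
    print("\n".join(AUDIT_LOG))
```

The point to take from it is that the decision is made in one place, against the data's classification rather than against a list of named people, and that the default is to show nothing. Moving payroll administration between departments then becomes a change to the role model, not a rewrite of the application.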
Next, integrity. Data is only as good as what it accurately communicates. Even authorised people can, by mistake or otherwise, damage or distort information, so changes to stored information must be controlled and made only as and when required.
Let me give you a practical example. If the MD of the company is not cautioned, or prevented as a matter of principle, from walking into a storage room full of paper records with a hot cup of coffee in hand, he may well spill it while drinking and reviewing the files. A section of a document can be damaged or distorted, making it difficult to read and hence useless as input to decision-making.
In another scenario, an authorised person can intentionally change figures and save the altered information. When retrieved later, it will no longer be the true information that was originally stored. So you want to ensure that information, in whichever state it is (being processed, in transit or stored), is protected against tampering, and that any tampering that does occur can be detected.
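One way to make stored records tamper-evident against exactly this insider is a keyed message authentication code. The block below is an added example, not part of the article: the payroll line, the key and the tampering scenario are constructed. It also shows the caveat a practitioner would want to hear: a plain checksum does not help here, because the authorised editor can simply recompute it over the altered figures. What makes the detection work is that the key belongs to the system that stores and verifies records, not to the people allowed to edit them.

```python
"""Tamper-evident records with HMAC-SHA256 (illustrative example; the record,
key and tampering scenario are constructed for the demonstration)."""
import hashlib
import hmac
import json
import secrets
from typing import Dict, Tuple

# Assumption for this example: the key is held by the storage/verification
# service and is not available to the users who may edit records. If the
# editor could recompute the tag, the protection would collapse.
INTEGRITY_KEY = secrets.token_bytes(32)


def canonical(record: Dict) -> bytes:
    """Serialise deterministically so identical content always gives identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record: Dict, key: bytes = INTEGRITY_KEY) -> Tuple[Dict, str]:
    """Return the record to be stored together with its HMAC-SHA256 tag."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return dict(record), tag


def verify(record: Dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record is exactly what was sealed under this key."""
    expected = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)  # constant-time comparison


def verify_unkeyed(record: Dict, digest: str) -> bool:
    """The weak alternative: a plain hash that anyone with edit rights can recompute."""
    return hashlib.sha256(canonical(record)).hexdigest() == digest


def tamper_demo() -> Dict[str, bool]:
    """Walk through the insider scenario and report what each check concludes."""
    # Constructed payroll line, sealed by the system at the time it was stored.
    stored, tag = seal({"employee": "E100", "period": "2023-06", "net_pay": 2300})
    weak_digest = hashlib.sha256(canonical(stored)).hexdigest()

    # An authorised user edits a figure directly and, knowing the plain hash is
    # checked, overwrites that hash with one computed over the altered record.
    altered = dict(stored, net_pay=23000)
    forged_digest = hashlib.sha256(canonical(altered)).hexdigest()

    return {
        "original_verifies": verify(stored, tag),
        # The HMAC tag cannot be recomputed without the key, so the edit is caught.
        "altered_detected_by_hmac": not verify(altered, tag),
        # The unkeyed hash was simply replaced, so that check is fooled.
        "altered_caught_by_unkeyed_hash": not verify_unkeyed(altered, forged_digest),
    }


if __name__ == "__main__":
    for check, outcome in tamper_demo().items():
        print(f"{check:32} {outcome}")
```

Two design notes. The tags must be kept where the editor cannot rewrite them along with the record (or, stronger, appended to a log the editor can only add to); and an HMAC tells you the record changed, not who changed it, so where accountability matters a digital signature with per-user keys is the right tool. The same idea protects data in transit: TLS attaches a MAC to every record so that modification on the wire is detected by the receiver.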
Finally, availability. The assets the company has identified must be in an accessible condition when required for use. If, for example, stored data can't be accessed when timely decisions have to be made, it is of no use. When confidentiality is upheld and integrity ensured but the data can't be accessed, the security strategy has still failed.
Often, non-availability results from poor maintenance of equipment, applications and systems. Check from time to time that your stored data can actually be accessed, and have a proper backup plan in place, one that you have tested by actually restoring from it.
Understanding these 3 underpinnings will help stakeholders hold a fruitful discussion and create the right organisational cybersecurity strategic plan.