I have been reading a lot of articles lately about information being stolen by foreign intelligence agencies, e-mail systems getting hacked into and millions of dollars of intellectual capital lost. Here are some current examples of this happening:
http://www.csmonitor.com/USA/2010/0125/US-oil-industry-hit-by-cyberattacks-Was-China-involved
http://www.msnbc.msn.com/id/34923887/ns/technology_and_science-security/
This led me to think about the activities we should be doing to reduce the risk of things like this from happening to our companies or ourselves. There are some very simple common sense things that can be done to protect information that you care about.
I have broken this down into three basic steps:
Step 1: Understand what you need to protect
The first (and most important) thing that you need to do is identify what information is critical to your company and what information you are legally required to protect. Really take the time to think about it. Most state privacy breach laws state that you need to protect people's names in association with their Social Security Numbers, any account numbers that have a PIN and any credit card numbers. These are the easy ones, but how about your customer contact lists? New product ideas? Customer order histories? What information do you really need to make sure is never lost and never gets out of your control? In addition to data loss, think about data integrity. When you open a spreadsheet, how confident are you that someone has not accidentally or intentionally changed some numbers? How important are the decisions you make from your data? The controls you place around preserving the integrity of data need to match its importance.
Step 2: Inventory where it is stored
The next thing to do is to identify where all of this information is located. In addition to the primary location, system or application, also identify where copies, backups, extracts and derivatives are stored. You may have great security around your PeopleSoft system, for example, but store all the reports that are generated out of it on a share drive that is readable by everyone. Ask yourself these questions:
- Are there any reports, spreadsheets or extracts produced by core systems that contain critical information?
- Is the same level of security placed on these reports, spreadsheets or extracts as on the original information itself?
- Where do you store and how do you protect your system backups?
- Could someone gain access to a system backup and restore the information to their computer?
- Can you reduce the number of locations that your critical information or copies of it are stored?
- Are you relying on third parties to protect your information when it is in their systems? Do they have the appropriate security controls in their environment?
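A scan that answers the first two questions above for a file share, as an added example that is not part of the original post: it walks a directory tree, flags files holding SSNs or Luhn-valid card numbers (the data types named in Step 1), and reports whether each hit is readable by everyone. The sample files, their contents and their permissions are constructed for the demonstration, and the "readable by everyone" check uses the POSIX 'other' read bit.

```python
import os
import re
import stat
import tempfile

# Step 1 data types: SSNs and payment card numbers (regex first pass; Luhn check drops false card hits)
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: True for a syntactically valid card number."""
    doubled = [int(c) * 2 if i % 2 else int(c) for i, c in enumerate(reversed(digits))]
    return sum(d - 9 if d > 9 else d for d in doubled) % 10 == 0

def classify(text: str) -> set:
    """Categories of critical data found in text: 'ssn' and/or 'card'."""
    found = {"ssn"} if SSN_RE.search(text) else set()
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", m.group())):
            found.add("card")
    return found

def scan_tree(root: str) -> list:
    """Walk root; return (path, categories, world_readable) for each file holding critical data."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, errors="ignore") as f:
                cats = classify(f.read())
            if cats:  # POSIX 'other' read bit is the "readable by everyone" check
                hits.append((path, sorted(cats), bool(os.stat(path).st_mode & stat.S_IROTH)))
    return sorted(hits)

SAMPLE = {  # constructed sample share: world-readable payroll extract, locked-down refund log, benign note
    "reports/payroll_extract.csv": ("name,ssn\nJane Doe,123-45-6789\n", 0o644),
    "reports/refunds.txt": ("refund to card 4111 1111 1111 1111\n", 0o600),
    "notes.txt": ("order 1234-5678-9012-3456 shipped\n", 0o644),  # fails Luhn: an order id, not a card
}

def scan_sample() -> list:
    """Write SAMPLE into a temp dir, scan it, return (relative path, categories, world_readable)."""
    with tempfile.TemporaryDirectory() as root:
        for rel, (body, mode) in SAMPLE.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as f:
                f.write(body)
            os.chmod(path, mode)
        return [(os.path.relpath(p, root), c, w) for p, c, w in scan_tree(root)]
```

Calling `scan_sample()` returns the two files that actually hold critical data, with the payroll extract flagged as readable by everyone; point `scan_tree()` at a real share to run the same inventory there.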
Step 3: Align security controls with business risk
Finally, assess the security controls that you are using to protect your information. You should align your controls across systems based on the value of the information you are trying to protect. You must take a holistic view of your data and approach its protection aligned with its risk of loss or corruption wherever it is stored. Do not haphazardly place security controls on systems just because they have some checkboxes in their setup screens to allow them to do fun things like expire passwords, disable accounts after failed attempts, etc... Don't apply extra security where it is not needed.
Know what information you want to protect and protect every location where this information is stored, consistently. Your information chain will break at its weakest link.
The bottom line is that if you know exactly what you need to protect, have identified and minimized the locations where this information is stored and are confident that the controls in place to access or modify that information are appropriate, you have significantly reduced the chances that your information will be lost, stolen or altered.
