Cyber Security Basics
TL;DR: Businesses looking to improve their cyber-security posture will often quickly find themselves overwhelmed by a market full of technically complex products and services, making it hard to know where to start. Cyber basics for business are about understanding what information the business has, what protection that information needs with reference to business operations, and applying appropriate technical and procedural controls.
* There is a step below basics: the essentials, e.g. use a good password (not Password123), but this is not that blog.
The cyber security market is full of vendors selling next-generation tools and services, all powered by blockchain, machine learning and AI, not to mention the managed service providers, consultants and systems integrators who help get systems installed and working. The world is full of people emphasising the importance of cyber security and cyber hygiene, full of throw-away advice lines like “treat your passwords like your underwear” (a quick Google search found over 24 million results).
But how do businesses know which advice is right for them, let alone which product to buy, which process to implement or which partner to work with, to achieve cyber security from this range of products and services? Particularly when the challenges each business faces are unique to that business. This has led us to a different opinion of what the basics of cyber-security are:
We believe that the basics of cyber-security revolve around understanding cyber for that business, i.e. what information the business has, the importance of that information to the business, and therefore how it needs to be protected. Any cyber-security solution should reduce business friction and add value to the company over the long term.
If done correctly, this means that any time and effort (and consequently money) a business puts into cyber-security will be appropriate for that business. There is little point in an organisation spending thousands on keeping marketing copy private if it is already available on the internet as part of a current campaign, whereas accounting information, HR data or other information might be much more important to protect. Therefore we use a simple 3-step model to implement the basics of cyber-security:
1. Step 1: What and Where. Identify all information resources in the business
2. Step 2: Why and How. Evaluate the relative importance of these information resources to the business within a risk- and threat-based framework.
3. Step 3: Select and implement. Select, design and deploy appropriate protection for the information assets.
Step 1 – What and Where: Identify what information resources are important to the organisation, and where that information is stored or transmitted.
Key to the process is identifying all the information that a business relies upon to enable its operations. Whether it’s customer data, payroll information, or manufacturing trade secrets, it is vital to understand all of the information critical to helping the business achieve its objectives.
This step is relatively straightforward, and at a high level can be completed quickly and cheaply. A simple list or table is probably enough to do this, with an example shown below for a generic company:
Note that we are not looking at controls at this stage (backups, passwords, encryption etc.), but at what the business information is and where it lives. You could add further columns to describe the role of the information in the company and so on.
Whilst this step may seem trivial, it is the most important step, and the foundation of cyber security.
Step 2 – Why and How: Why is this information important to the business, and how important is it? This can be divided into two steps:
Step 2a: Working through the list in Step 1, we must assess the importance of this information for the business and categorise it accordingly. We do this by assessing whether it is important in each of three categories:
- Confidentiality: is it an issue if this information falls into the hands of the wrong people?
- Integrity: is it an issue if this information is altered secretly or without authorisation?
- Availability: is it an issue if the information / system is not available for use?
The so-called ‘CIA-triad’ is a simple method to help us understand why the information is important to the business. Below the information resources from step one have been assessed against CIA, and classified as High, Medium or Low importance for the business.
Note that this will likely be different for every company: this example business does not rely on email for time-sensitive communication (low availability importance), but email must be trustworthy and private when it is used (high confidentiality and integrity).
Step 2b: After identifying how the information needs protecting, an impact level or importance should be assigned to it, based on the value / impact to the business if there were an incident affecting that information. This can be done for each of the CIA categories, or as a single impact value, using as many tiers as the business feels it needs. For our example only an overall impact score was used, with 3 tiers:
Here the value / cost of an issue with the information should be introduced if possible, allowing a business to think about how much it is appropriate to spend to protect the information; there is no point spending more on protecting the information than it is worth to the business. If possible, the likelihood of an incident should be combined with the impact to give a risk score and allow better prioritisation.
Step 3 – Select and deploy appropriate protection
Finally, appropriate controls should be implemented to meet the business need at an appropriate cost. These may include technical controls such as implementing strong authentication (good passwords and multi-factor authentication), keeping systems up to date or backing up important information, or process-based controls such as requiring 2 different members of staff to approve large financial transactions. There are a number of great sources to work through and implement essential controls, which I won't repeat here. A good start would be to look at Cyber Essentials (an NCSC-backed scheme in the UK) or the CIS Critical Controls, rather than a more detailed or technical framework like ISO 27000, PCI DSS or the NIST Cybersecurity Framework (though all have their place).
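As an added worked example (not from the original post), here is the three-step model above as a small Python asset register: Step 1 records what and where, Step 2a the CIA importance, Step 2b an impact tier plus a value and likelihood that combine into a risk score, and the output is the prioritised list that Step 3 selects controls against. All assets, ratings and figures are constructed for illustration.

```python
from dataclasses import dataclass

# Tiers used in the post for CIA importance, impact and likelihood.
LEVEL = {"Low": 1, "Medium": 2, "High": 3}


@dataclass
class Asset:
    name: str             # Step 1: what the information is
    location: str         # Step 1: where it is stored or transmitted
    confidentiality: str  # Step 2a: is unauthorised disclosure a problem?
    integrity: str        # Step 2a: is unauthorised alteration a problem?
    availability: str     # Step 2a: is it a problem if it is unavailable?
    impact: str           # Step 2b: overall impact tier of an incident
    value_gbp: int        # Step 2b: constructed estimate of incident cost
    likelihood: str       # Step 2b: chance of such an incident

    def cia_profile(self) -> str:
        """Why the information matters, e.g. 'C:High I:High A:Low'."""
        return f"C:{self.confidentiality} I:{self.integrity} A:{self.availability}"

    def risk_score(self) -> int:
        """Impact x likelihood on the 1..3 tiers gives a 1..9 score."""
        return LEVEL[self.impact] * LEVEL[self.likelihood]

    def spend_ceiling(self) -> int:
        """Never spend more protecting information than it is worth."""
        return self.value_gbp


def prioritise(assets: list[Asset]) -> list[Asset]:
    """Order the register for Step 3: highest risk first, impact breaks ties."""
    return sorted(assets, key=lambda a: (a.risk_score(), LEVEL[a.impact]), reverse=True)


# Constructed register for a generic company (values are illustrative only).
REGISTER = [
    Asset("Payroll data", "HR SaaS platform", "High", "High", "Medium", "High", 50_000, "Medium"),
    Asset("Customer records", "CRM database", "High", "High", "High", "High", 80_000, "High"),
    Asset("Email", "Cloud mailboxes", "High", "High", "Low", "Medium", 10_000, "High"),
    Asset("Marketing copy", "Public website", "Low", "Medium", "Low", "Low", 500, "Low"),
]

if __name__ == "__main__":
    for asset in prioritise(REGISTER):
        print(f"{asset.risk_score()}  {asset.name:18} {asset.cia_profile()}  "
              f"spend ceiling £{asset.spend_ceiling():,}")
```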
Cyber basics for business are about understanding what information the business has, what protection that information needs with reference to business operations, and applying appropriate technical and procedural controls. The exact controls required depend on business need, specifically the value or cost associated with that information. For small organisations Cyber Essentials is a good place to start, and larger organisations may want to look at the CIS Critical Controls. Remember that cyber-security is not a checkbox exercise of installing equipment or buying services to keep an auditor happy, but about securing information appropriately to improve business operations.
Clear Cut Cyber specialises in helping businesses understand what cyber-security means for them, what controls are required, and developing a plan to implement them in a way that reduces business friction and adds value. If you would like to discuss this further with us, please contact us at [email protected]
CIS Critical Controls: https://www.cisecurity.org/controls/
Cyber Essentials: https://www.cyberessentials.ncsc.gov.uk/
NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
ISO 27000: https://www.itgovernance.co.uk/iso27000-family
PCI DSS: https://www.pcisecuritystandards.org/pci_security/