One of the biggest obstacles many small businesses face when securing their information systems is simply scoping the problem. The challenge of managing business risk is especially acute for organisations digitally transforming to be more resilient and deliver superior customer service, because they depend on data for operation and growth.
For those who have conquered the myth that they’re not a target, understanding how to protect their data is like asking, how long is a piece of string? But defining the problem is the first step to setting reasonable expectations of risk and writing an appropriate budget.
Fortunately, a simple five-step guide shines light on where businesses should focus their energies as they straighten their cybersecurity posture and harden their systems.
Written by former Telstra cybersecurity lawyer Rachael Falk (now head of cybersecurity research at the Australian Strategic Policy Institute) and former Telstra CISO Mike Burgess (now ASIO Director-General of Security), the 5 Knows of Cybersecurity crisply articulates what organisations must know to protect their data. At its most basic, you should …
1. Know the value of your data to someone else such as a competitor or partner and its value to your organisation and customers.
2. Know who accesses your data from within your organisation and externally, including partners and vendors, and who has ‘super user’ or administrative rights that give unfettered access to read, change or delete data.
3. Know the location of your data even if it’s with a service provider (or a third-party or subcontractor) and if it is onshore, offshore or in a cloud.
4. Know who protects your data and which security processes they use. Could you contact them in an emergency or would you have to go through someone else?
5. Know how well your data is protected around the clock by your staff, partners, service providers and third parties.
Once you have assessed the state of the security ring-fencing your data, calculating how much investment will protect it is far simpler.
For instance, were an attack to bankrupt your $50 million-a-year business, you might say an industry average of 2 per cent of turnover ($1,000,000 a year) is a fair ‘insurance policy’. This could include hiring a CISO who also ensures you get the most ‘bang for buck’ from cybersecurity investments. Smaller organisations might call on an outside, trusted adviser, a ‘virtual CISO’ or vCISO, to recommend cybersecurity investment.
A vCISO skilled in risk will help you develop a strong and resilient strategy by evaluating:
What value my data has —
A leader may feel their organisation’s data is too trivial to be of value, but all data has value to someone at some time. Imagine if your customer and prospects list got into the hands of a rival, and they could hit up your best and most promising accounts with an offer consistently below yours. Or what would be the impact if your employee salary records got into the wrong hands, and your staff were lured away to a competitor, along with all their knowledge of your business? Recognising that data is precious, the Federal Government tasked the Office of the Australian Information Commissioner with policing breaches in organisations covered by the Privacy Act 1988.
Who accesses my data —
Restrict your employees’ and partners’ access to your data to only what they need to do their job or provide a service. Know with whom your vendors share your data. Their need for data will also change over time, so continuously review their access levels and revoke or elevate their privileges as required. This also applies to government agency demands for data: just because a public servant requests your data doesn’t mean they have a right to it. Recognise that inanimate objects such as printers and devices also routinely access your data (and may store it invisibly or without your express knowledge). Ask yourself: “Would I be comfortable telling my customers I exposed their confidential data without good cause?” When in doubt, seek professional and legal advice.
Where my data is —
Whether your data is in a locked cupboard in your office, in a cloud server in Myanmar or roving around the countryside on a tablet bouncing around on the parcel shelf in the back of a ute makes a big difference to how you safeguard it. Physical security and access play a big part in how effectively you protect it. For data held in trust with a cloud or service provider, for instance, you need to know where it is in case you wish to move it elsewhere or respond to a legal request. It may also be necessary to know where in the world it’s stored to comply with government and customer demands. Could you identify the geographic and virtual locations of your customer and prospects lists, employee payroll, supplier price lists (with discounts), general ledger and other financial documents, board minutes and trade secrets, including any sensitive customer surveys?
Who are my data protectors —
Those who defend your data must intimately know your security policies and commit to enforcing them. That applies whether they’re employees, partners, suppliers, vendors or any of their stakeholders. They should be willing to commit contractually to their cybersecurity obligations to you. Ask how you would evaluate their knowledge and commitment, and how you would audit them. And for devices protecting your data, ensure you have minimum standards such as multi-factor authentication and data encryption enabled. Continuously review best practices as they evolve and better solutions emerge.
How safe my data is —
Adopting a methodology such as the 5 Knows of Cybersecurity and ensuring appropriate approaches to people, processes and technologies is a good start. Smart organisations don’t rely on a single ‘silver bullet’ but adopt a ‘defence in depth’ approach to business risk. Ensure your processes meet and exceed minimum benchmarks, and that you know under what circumstances data is held and what contingencies are in place should data be breached.
By knowing what you’re protecting and understanding the business risks, you’re free to capture business opportunities, move into new markets and serve your customers with confidence.
Need more information on how the 5 Knows of Cybersecurity can empower your business to grow? Speak to OBT’s cybersecurity experts on 1300 886 896 or email firstname.lastname@example.org to arrange a free, confidential consultation and put your cybersecurity on the right path.