I’m going to direct the majority of my blogs to mid-level and small businesses; niche companies; start-ups and others who have a passion and a vision to do wonderful things and bring wonderful new ideas and concepts into the world. They are driven and seek to do things better, but they may not have the time or energy to focus on a critical aspect of their success – security. They are counting pennies at every corner; an investment in a new anti-virus program or data security platform is one more thing that prevents them from getting out of the red. These blogs are meant to help you increase your awareness and limit your exposure. And they should ultimately help you be in a better position to protect your property and your bottom line.
Security starts with an awareness; an understanding. It’s an understanding of who you are as a company. What problem are you trying to solve to make the world a better place? What do you need to be successful to achieve that goal? What is that piece or pieces of information that is going to separate you from all the others out there? We can look at this as understanding your critical information.
In the simplest terms, critical information is the information that you determine is essential to the success of your company. Identify the information that is critical to your mission success and your company’s viability. This will be, and most likely should be, different for each company. And to dispel the notion up front, not everything is critical. Personally Identifiable Information (PII) of you and your clients could be the critical information for some businesses; details of contracts or sales strategies might be critical for the company next door. It will be different and it can’t be everything. This might be an opportunity to come together as a company and work through this together, bringing in different perspectives. For those whose business consists of one person, take a break from the daily grind and reflect on your company, what it is and where you want it to go. What do you need to get there? Answering that could help you identify your critical information.
Why is this an important first step? Until you understand your critical information, you don’t know what it is that you really need to protect. Let’s be honest, everything requires a degree of protection, but the critical information will take on a different level of protection and more emphasis. Some companies may only have so much in their budget for security, and by knowing your critical information, you will at least be able to prioritize that information and do your best. Attackers take time and they look to identify weaknesses. They probe and analyze the attack surface: the different points where they can get into a system and where they can get data out. If you have limited resources and only apply just enough protection to everything, then you risk losing the most important data more easily than if you layered your approach and protected your critical data and information differently than your normal company infrastructure.
Perhaps an overly simplistic way to think about it is your home. Your home is important, and you may decide that protecting your family and the property within your home requires not only a door lock and a deadbolt, but also a security system. This means you have a second layer of security that reinforces your first layer (lock and deadbolt) and adds alarms and detection systems, as well as an alert to the local police or fire departments. Your flat screen, computer systems, and other valuables are protected with another layer. But you also have other valuables that are sentimental and important to your family, which may consist of memories and family history or jewelry that has been passed down. You deem that if nothing else, you can replace the electronics, but you can’t replace the memories. This may be your critical information. And you are going to add yet another layer of protection to ensure that even if someone breaks into your house and defeats the alarm system, or even accepts that the alarm will go off, there is no way that they will steal your memories and history. So you apply another special layer of protection to this property. This process is part of identifying your critical information and applying security to protect it.
Yes, this process may mean that some things get compromised. That’s a hard truth. The best security in the world won’t protect you from everything all the time. But if you try to protect everything all the time then you may wind up protecting none of it. Your resources are important and you have to evaluate risk versus gain, and the first step is understanding yourself and your critical information.