Our very first blog post was on critical information. Critical information is at the heart of every business, and it is important to understand and address how you are securing it. So we pulled that post back out and updated it a bit. Some areas are the same, but we added some steps you can take to understand and protect yourself.
Security starts with awareness and understanding: an understanding of who you are as a company. What problem are you trying to solve to make the world a better place? What do you need in order to achieve that goal? What piece or pieces of information separate you from everyone else out there? We can look at this as understanding your critical information.
In the simplest terms, critical information is the information that you determine is essential to the success of your company. Identify the information that is critical to your mission and to your company's viability. This will be, and most likely should be, different for each company. And to dispel the notion up front: not everything is critical. Personally Identifiable Information (PII) of you and your clients could be the critical information for some businesses; for the company next door it might be the details of contracts or sales strategies. It will be different for each company, and it cannot be everything. This might be an opportunity to come together as a company and work through the question with different perspectives in the room. For sole proprietorships, take a break from the daily grind and reflect on what your company is and where you want it to go. What do you need to get there? Answering that can help you identify your critical information.
Why is this an important first step? Until you understand what is critical, you don't know what you really need to protect. Let's be honest, everything requires a degree of protection, but critical information warrants a different level of protection and more emphasis. Some companies only have so much in the budget for security; by knowing your critical information, you will at least be able to prioritize it and do your best with what you have. Attackers take their time and look for weaknesses. They probe and analyze the attack surface: the different points where they can get into a system and where they can get data out. If you have limited resources and apply just enough protection to everything uniformly, you risk losing the most important data more easily than if you layered your approach and protected your critical data differently from the rest of your company infrastructure.
So what are some steps you can take to protect yourself:
- Meet as an organization and identify or review your critical information. Not everything is critical information so a good idea would be to start listing information important to your organization and then refine the list until you have 4-6 items.
- Increase awareness. Once you have identified your list, make it known to your employees and impress upon them the importance of protecting this data. Social engineers and hackers will target everyone in your organization, not just those who handle the data directly. Train your employees and make them alert and aware.
- Post your critical information list for each employee in your policy letters and at their desk. Let's face it, sometimes people forget, and sometimes you have several pieces of critical information. Let's not play stump the chump: post your critical information in your security policies and have your employees acknowledge it. Then have each employee post it at their desk as a reminder.
- Develop measures to protect this information above and beyond your existing security measures. If you don't have security measures in place, start with those and build from there. Limit access to the people who need to know it, and review who still has access when roles change.
- Do your own self-assessment of your security. Review and assess your security every 6-9 months. Yes, this takes time, but attacks change every day and new vulnerabilities can exist that weren't there before.
The best security in the world won't protect you from everything all the time. But if you try to protect everything all the time, you may wind up protecting none of it. Your resources are limited and you have to weigh risk against gain, and the first step is understanding yourself and your critical information.