Identify, Protect, Detect, Respond, Recover: Creating a cyber security framework for your business
Cyber-crime cases continue to escalate and diversify. As such, cyber security should be regarded as a fundamental aspect of any modern business and be prioritised as part of its risk management profile. Yet many businesses are slow to adapt to a shifting environment and to adopt the necessary approaches to protect their own and their clients' data. By choosing to ignore the ever-present threat of cyber-crime, businesses put themselves at risk not only of monetary loss but also of reputational damage.
One of the big problems is knowing where to start. To initiate a cyber security strategy within your business, it is important to be able to identify the different threats, weaknesses and risk tolerances that apply to your organisation's critical IT infrastructure or data.
To manage your company's potential risks and threats to cyber security, it is important to understand the sectors of your business specifically related to IT. When it comes to putting a strategy in place for your business, the following considerations are key:
Identify – Protect – Detect – Respond – Recover
In this article, we shall briefly look at how to identify the threats, and at the various components of your IT infrastructure that are vulnerable to attack.
Identification means establishing which areas of your IT infrastructure and data are currently protected, and how, and which are vulnerable or at risk of cyber-attack. This involves knowledge of the current IT security strategy (if one is in place), the resources that support critical operations and the threats that can affect them. The key here is not to focus on a specific area but instead to investigate the entire infrastructure.
Threats can be either direct or indirect. A good acronym for identifying threats to your business is STRIDE:
S – Spoofing/impersonation
T – Tampering – modifying data or code
R – Repudiation – denying performance of an action
I – Information Disclosure – access to information by an unauthorized person
D – Denial of Service – preventing or degrading access to users
E – Elevation of privileges – gaining unauthorized access
Assets will vary from business to business and can be divided into tangible and intangible assets, covering hardware, software and information assets. Threats to each of these assets are as follows.
Examples of hardware include all the components that make up a PC, phones, servers, printers, monitors etc.
Physical security – natural disaster, fire, theft, human error
Availability and support – if outdated hardware or software is in use, the unavailability of relevant parts and documentation can be a big security concern.
Trust – this is trust that the resources you are using will deliver, and that the users in your organisation are trained, tech-savvy and competent at using these resources.
Software is the programmes running on your PC, e.g. Windows, QuickBooks, Microsoft Office, Adobe and so on.
In the current software market, developers will often rush to deliver modern tech without fully considering security concerns; instead, these are often addressed in an update at a later stage. It is therefore important to ensure that the software you are choosing is the best possible solution for your requirements, that you are procuring it from a reputable source, and that data is secure and a backup is in place.
Data is often overlooked when a business compiles an inventory. Records of client information, financial transactions, trade secrets, intellectual property, research, employee information etc. can be as valuable as, if not more valuable than, tangible assets such as hardware. Malware, phishing and ransomware are just some of the external threats to your company's information. Internal threats include human error and failure of hardware and software.
Once assets and their risks are identified, a business may then begin to prioritise risks in order to create a custom budget for cyber security expenditure.
Aside from monetary investment in appropriate infrastructure, time should also be invested in detection of and response to threats. This will ensure that your business can recover from an attack with minimum downtime. While complete elimination of risk is impossible, identifying threats and preparing a backup/mitigation plan will help.