It seems like there is a report in the news every week of a big corporate being hacked, or of a company where you probably have an internet account having its user details, or worse, stolen (Yahoo, LinkedIn, eBay, AOL, and so on). So, the big question is: what do I do to prevent my organisation joining that list?
The first thing to accept is that against the most determined hackers, there is not much you can do to stop them. If they want to get into your network, they eventually will. Your job is to make it as hard as possible to get in, so that you stop the 99.9% who are less determined, and to make sure that your critical data has the best protection. The problem is that this can be quite expensive, so the challenge is to get the balance right between the risk to your business and the amount you spend on implementing and running security.
Determining the right balance is about understanding your potential data risks and their impacts, e.g. what would happen if that data were stolen, or that website were defaced? Would we breach regulatory requirements, e.g. GDPR? What would be the impact on our reputation? What would the cost to our business be, both to remediate the damage and in terms of lost business? The answers to such questions differ depending on the type of data, and it is those answers that determine where and how much you spend on security. You typically don’t need gold standard security everywhere. You usually (and this is a rough guide) need bronze where being hacked in some way would be an inconvenience and a bit embarrassing, silver where being hacked would cause you manageable disruption and some embarrassment, and gold where you are liable to fines, significant business disruption or serious reputational damage, i.e. where your business itself is put at risk.
How do you go about determining the right balance? By understanding your business and its exposure to different types of risk, by classifying your data accordingly, by determining your risk appetite, and then by applying the levels of security you need.
Published by Paul Yewman on behalf of John Mayall – CISO, Independent Consultant and Interim Chief Architect.