In the previous instalment of the guide, I covered confidentiality of your data – the C in the often referred to CIA (Confidentiality, Integrity and Availability) triad of cyber security. In this final part of the guide to cyber security I’m going to be looking at the I and the A in the acronym – the integrity and availability of your business data.
It’s fair to say that most people and many companies tend to focus solely on keeping their sensitive data confidential and safe from third parties. The integrity and the availability of data is easily overlooked, but these are just as important, especially for businesses.
So what is data integrity? It means that your data is trustworthy and that it has not been tampered with or changed by unauthorised, possibly malicious, intruders. Making sure that your data maintains its integrity involves ensuring it is consistent, accurate and reliable throughout its entire lifecycle. This is generally more important for businesses than for individuals. Take for example, the ‘Salami Attack’. The attacker makes tiny, incremental changes to transactional data, for example, taking fractions of a penny from millions of transactions. These attacks are difficult to spot and when conducted on a large enough scale, can add up to substantial losses. The financial implications, which could be huge, are only the tip of the iceberg. The reputational damage and loss of trust in a company could prove even more costly in the long run.
So how can we protect the integrity of our data? Firstly a company should have a clear data protection policy in place, make sure that it’s employees are fully aware of the value of it’s data and the potential harm any malicious access could cause. Businesses should be limiting access to only those who need it – a need-to-know access model. Secondly, make use of cryptography. Any data that is moving over the internet should be protected by TLS (transport layer security) encryption. This is a protocol that provides privacy and ensures data integrity when two applications are talking to each other. Online transactions are a good example of why data integrity is so important; imagine the implications of a transaction for £100 being changed to £10,000 whilst that data is in transit. TLS would stop an attacker from intercepting your transaction and changing the data.
The good news is that TLS is fairly widely used and is present in most web browsers and applications these days, but if you are in any doubt check first. Make sure you are sending email or data using TLS-enabled web services – look for the little green lock in your address bar or, if you are not using a browser, check that the app you are using supports TLS, also consider using a VPN (virtual private network). There are also widely used, free, public encryption applications available such as the popular email encryption tool PGP (Pretty Good Privacy).
If your data is at rest and currently being stored on the likes of a flash drive or a computer then you should protect it with AES (Advanced Encryption Standard) encryption. Physical level encryption makes sure that even if the physical device your data resides on is compromised (e.g. stolen) your data is still protecteced.
Now we come to data availability. It’s all very well having your information secure, rendering it illegible and meaningless to interlopers, but at some point you will need it to be understood by you or your intended recipient. In order for your business to operate, you need to make sure that authorised people can access your data when you need them to.
Availability is often overlooked when it comes to data. This is proven by the widely successful ransomware attacks that have swept through the world’s networks. These attacks hold access to your data to ransom, demanding money for its safe release. The well known Denial of Service works on a similar premise but instead overwhelms your resources so that you and others cannot access them. The damage of these attacks can range greatly, from a couple of minutes of interuption to your internet connection to the irreversible loss of critical data your business relies on to opertate. The impact is both reputational and financial as loss of your public systems can be hard to cover. The impact to individuals can be the loss of irreplaceable data like family photos and creative and academic works.
How can you defend yourself against such attacks and make sure you maintain the availability of your data? Back up your data in multiple locations. Ideally your data should always be available in three places. The first is production data. This is the main source of your data, for example, data held on your laptop or your server’s hard drive. Secondly, an on-site backup that is constantly replicating the primary main source of your information and finally an off-site back up that can be updated anywhere from hourly to monthly. This last one protects you against bigger incidents such as water or fire damage, theft and ransomware.
You should also give some consideration to whether your on-site backup needs to be kept separate from your main network because in the event of a Ransomware or DDoS attack it will mean you have a full, clean copy of your data that has not been infiltrated or corrupted. In a business, technical controls should be further bolstered by having a policy in place that focuses on controlling how your data is handled. This should make people in the company much more aware of the key risks posed to the organisations by cyber attack and loss or ransom of your data.
Across these five articles I have given you some idea of how you can best stay safe online and keep your data out of harm’s way (read parts one, two, three and four). Despite all this, and having the best back-ups and controls in place, by far the biggest threats to your data security are mistakes being made by users. Also, although it might sound like the realms of only big business, having an incident response plan in place can massively reduce the impact of an attack for everyone including SME’s and private users.
Be careful what you click when online or when opening emails, and don’t be the person who falls for a phishing attack that installs malware or wipes your hard drive. Follow the simple hints and tips I’ve detailed and keep yourself, your hardware and your security knowledge up to date. Small businesses should look to implement the UK governments Cyber Essentials and 10 Steps to Cyber Security, which aim to protect businesses against the most common cyber attacks. Larger organisations should look towards implementing an Information Security Manageent System such as ISO 27001.
The threats are constantly changing and developing but if you stay abreast of these and tread with caution, you can continue to safely enjoy all the benefits and opportunities that the digital world brings.
Daniel B Brown is a security consultant at FarrPoint.