In this second part (read part one here), we’ll take a look at the value of confidentiality, integrity and availability. It will help you to consider just what is important to you and where you should concentrate your efforts when it comes to protecting yourself or your business.
More and more of our lives are being transformed in line with the information age. Whether you track your health with your smartwatch or check your home security cameras from the other side of the world, we all create massive amounts of data about ourselves.
There are so many rewards from living this way – saving money, time and generally making life much more convenient. Unfortunately, nothing is free, and ‘helpful’ digital services can expose us to a certain amount of risk. What isn’t clear is just how much risk we are exposed to when we use the new banking app on our phone, back up photos to the cloud or broadcast our location for friends to see. Large enterprises follow complex frameworks to figure this out, but these frameworks can also be simplified and applied to small businesses and individuals.
There are three key questions that need to be answered in order for anyone to protect their data:
- What needs to be protected?
- What about it needs protecting?
- Who or what does it need to be protected from?
When I ask what needs to be protected, I’m referring to anything in your online life that you value. You can start with intangible assets like your privacy as an individual or your reputation as a small business. From there you can derive hard assets by asking yourself the question, ‘what data do I have that could harm my reputation as a small business?’ This could be anything from financial data to internal emails. Someone protecting their personal privacy can ask, ‘what would really harm my privacy?’ Typically this would be the loss of personal data such as private messages and browsing activity.
Now that you know what your high-risk data is, you can derive a physical asset. This is typically the device that stores the data, or is used to access the app or portal where the sensitive information is shared. These assets will include such devices as your laptop, mobile phone or the company server.
Now that you know what needs to be protected, you must identify which aspects of it you want to protect. The CIA triad is often referred to when assessing this. This is not about the well-known U.S. intelligence agency but the three key factors of any data that needs protecting: Confidentiality, Integrity and Availability.
Confidentiality ensures that access to your data is restricted to those who have permission to access it; Integrity ensures that your data stays accurate and consistent; and Availability ensures that your data is always ready to use when you need it. For example, you may want to protect the integrity of your financial information as it acts as a record of business success that needs to be reviewed, whereas the confidentiality of your internal emails may be far more important than their integrity.
Finally, cyber-attacks generally fall into one of two categories. An attack can be one that leaks your personal data and so compromises the confidentiality of your data, or it can be developed purely to cause disruption, compromising the integrity and availability of your data. There have been well-publicised cases of both occurring recently, which have raised awareness of certain risks but also perhaps instilled a general fear of hacking, cyber-attacks and data breaches. In this series we’ll try to ease some of those worries and help you not fall prey to such attacks.
Daniel B Brown is a cyber security consultant at FarrPoint.
In the next article of this series, he will look at just how much protection is needed before addressing the best ways you can protect yourself and your company.