CIA Triad

How to Start Securing Your Small Business

The CIA Triad: Reduce the Risk of Cyberattack

As a small business owner, you have enough to worry about without adding cyber security to the list.

Technology is constantly evolving, compliance obligations keep shifting and becoming more rigid, with heftier consequences, and attackers, as usual, are exploiting anything and everything they can. Attackers are extremely creative and resourceful.

I understand that cybersecurity is a huge topic for a small or new business owner. You have a smaller budget and fewer resources, so outsourcing is not always an option. You have to roll up your sleeves, but with such a gigantic task ahead, it doesn’t always seem possible.

Outsourcing is pricey and free is never easy!

Don’t worry, I got you. If you have no idea where to start, consider these three concepts and apply them to your business.

Introducing the CIA Triad

Keep a simple approach by identifying your business needs according to the CIA Triad.

CIA Triad Diagram

This is a cybersecurity framework at the most fundamental level, and it can help you begin to grasp what your business is legally and morally obliged to protect. All standard frameworks in use today draw from these three elements, although each is more specific to its era and to the attack surface we face.

Apply these questions to your business.

  • What must remain confidential?
  • What must maintain integrity?
  • What must be available at all times?

Let’s Dive Deeper into the Triad

Confidentiality

Confidentiality is about keeping information private and granting access only to those who are authorized and need that information. Information you should keep confidential includes PII (Personally Identifiable Information), trade secrets and unpublished financial information, or perhaps information covered by a confidentiality agreement with a third party that you are liable to protect.

Methods to Implement Confidentiality
  • Create a confidentiality agreement to determine liability and responsibility.
    • Creating a staff security awareness training is invaluable.
  • Determine your Access Management method and provision appropriately (RBAC, MAC, PAM, IAM).
  • Access Management also includes validating users that are requesting access to information with authentication methods.
  • Encrypt storage hardware devices, your network, files and folders, etc.
  • Implementing physical barriers might also apply to your business, such as physical locks, security cameras, security guards or turnstiles. If they don’t need to know, don’t let them in.
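The access management point above (RBAC, provisioning, and validating who is asking) is easiest to see in code. The following is an added example, not code from the original post: a small role-based access control check that denies by default, so an unprovisioned or unknown user gets nothing, plus an access-review helper for checking who currently holds a permission. The roles, users and permission names are constructed for illustration.

```python
from typing import Dict, FrozenSet, List, Set

# Constructed example (not the article's): each role lists only the permissions
# that job actually needs. Permissions are "<action>:<resource>" strings.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "owner": frozenset({"read:payroll", "write:payroll",
                        "read:customers", "write:customers", "manage:users"}),
    "accountant": frozenset({"read:payroll", "write:payroll"}),
    "sales": frozenset({"read:customers", "write:customers"}),
    "contractor": frozenset({"read:customers"}),
}

# Who holds which roles. A user with no roles (or an unknown user) gets nothing.
USER_ROLES: Dict[str, Set[str]] = {
    "alice": {"owner"},
    "bob": {"accountant"},
    "carol": {"sales"},
    "dave": set(),  # account exists but has not been provisioned yet
}


def permissions_for(user: str) -> FrozenSet[str]:
    """Union of the permissions granted by every role the user holds."""
    perms: Set[str] = set()
    for role in USER_ROLES.get(user, set()):
        # An unknown role grants nothing rather than raising, so a typo made
        # during provisioning fails closed instead of open.
        perms |= ROLE_PERMISSIONS.get(role, frozenset())
    return frozenset(perms)


def is_authorized(user: str, permission: str) -> bool:
    """Deny by default: only an explicit grant through a role returns True."""
    return permission in permissions_for(user)


def who_can(permission: str) -> List[str]:
    """Access-review helper: every user who currently holds a permission."""
    return sorted(u for u in USER_ROLES if is_authorized(u, permission))


def access_log_line(user: str, permission: str) -> str:
    """One line to write to an audit log for each access decision."""
    decision = "ALLOW" if is_authorized(user, permission) else "DENY"
    return f"{decision} user={user} permission={permission}"


if __name__ == "__main__":
    checks = [("bob", "read:payroll"), ("bob", "read:customers"),
              ("carol", "write:customers"), ("dave", "read:customers"),
              ("mallory", "read:payroll")]
    for user, perm in checks:
        print(access_log_line(user, perm))
    print("Payroll readers:", who_can("read:payroll"))
```

Running `who_can("read:payroll")` periodically is the kind of access review that keeps "need to know" true over time: when someone changes job or leaves, their roles are removed in one place and every permission goes with them.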

Integrity

“Integrity refers to the methods of ensuring that data is accurate, real, and safeguarded from unauthorised user modification or destruction”.

To paint a picture for you, there is a method of attack coined a ‘man-in-the-middle attack’. The attacker places themselves between, for example, a client and a server, with the intent to alter information. They could alter bank account details, times and dates, or delete chunks of data; it all depends on their motive. For the sake of your business, employees and customers, how do we prevent this from happening?

Methods to Implement Integrity
  • A well-known technique to validate and verify information is called hashing.
    • Hashing computes a checksum of the original document; if anything in that document is changed in transit or in storage, the checksum changes, letting you know that the document's integrity has been compromised.
  • Creating regular backups can help with a swift roll back of compromised information.
  • Data versioning can keep everyone on the same page and create clarity.
  • Access Control is back, making sure only those with authorization can access data appropriately.
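The hashing point above, worked through in code. This is an added example, not code from the original post: it records a SHA-256 checksum of a document, detects a tampered copy, checks a file on disk the same way, and then shows the caveat that matters for the man-in-the-middle scenario described earlier: a plain checksum can be recomputed by whoever altered the document, so verifying data that crosses a network needs a keyed checksum (HMAC) with a key the attacker does not hold. The invoice contents are constructed sample data.

```python
import hashlib
import hmac
import os
import secrets
import tempfile

# Constructed sample document (not from the article): an invoice as it was saved,
# and a tampered copy where the bank account number was swapped in transit.
ORIGINAL = b"Invoice 1042\nPay to account: 12-3456-7890\nAmount: 1,250.00\n"
TAMPERED = b"Invoice 1042\nPay to account: 99-9999-9999\nAmount: 1,250.00\n"


def checksum(data: bytes) -> str:
    """SHA-256 checksum of in-memory data, as hex you can record beside the file."""
    return hashlib.sha256(data).hexdigest()


def checksum_file(path: str, chunk_size: int = 1 << 16) -> str:
    """SHA-256 of a file on disk, read in chunks so large files need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_checksum(data: bytes, recorded: str) -> bool:
    """True if the data still matches the checksum recorded when it was stored or sent."""
    # compare_digest avoids leaking which character differed through timing.
    return hmac.compare_digest(checksum(data), recorded)


def keyed_tag(data: bytes, key: bytes) -> str:
    """HMAC-SHA256 tag: a checksum only someone holding the key can recompute."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_keyed_tag(data: bytes, key: bytes, recorded: str) -> bool:
    """True if the tag was produced over exactly this data with this key."""
    return hmac.compare_digest(keyed_tag(data, key), recorded)


def demo() -> dict:
    """Run the scenarios and return the outcomes so they can be checked."""
    results = {}

    # 1. The checksum recorded at storage time still matches the untouched document.
    recorded = checksum(ORIGINAL)
    results["original_ok"] = verify_checksum(ORIGINAL, recorded)

    # 2. The tampered copy no longer matches: the change is detected.
    results["tamper_detected"] = not verify_checksum(TAMPERED, recorded)

    # 3. The same checksum works for a file on disk (written to a temp file here).
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(ORIGINAL)
        results["file_matches"] = checksum_file(path) == recorded
    finally:
        os.remove(path)

    # 4. Caveat: a plain checksum only helps if the checksum itself cannot be
    # replaced. Someone sitting between client and server can rewrite the
    # document AND recompute its SHA-256, so the forged pair verifies.
    results["plain_checksum_forgeable"] = verify_checksum(TAMPERED, checksum(TAMPERED))

    # 5. With a key shared only between the two legitimate parties (HMAC), a
    # valid tag for the altered document cannot be produced without that key.
    key = secrets.token_bytes(32)
    tag = keyed_tag(ORIGINAL, key)
    results["hmac_original_ok"] = verify_keyed_tag(ORIGINAL, key, tag)
    results["hmac_tamper_detected"] = not verify_keyed_tag(TAMPERED, key, tag)
    wrong_key = secrets.token_bytes(32)  # the real key is never disclosed
    results["hmac_forgery_rejected"] = not verify_keyed_tag(
        TAMPERED, key, keyed_tag(TAMPERED, wrong_key)
    )
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

For files you keep yourself, the plain checksum stored somewhere the file's writer cannot reach (an offline note, a separate backup) is enough to notice silent corruption or modification. For data that travels between two parties, use the keyed form, or simply rely on TLS, which does this for you on the wire.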

Availability

“As defined in FISMA, the term ‘availability’ means ensuring timely and reliable access to and use of information.”

Availability sits on a spectrum depending on what kind of business you have. For example, a power company will want access to its systems and resources 24/7 because it is responsible for the wider population's power grid and lives can be lost. A mining company will also want high availability because operational downtime is an immediate loss of profits.

So what are some ways that you can ensure availability for your business?

  • Regular backups of data and logs.
  • Backup generators and fuel.
  • Load balancers are a tool to mitigate Denial of Service (DoS) attacks and protect your website and servers.

In conclusion

If you are new to everything you just read, I highly recommend keeping a simple approach by identifying your business needs according to the CIA Triad.

What must remain confidential?

What must maintain integrity?

What must be available at all times?

Identify and prioritize your most important assets and services. Focus on one task at a time. Eventually you will gain momentum and begin to understand your business's attack surface. You will know when to outsource for help and when you just gotta roll up your sleeves.

Protect Your World

Brittney Barber

Cybersecurity Consultant & Writer