Every business needs to protect its information assets from accidental or malicious data breach. With the threat of GDPR fines looming large, there are a number of practical steps you can take to protect your information assets and reduce the risks to your business.
We are now living in the age of GDPR. Since the regulation became enforceable in May 2018, we have already seen the Information Commissioner’s Office announce its intention to fine British Airways £183 million and Marriott International £99 million for massive breaches the organisations suffered in 2018. All businesses need to take protecting their information assets seriously – any size of data breach has the potential to cause significant financial, operational and reputational damage. In order to reduce the risks to your business, you need to take steps to protect your information assets.
The Financial Conduct Authority (FCA) published an industry insights document in March 2019 with the aim of improving cybersecurity practices amongst regulated firms. At Six Degrees we work with FCA regulated firms to keep them safe from data breach, and there is value we can add to the FCA’s document that will help all businesses improve their cybersecurity posture.
In previous blog posts we expanded upon the FCA’s guidance on how to implement cybersecurity governance best practices, and delved into the importance of asset management. Understanding the importance of asset management is one thing, but knowing how to protect your information assets is another. In this latest cybersecurity insights blog post we’ll build on the insights the FCA offers in section four of its document: protect your assets accordingly.
How to Protect Your Information Assets
As we covered in a previous blog post, all information assets are classified in terms of their confidentiality, integrity and availability:
- Confidentiality is the privacy of an information asset, and who is authorised to access it;
- Integrity is the consistency and accuracy of an information asset; and
- Availability is the ability for the appropriate audience to access the information asset.
Effective cybersecurity policies, standards, procedures and controls will protect the confidentiality, integrity and availability of your information assets. This in turn will reduce the risk of your business suffering financial, operational or reputational damage as a result of an accidental or malicious data breach.
The FCA’s industry insights document provided five insights and best practices that will help businesses protect their information assets. We will expand upon these one at a time.
Invest In Training
Effective cybersecurity training is an important but often overlooked element of your business’ GDPR and ISO 27001 compliance regimes. Getting it right requires more than the occasional presentation or an online course with an exam at the end. Your cybersecurity training needs to drive behavioural change, and the only way of truly achieving this is through top-down, board-level engagement.
Partner with a cybersecurity specialist and carry out behavioural analysis through workshop sessions. On the basis of findings from these workshop sessions, carry out targeted training on a ‘little and often’ basis. Include security at home, adding value for users and extending the cybersecurity conversation beyond the office. Remember, security professionals are not the bad guys – they should be integrated as part of business as usual, and they should always be helpful and approachable.
Manage Your Third-Party Suppliers
Supply chain compromises are a key threat vector for most businesses. You may control your own data, but once you pass it to third-party suppliers under contract, and they in turn subcontract to their own vendors and suppliers, you may well lose visibility and control over where your data is being stored and how it is being used.
Carry out a robust assessment of all suppliers that handle personally identifiable information (PII) through an annual questionnaire. This should cover their entire business, and should comprise the first step of any procurement process along with a request to see evidence of secure practices through a right to audit.
Apply Encryption Appropriately
At a high level there is little to add to the FCA’s advice around encryption: not all data requires the same level of protection, so apply encryption controls appropriate to each level of data classification. Apply risk management principles to determine the potential impact of any given data being exposed, and remember that when systems are highly interconnected and interdependent, you are only as strong as your weakest link.
Be Aware of Your Vulnerabilities
In order to be aware of your potential vulnerabilities, you will need to carry out regular vulnerability scans overseen by a governance committee. Establish provisions to apply patches on both a scheduled and emergency basis, in order to ensure that you can address security flaws as soon as vendors release remedial patches.
Back up your vulnerability scanning with regular independent penetration testing. In an ideal world, penetration testing should take place every time there is a significant change to your IT infrastructure – whether that is adding an application server, updating your remote access method or any other change that affects your network topology. Security should be built in from the start, with penetration testing carried out prior to go-live.
You may also want to consider implementing an outsourced cybersecurity operations centre (CSOC) that will combine real-time monitoring with intelligent human analysis by experienced security professionals to recognise unusual log patterns and proactively alert on developing cyber threats.
Make Cybersecurity Part of Your Change Management Process
Most businesses have a change advisory board. In today’s hostile cybersecurity landscape, security must have a place at the table. Cybersecurity should be a key consideration at the outset of every change request, and all change management processes should be reviewed from both a security and a business perspective.
Keeping your information assets secure is a key aspect of any business’ cybersecurity preparedness, but the truth is that staying safe from cyber-threats is a constant challenge. If you’re keen to benchmark your business’ cybersecurity preparedness, take our cybersecurity quiz. It only takes five minutes, and will give you a snapshot of where you are and what steps you can take to improve your cybersecurity posture.