With the number of ransomware attacks making headlines, companies big and small are all too aware of the importance of cybersecurity. The challenge is that every company has a unique set of assets and systems. Knowing how best to protect these assets requires understanding their value. This is why asset management and strong governance are the starting point for cybersecurity.
Unless you know what you're defending and what those assets are worth, there's a good chance you'll be spending either too much or too little on cybersecurity, and both options can put the company at risk. In this article we discuss how to classify your assets and how that classification defines which cybersecurity solutions and policies need to be implemented.
What assets are you protecting and why?
Asset management helps you to understand what your assets are, where they are, and what role they serve in the company. Key questions to ask are "How critical is this asset to the business? What happens if it is no longer available?" Physical assets such as servers, switches or routers are relatively easy to identify, but companies shouldn't forget to include software systems and programs, and they should also take into consideration the role of employees, in particular the importance of training employees on cybersecurity.
When you start to uncover the answers to those questions, you gain a better understanding of what you’re protecting and why, as well as how much you should be spending on cybersecurity.
Working from the inventory of assets, the next step is to classify them into secret, private and public. Secret refers to any data that has the potential to cause major harm to the company if it were to get out into the public domain. Private is internal information that typically only employees or management would have access to. Lastly, public information is anything that is already in the public domain. This is the lowest category of confidentiality risk, although its integrity and availability can still matter: a defaced public website or an altered public price list is still an incident.
A mistake companies often make is to assign equal value to everything. The problem with this approach is that you could be spending $10 000 a year to defend information which is already in the public domain, which is essentially a waste of money. Alternatively, spending $10 000 a year to protect an asset that's worth $1 million is money well spent. This is why knowing the importance and value of the assets you're defending is vital.
How employees can aid asset protection
For many companies, because of the industry they operate in or because of the clients they serve, protecting assets is closely tied to compliance. They have to report on how they manage confidentiality, integrity and availability (CIA) of information, and have policies and procedures in place to secure that information. The document that describes this is known as a WISP (Written Information Security Policy).
Most companies have a WISP, but just having the document is not enough to ensure compliance. If the company is not following through on policies such as annual cybersecurity training or implementing MFA (multi-factor authentication) as it said it would, then not only will the company not stand up to an audit, it is also placing itself at risk.
Because cyber threats are constantly evolving, it is important to train employees from a technical as well as a people and process point of view. This means training employees to look beyond the obvious and known threats such as phishing emails asking them to click on a link. A threat could come from within and not even be malicious. An employee might simply not understand that what they’re doing is putting the company at risk.
No company wants to be found guilty of non-compliance, especially if it’s going to impact their ability to grow as a business. It’s important therefore to understand how governance helps create better cybersecurity.
Governance as the blueprint for better cybersecurity
Having the right cybersecurity tools is only part of the solution; companies also need to know how to apply those tools to protect their assets. Having a WISP and using it as the rules of the road helps to govern how cybersecurity is implemented. As an example, governance would include password policies, or procedures to shut off access once an employee has left the company.
It's much easier to implement cybersecurity when there are guidelines to follow than to adapt after the fact because a non-compliance issue has been flagged, or because the company has discovered assets that aren't adequately protected.
Cybersecurity and compliance are set to grow in importance in all industries. One only has to look at the detail cybersecurity insurance policies go into today, compared to a few years ago. Policy documents and questionnaires used to be a single page. Now they’re several pages long and require in-depth information on how companies manage their cybersecurity.
Governance is all about understanding what assets you have, what their role is in the company, and what their value is. It’s only when you know this information that you can make informed decisions on how best to protect those assets.
To learn more listen to a recent AMA (Ask me anything) podcast with Michael O’Hara, privacy and cybersecurity consultant. He discusses governance and asset management in more detail and shares examples from working in cybersecurity for more than 30 years. Or contact Logically to find out how to improve governance for better cybersecurity.