Think Security, Think CIA – But We’re Not Talking Spies and Sleuths

The cyber-attack threat landscape is constantly evolving, according to Richard Gaudin, Commercial Director, Logicalis Managed Security Services. 

We read frequently about its impact on customers such as the recent Dixons Carphone huge data breach last year. It’s bad for customers and it’s bad for business.

According to recently published figures for the UK by the Online Trust Alliance, 2017 was the worst yet in terms of attacks on organisations. Attacks doubled from 82,000 incidents in 2016 to over 159,000 - and that’s just the ones we know about.

Keeping up to date with the latest cyber security threats is challenging to say the least. The time between vulnerability disclosure and attack launch is getting shorter all the time, and it’s easy for a hacker to change a line of code, and then fire off another - ever so slightly different - attack.

Effective cyber security is knowing what’s important to you and protecting it to the best of your abilities. One way to make things clearer is to break it down into three elements. The acronym might have already been taken by a well-known US institution but at least ‘CIA’ is memorable.

For our purposes, we’re taking about data protection as Confidentiality, Integrity and Availability

Confidentiality is all about privacy and works on the basis of ‘least privilege’. Only those who require access to specific information should be granted it, and measures need to be put in place to ensure sensitive data is prevented from falling into the wrong hands – which includes internal employees. The more critical the information, the stronger the security measures need to be.

Measures that support confidentiality can include data encryption, privileged access management, multi factor authentication, biometric verification and keeping secure and unsecured networks apart, which could even include having a stand-alone computer disconnected from the internet.

Integrity of data is essential, you must be confident that information that you are creating and sharing across your business and out to your customers remains as you intended throughout its entire life cycle. Technologies such as digital signing, version control and use of the blockchain are useful ways to prevent unwanted changes or deletion of data.

It is also critical to ensure that the originator and receiver of information are the intended individuals. Many breaches have happened where the threat comes from someone pretending to be a known contact. This can be dealt with by using strong encryption key tools and also through educating your employees about security and drive their behaviours to improve your security posture.

Availability is all about making sure that the right people can always access the data at the required moments. Remaining operational is critical and you need to ensure that those who need access to business information can maintain this access at all times. Business continuity planning is essential for this and organisations need to plan ahead to prevent any loss of availability, should the worst happen. Examples of disaster planning include preparing to deal with cyber-attacks (such as DDoS), data centre power loss or even potential natural disasters such as a flood or severe storm.

Confidentiality, Integrity and Availability are key elements to ensuring compliance with the General Data Protection Regulation. A key principle of the new regulation is that you have to process personal data securely by means of ‘appropriate technical and organisational measures’ – this is called the ‘security principle’.

All three of the CIA elements are required to ensure you remain protected. If one aspect fails, it could provide a way in for hackers to compromise your network and your data.

Technology is no longer just an enabler; it is now the beating heart of most businesses and if it fails, the consequences can be terminal. With this is mind, Logicalis will be expanding further on the CIA pillars and how businesses can best protect themselves, their systems and their data.