The CEO’s Cybersecurity Playbook
Managing information technology is about managing potential risk against business efficiency. The CIA Triad can be used to articulate cybersecurity risk in the language of the business.
This article by Kyle Milaschewski originally appeared in Industrial Cybersecurity Pulse.
As our society continues to modernize and advance at an ever-quickening pace, it is no longer possible for business owners and executives to ignore how information technology affects their business. Regardless of the services a company provides, a web presence and easy access to email are minimum operational requirements from day one. Simply by introducing email to your company, you have opened the possibility of a cybersecurity threat that could impact your bottom line.
How Does This Affect Your Profitability?
Managing information technology is about managing potential risk against business efficiency. The business owner does not need to understand how the technology functions but should always understand how their technology decisions impact the Adjusted Gross Revenue (AGR) of the company: not doing enough to protect your business is often more damaging to the bottom line than doing too much. This is why it is important that the C-suite understands the core theory of cybersecurity, which can be easily explained through what is known as the CIA triad.
The CIA Triad: Confidentiality, Integrity, and Availability
Every technology decision executives make will somehow influence at least one aspect of the CIA triad. Here is a breakdown of the basic meaning of each aspect of the CIA triad:
Confidentiality — Your data is protected from being viewed or manipulated by individuals who should not have the ability to view or manipulate it. This can be as simple as preventing accounting employees from accessing HR data, since those duties should be separated. Or it can be more complex, such as encrypting all your laptops so that if one is lost or stolen, the data on it is not compromised.
Integrity — Your data is protected from being manipulated, deleted, or altered without knowledge of the changes being made. The data held by a business must always be trustworthy. The technical aspects of integrity typically include strong backups, strong change control, keeping your data encrypted when in transit, and a separation of job duties.
Availability — Your data is always accessible to those who have the rights to access it: without availability there is no revenue stream. Availability also acts as the check and balance against the extremes of confidentiality and integrity, where security measures become so strict that they impair employees’ ability to perform their job duties. Basic technical aspects of availability include the concept of “High Availability,” meaning layers of redundancy in your business platforms, as well as implementing Single Sign-On with multi-factor authentication to keep those platforms secure without requiring employees to memorize a dozen different passwords.
How to Use These Ideas
Try asking yourselves the following questions every time you make a technology-based decision or purchase. Keep in mind that these are real-world scenarios based on experiences Steel Root has observed over time.
- Will this decision allow employees to view information they should not be able to view?
Example: HR documents are stored on a server, there are no security permissions applied, and any employee can access the information. The receptionist looks at the HR files and complains to management about what they find in the files.
Example: You (the business owner) give your old computer to a new employee. The new employee uses an account with local administrator privileges, which can access your old data, and pulls up employee hiring data that was stored on the machine.
- Will this decision provide a vector for non-employees to access company information?
Example: You purchase a new web platform with a public-facing sign-in page. A public web platform requires additional security measures to remain secure, and data is stolen because the new platform was not properly secured.
Example: You elect to not introduce spam and phishing prevention for your email accounts, which results in a significant ransomware event.
- Is the nature of my data regulated? Am I compliant in all locations in which I do business?
Example: You are a Massachusetts registered business, requiring compliance with 201 CMR 17.
Example: Your business generates >$24MM per year and is registered as a business entity in California, requiring compliance with CCPA.
- Will this decision allow employees to expunge data they should not be able to?
Example: Your finance department can delete QuickBooks backups because they are stored in the same location as the company file, even though finance should not be able to manage backups. An employee “cleans out” the folder when the disk fills up, and all company financial data is lost.
Example: Customer service agents can delete purchase and sales orders but are not responsible for accounting. An agent exacts personal retribution against an important client by deleting all purchase and sales orders, resulting in a loss of the client’s present and future business.
- Will this decision allow employees to manage data in a way they should not be able to?
Example: “Privilege Creep.” One of your first hires is promoted from sales to president of HR. You provide them access to the HR information without removing their access to the sales information. Your employee now has access to a portion of your business they no longer need, and uses data from the wrong department to carry out their HR job duties.
Example: Your employees have access to and control over backups as a cost-savings measure; the backups are routinely deleted when the server runs out of space. A new employee is tasked with this maintenance and instead deletes all company directories. All data is lost because the backups were improperly stored in the same location as the corporate data.
- Will this decision allow non-employees to access and manipulate my data?
Example: You have a Bring Your Own Device (BYOD) policy for accessing company email without a phone password policy. Your employee’s toddler, playing with the unlocked phone, deletes critical business emails. The employee misses a high-priority client correspondence, ultimately resulting in a lost contract.
Example: You fire an employee who has access to critical intellectual property and has been working for your business on personal devices under a BYOD policy. On exit, the data is not collected from the personal devices. The employee goes to work for a competitor and hands over the IP.
- Will this decision restrict employees from accomplishing their job duties?
Example: A policy requires that all system passwords be different, complex, and long, but no tool is provided to manage these passwords. Each employee now spends 15+ minutes per day “logging in,” while IT staff utilization for routine password resets increases at the same time. The cost of lost time and human capital is likely to exceed the cost of a password-management system.
Example: Insufficient backup strategies (see the Integrity violations above) cause an extended outage after data is accidentally lost due to hardware failure; rather than a return to operation measured in hours, it is measured in days. The company potentially becomes insolvent when it runs out of capital and misses a payday.
- Will this decision (or indecision) impact the technical functionality of my business?
Example: Not sufficiently investing in hardware or platform performance. What was purchased five years ago to serve the company may not efficiently serve the company today. A simple rule of thumb to follow is that for every 100 employees, if you can save them five minutes per day, you will save about $50k per year on the bottom line.
Example: You use an email system provided by your web host rather than an industry-standard vendor, which prevents your business from scaling properly as new positions are created. The expense of a future migration, plus the cost of resolving technical support issues on a proprietary platform, is often greater than investing early in the correct platform, such as Office 365 or Gmail.
Pulling It All Together
It is important to realize that every decision you make regarding one aspect of the CIA triad is likely to affect the other two. While we presented many of the scenarios here as specific to one aspect, several of our examples in fact involve other aspects of the triad as well, most notably the business theory around high-availability platforms and data backups.
The critical piece of understanding that we hope to pass on through all of this is that good security and good information technology should always accomplish two things:
- Increasing the AGR of your business through operational efficiency and integrity, and building client trust through the safe management of their personal information.
- Acting as a co-insurance that prevents risk from disrupting your business, rather than transferring it to another entity, such as an insurance company, or worse, your investors.
It is important to acknowledge that “future-proofing” is an impossible endeavor, and that the field of technology is an ever-shifting game: what works today may not work tomorrow. That is why technology should always be a business enabler as well as a flexible piece of your business that retains the ability to evolve with each new situation.