CIA Triad

When you think of a cybersecurity incident, what do you think of? Do you think of a teenager in the former Soviet Union wearing a hoodie and stealing cryptocurrency while frantically typing? An email spammer trying to convince your grandma that she won a free iPhone if only she will click a link? A nation state hacker using top secret technology to steal classified data from rival countries? If so, you might think that your business doesn’t need to focus on cybersecurity.

But what about when an employee leaves your company and you realize after they’re gone that they were the one who owns your social media platforms? Or a teammate loses their personal iPhone that they will occasionally check work emails on? Or what about when a coworker is organizing the shared Google Drive folder and deletes a folder they thought was unnecessary but actually had important information within it?

Hollywood has convinced us that cybersecurity is all about stopping the bad guys from causing damage, but in reality it’s all about surviving your company’s worst day. One framework that cybersecurity professionals use is the CIA triad: Confidentiality, meaning only those who need access to your data can access it; Integrity, meaning you can trust that the data is what it is supposed to be; and Availability, meaning you can access the data when and where you need it.

Let’s dive into confidentiality first, and how it applies to a small business. Think about what secrets your company holds: passwords, client financial information, nondisclosure agreements, and even internal company communications. Essentially, think of any information that you would not want the general public, competitors, or hackers to know. How do we ensure the confidentiality of this information? First things first, we need to ensure proper access control through strong passwords, multi-factor authentication, and role-based access control. From there, we need to encrypt. Whether this is end-to-end encryption of emails, messages, or texts, or encrypted file storage (AKA data at rest), it is critical to add that additional layer so that anyone who intercepts or steals your data cannot simply read it as it comes across their screen.

Out of the three aspects of the CIA triad, confidentiality is the trickiest to implement for a non-security professional, requiring knowledge of encryption and password best practices in a world where what made sense five years ago is dangerously obsolete now. Hedgerow Cybersecurity consulting keeps tabs on the best confidentiality practices, and can ensure that your data is properly protected from unauthorized individuals.

Next is integrity. We want to make sure that the data we have is the correct data. On the surface this seems pretty straightforward. Shouldn’t it be obvious if a file has been corrupted or text has been modified? Perhaps on occasion. But if you’ve ever sent a document or given a presentation where it quickly became apparent that version control was not done, you know that it isn’t always so easy. This is where version control logs, file hashing (a fixed-length fingerprint of a file that comes out completely different every time the document is modified, no matter how small the change), and maintaining an up-to-date backup to revert to the last good version come into play.
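The hashing idea above, as an added example that is not part of the original post or Hedgerow’s own tooling: it uses only Python’s standard library to record a SHA-256 fingerprint of every file in a folder (the “last good version”), then re-checks the folder and reports which files were modified, deleted, or unexpectedly added. The sample files and the one-character edit are constructed inline so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Return the hex SHA-256 digest of a file, read in chunks so large files fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def differing_hex_chars(a: bytes, b: bytes) -> int:
    """Count how many of the 64 hex characters differ between the SHA-256 digests of two inputs.

    Even a one-character edit changes roughly 15 of every 16 digits, so a changed file
    is never mistaken for the original because of a 'small' edit.
    """
    digest_a = hashlib.sha256(a).hexdigest()
    digest_b = hashlib.sha256(b).hexdigest()
    return sum(x != y for x, y in zip(digest_a, digest_b))


def build_manifest(folder: Path) -> dict[str, str]:
    """Record the current hash of every file under the folder: the 'known good' state."""
    return {
        str(path.relative_to(folder)): sha256_file(path)
        for path in sorted(folder.rglob("*"))
        if path.is_file()
    }


def verify_manifest(folder: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Compare the folder against a saved manifest and report what changed since it was taken."""
    current = build_manifest(folder)
    return {
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "missing": sorted(k for k in manifest if k not in current),
        "added": sorted(k for k in current if k not in manifest),
    }


def demo() -> dict[str, list[str]]:
    """Constructed scenario: a temporary folder standing in for a shared drive."""
    with tempfile.TemporaryDirectory() as tmp:
        folder = Path(tmp)
        (folder / "contract.txt").write_text("Payment due: $10,000 within 30 days.\n")
        (folder / "notes.txt").write_text("Meeting notes.\n")
        manifest = build_manifest(folder)  # taken while everything is known to be good

        # Simulate three integrity problems: a one-character edit, an accidental
        # deletion, and a file nobody expected to appear.
        (folder / "contract.txt").write_text("Payment due: $10,000 within 90 days.\n")
        (folder / "notes.txt").unlink()
        (folder / "unexpected.txt").write_text("not in the manifest\n")

        return verify_manifest(folder, manifest)


if __name__ == "__main__":
    print(demo())
    print(differing_hex_chars(b"30 days", b"90 days"), "of 64 hex digits differ")
```

In practice the manifest would be stored somewhere the people editing the files cannot also edit (for example alongside the backups), and a mismatch is the cue to pull the last good version from backup rather than trust the current copy.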

Does your company track document changes or conduct data backups? If not, Hedgerow can help. These setups seem simple, but implementing them on a business-wide scale takes deliberate attention that can be hard to prioritize. The problem is, you can’t afford not to.

Finally, we close with availability. This one is the easiest to understand at a surface level. Accidental deletions, account lockouts, and inadequate permission assignment can all cause data availability issues. Many of the controls for confidentiality and integrity roll over nicely into availability: data backups cover accidental deletions and ransomware, and appropriate access control covers account lockouts and permissions.

What is Hedgerow’s most commonly seen availability incident? An admin or account holder leaves the company and takes their login access with them. Platforms like Google or Meta are unable to help because, at least as they see it, the legitimate owner still holds the password. We can help you review your access controls to ensure that the right people have the right level of access and ownership.

Cybersecurity doesn’t play out like a spy movie. It is the careful setup and maintenance of policies, tools, and procedures. It requires constant vigilance and attention to ensure the confidentiality, integrity, and availability of your business’s most important data. By focusing on the CIA triad, you can have the added confidence that your business’s worst day will not be its last.