Let’s start by asking why someone would want to break into your network. When hacking first became common back in the 1980s it was generally done for bragging rights. Attackers have since found that there is money to be made from information. It is easy to see how stolen credit card numbers can be used to buy things and how trade secrets can be ransomed or sold to a competitor, but other information such as email accounts, mailing addresses, and transaction history also has value and is routinely bought and sold.
Cybersecurity is simply how we protect ourselves against the threats we face in a connected world. The news is full of cybersecurity failures such as Target, Home Depot, Anthem, etc. The most common responses to these intrusions are “If the big companies can’t defend themselves, then I have no chance!” or “The bad guys are only after the big companies; they will never come after a small company like mine.” While both of these comments have some merit, automated attacks make every company a target regardless of size: a bot scanning the internet for an exposed, unpatched service does not know or care who owns the machine it finds. Everyone needs to protect themselves, but you need a logical approach.
In February 2014 the National Institute of Standards and Technology (NIST) published version 1.0 of its Cybersecurity Framework. This framework is a good guide to how you can protect yourself. The Framework Core consists of five Functions: Identify, Protect, Detect, Respond, and Recover.
Let’s start with Identify. Before you can protect your network, you have to know what is in it. Asset Management means you know all of your connections to the internet and all of your firewalls, routers, servers, network storage devices, workstations, printers, and so on. Most of this seems pretty simple. But you must also know which operating systems are running and which applications are installed, along with their versions and patch levels, because a system you do not know about will never be patched. It is also necessary to know where your data is located and how sensitive that data is.
The first step to successful cybersecurity is having a complete and accurate network map. This should show the physical and logical infrastructure and where each piece is located. An inventory of all your equipment complements the network map by recording exactly what you have. A good starting place may be the depreciation schedules, with the caveat that they only list capitalized assets, so leased equipment, employee-owned devices, and virtual machines will not appear there.
But even if you know the equipment and its location, you still need to know what software and data are on that equipment. There are many tools, known as IT Asset Management (ITAM) software, that scan your network and record the hardware and software they find. Spiceworks is a popular free application that does much of this, but you may want to opt for a more robust system or one without some of the nuisances of a free application. ITAM scans should be run on a regular schedule and compared against the approved inventory, so that unauthorized hardware or software on your network is actually flagged rather than just recorded.
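The comparison step is where the inventory turns into a security control. The following script is an added example written for this article; it is not part of Spiceworks or any other ITAM product. It assumes an approved inventory keyed by MAC address (with the software and minimum versions allowed on each host) and a scan result in the same shape; both data sets below are constructed samples, and a real run would load them from your inventory system and your scanner.

```python
"""Reconcile a periodic network scan against the approved asset inventory.

Flags four things an ITAM scan should surface:
  UNKNOWN_HOST         - device seen on the network but not in the inventory
  MISSING_HOST         - inventoried device that did not show up in the scan
  UNAPPROVED_SOFTWARE  - installed software not on that host's allowed list
  OUTDATED_SOFTWARE    - installed version below the required minimum
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Host:
    mac: str                 # hardware address, used as the stable identity across IP changes
    ip: str
    hostname: str
    software: Dict[str, str] = field(default_factory=dict)  # name -> installed version


# Approved inventory (constructed sample). "allowed" maps software name -> minimum version.
APPROVED_INVENTORY = {
    "00:11:22:33:44:01": {"hostname": "fileserver-1",
                          "allowed": {"Windows Server 2019": "10.0.17763", "Veeam Agent": "6.0"}},
    "00:11:22:33:44:02": {"hostname": "ws-accounting-1",
                          "allowed": {"Windows 10": "10.0.19045", "QuickBooks": "2023"}},
    "00:11:22:33:44:03": {"hostname": "printer-lobby", "allowed": {}},
}

# What this week's scan found (constructed sample). The printer is absent and a
# phone nobody registered has joined the network.
SCAN_RESULTS = [
    Host("00:11:22:33:44:01", "192.168.1.10", "fileserver-1",
         {"Windows Server 2019": "10.0.17763", "Veeam Agent": "5.0"}),
    Host("00:11:22:33:44:02", "192.168.1.50", "ws-accounting-1",
         {"Windows 10": "10.0.19045", "QuickBooks": "2023", "uTorrent": "3.6"}),
    Host("00:11:22:33:44:99", "192.168.1.77", "android-7f3a", {}),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.17763' into (10, 0, 17763) so versions compare numerically."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def reconcile(inventory: Dict[str, dict], scan: List[Host]) -> List[dict]:
    """Return a list of findings; an empty list means the scan matches the inventory."""
    findings = []
    seen = {host.mac: host for host in scan}

    for host in scan:
        entry = inventory.get(host.mac)
        if entry is None:
            findings.append({"type": "UNKNOWN_HOST", "mac": host.mac,
                             "detail": f"{host.hostname} ({host.ip}) is not in the inventory"})
            continue
        for name, installed in host.software.items():
            minimum = entry["allowed"].get(name)
            if minimum is None:
                findings.append({"type": "UNAPPROVED_SOFTWARE", "mac": host.mac,
                                 "detail": f"{name} {installed} on {host.hostname}"})
            elif parse_version(installed) < parse_version(minimum):
                findings.append({"type": "OUTDATED_SOFTWARE", "mac": host.mac,
                                 "detail": f"{name} {installed} < required {minimum} on {host.hostname}"})

    for mac, entry in inventory.items():
        if mac not in seen:
            findings.append({"type": "MISSING_HOST", "mac": mac,
                             "detail": f"{entry['hostname']} was not seen in this scan"})
    return findings


if __name__ == "__main__":
    for finding in reconcile(APPROVED_INVENTORY, SCAN_RESULTS):
        print(f"{finding['type']:<20} {finding['mac']}  {finding['detail']}")
```

A missing host deserves the same attention as an unknown one: a printer that vanished may simply be powered off, but a laptop that vanished may have walked out the door with client data on it.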
Along with the hardware and the software, you need to identify where the data is stored. As we know, not all information is created equal. You must have a process to classify the data you are storing in order to protect it properly. You may decide that all your data is critical and that you are going to protect all of it equally. This may be fine if you have limited data in a single location, but when resources must be spent to protect data in multiple locations you will need to classify it in order to allocate those resources properly. Data is generally classified into three buckets: Client Data, Company Data, and Public Data.

Client Data may need to be classified with more granularity. Credit card numbers, social security numbers, bank account numbers, etc. need more attention than a customer’s name, but remember, it is not your data. It is your customers’ data, and losing it can have a major impact on your reputation as well as on their lives. Company Data is data that you share with your employees but don’t want the public to know, such as a trade secret or plans for expansion. Your employees may need to know this but you don’t want your competition to know. This could be important to your company’s survival, so it is important to protect it, but unlike client information, this is your own data.
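Finding out where the Client Data actually lives is usually the hard part, because card numbers and social security numbers end up in spreadsheets, email exports, and support tickets far from the systems built to hold them. The script below is an added example for this article, not the author’s process or any product’s scanner. It walks a set of files, looks for card numbers (validated with the Luhn check so that random digit strings are not reported) and US social security numbers, and assigns each file to one of the three buckets from the text. The files are constructed samples held in a dictionary so the example runs offline; the “INTERNAL”/“CONFIDENTIAL” marker used to spot Company Data is an assumption about how such documents are labelled in your organization.

```python
"""Classify files into Client, Company, or Public Data by content.

Client Data  : contains a Luhn-valid payment card number or a US SSN
Company Data : carries an internal-use marker but no client identifiers
Public Data  : everything else
"""
import re
from typing import Dict

# 13-19 digits, optionally separated by single spaces or dashes, e.g. "4111 1111 1111 1111".
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# US SSN in the common dashed form; rejects impossible area/group/serial values.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Assumed convention: internal documents carry one of these markers.
COMPANY_MARKER_RE = re.compile(r"\b(INTERNAL|CONFIDENTIAL|DO NOT DISTRIBUTE)\b", re.IGNORECASE)

CLIENT = "Client Data (restricted)"
COMPANY = "Company Data"
PUBLIC = "Public Data"

# Constructed sample "files": path -> contents.
SAMPLE_FILES = {
    "invoices/2023-q3.txt": "Customer: Jane Doe\nCard: 4111 1111 1111 1111 exp 09/26\n",
    "hr/new_hire.txt": "Name: John Smith\nSSN: 123-45-6789\nStart date: 2024-03-01\n",
    "strategy/expansion.txt": "INTERNAL - do not distribute.\nOpen a second warehouse in 2025.\n",
    "web/about.txt": "We have been in business since 1985. Call 555-0100 for a quote.\n",
    "test/fake_card.txt": "Card 4111 1111 1111 1112 (test fixture, fails checksum)\n",
}


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_text(text: str) -> dict:
    """Return counts of identifiers found and the resulting classification."""
    cards = [m for m in PAN_RE.findall(text)
             if luhn_ok(re.sub(r"[ -]", "", m))]
    ssns = SSN_RE.findall(text)
    if cards or ssns:
        label = CLIENT
    elif COMPANY_MARKER_RE.search(text):
        label = COMPANY
    else:
        label = PUBLIC
    return {"card_numbers": len(cards), "ssns": len(ssns), "classification": label}


def scan_files(files: Dict[str, str]) -> Dict[str, dict]:
    """Classify every file; with a real tree, replace the dict with os.walk() and open()."""
    return {path: classify_text(contents) for path, contents in files.items()}


def summarize(results: Dict[str, dict]) -> Dict[str, int]:
    """Count how many files landed in each bucket."""
    counts: Dict[str, int] = {}
    for result in results.values():
        counts[result["classification"]] = counts.get(result["classification"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for path, result in results.items():
        print(f"{result['classification']:<26} {path}  (cards={result['card_numbers']}, ssns={result['ssns']})")
    print(summarize(results))
```

Every file that lands in the Client bucket tells you a location that needs the strongest controls, and a file in that bucket sitting outside the systems you thought held client data is exactly the finding this exercise is meant to produce. Pattern matching alone over-reports; the Luhn check is what keeps the test fixture with a bad checksum out of the restricted bucket.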
Gathering all this information is a great first step, and the project often pays for itself in other ways. You may find software that you are paying for that no one uses, or several products purchased to accomplish the same thing. You may even find better ways to organize your data and save storage. The bottom line is that you need to know what you have in IT in order to administer it properly, not just to protect it from cyber-criminals.