The 3 Fundamental InfoSec Principles


The security threats to Australian SMBs are relentless, sophisticated and ever evolving. In 2016, PwC's Global State of Information Security Survey reported a 109 percent increase in detected security incidents in Australia. Combined with the recent wave of WannaCry ransomware infections and increasingly convincing phishing scams, organisations without strong cybersecurity need to take note.

However, building a comprehensive information security program can be a challenge for even the most tech-savvy managers. Threat prevention requires strategic thought and a firm understanding of the core principles of security: confidentiality, integrity and availability. Together, these make up the "CIA triad."

Confidentiality

Your first objective when designing a security framework is to prevent sensitive information from falling into the wrong hands. The surest way to achieve this is to put a gate in front of your data that only authorised users can pass: every request to read it must be authenticated (is this really the person they claim to be?) and authorised (is that person allowed to see this?).

For starters, a strong, unique password for each application makes it hard for attackers to guess your login credentials, and means that a password leaked from one site cannot be replayed against the others, reducing the chance of account hijacking. To take it a step further, adding a second authentication factor (a fingerprint scan, a code from an authenticator app, or as a weaker fallback a temporary SMS code, which can be intercepted by SIM-swapping) means a stolen password alone is no longer enough to get into the account, and by extension, your data.
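To make the "temporary code" concrete, here is an added example (not code from the original page or from Empower IT) of how an authenticator app and a server agree on a six-digit code without ever sending it over the network: both hold a shared secret and derive the code from the current 30-second time step, as specified in RFC 6238 (TOTP) on top of RFC 4226 (HOTP). The server tolerates one step of clock drift either way and compares codes in constant time. The secret is the RFC's published test value, used only so the output is checkable against the standard; it is not a real key.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"time"
)

const (
	timeStep = 30 // seconds per code, as used by common authenticator apps
	digits   = 6
)

// hotp computes an RFC 4226 one-time code for an 8-byte big-endian counter.
func hotp(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	// Dynamic truncation: the low nibble of the last byte selects a 4-byte
	// window; its top bit is cleared so the value is the same everywhere.
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// totp is RFC 6238: the counter is the number of 30-second steps since the
// Unix epoch, so phone and server compute the same code from the same secret.
func totp(secret []byte, unix int64) string {
	return hotp(secret, uint64(unix/timeStep))
}

// verifyTOTP accepts the code for the current step and one step either side
// (tolerating a little clock drift between phone and server) and compares in
// constant time so response timing does not reveal how many digits matched.
func verifyTOTP(secret []byte, code string, unix int64) bool {
	for _, skew := range []int64{-1, 0, 1} {
		expected := totp(secret, unix+skew*timeStep)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1 {
			return true
		}
	}
	return false
}

func main() {
	// The shared secret from the RFC 6238 test vectors: a constructed example
	// value, never a real key. Real secrets are random and never published.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := totp(secret, now)
	fmt.Println("code for this 30s window:", code, "accepted:", verifyTOTP(secret, code, now))
	stale := totp(secret, now-4*timeStep)
	fmt.Println("code from two minutes ago accepted:", verifyTOTP(secret, stale, now))
}
```

A production verifier adds one more check this example omits: it records each code it has accepted and refuses the same code a second time within its window, so that a code phished from the user cannot be replayed by the attacker moments later.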

Aside from authentication, confidentiality relies on a combination of data encryption and access management. Encryption keeps documents private by converting readable files into ciphertext that only holders of the decryption key can read, which protects data at rest (on a lost laptop or a backup tape) as well as data in transit across the network. Access management lets you control who may open which files, which stops outsiders, and insiders without a need to know, from peeking at company secrets.

Lastly, keep in mind that confidentiality is breached more often through unaware employees than through broken technology. Online scams are on the rise and are convincing ever more unwitting users to hand over their login credentials or private information. To maintain confidentiality, non-disclosure agreements and training that teaches staff to recognise these scams can have as much impact as strong anti-phishing software.

Integrity

When it comes to business IT, "integrity" means data must remain unchanged, other than by authorised edits, during storage, transmission and use. Encryption on its own does not guarantee this: a cipher hides the content, but many encryption modes let an attacker flip bits in the ciphertext so that the decrypted data changes in a predictable way, and nothing raises an alarm. Integrity comes from a cryptographic check that the recipient verifies, such as a message authentication code (MAC) or digital signature computed over the data, or from an authenticated encryption mode such as AES-GCM that bundles the check with the encryption. Applied to the information resting in your data centres and travelling across your network (TLS does this for web traffic), these checks let the receiver detect any tampering and reject the altered copy rather than act on it.
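The point that encryption by itself does not give integrity is easy to see in code. The following added example (not from the original page or from Empower IT) encrypts a payment instruction with AES in CTR mode and then with AES-GCM; in both cases an attacker who knows the message layout, but not the key, XORs a few bytes of the ciphertext to change the amount from 0100 to 9100. CTR hands back the forged amount without complaint; GCM refuses to decrypt at all. The message, key and account number are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

const gcmNonceSize = 12 // standard GCM nonce length

// ctrEncrypt encrypts with AES-256-CTR and prepends the random IV. CTR is a
// stream cipher: ciphertext = plaintext XOR keystream, so the content is
// hidden but nothing detects modification.
func ctrEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, aes.BlockSize+len(plaintext))
	iv := out[:aes.BlockSize]
	if _, err := io.ReadFull(rand.Reader, iv); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, iv).XORKeyStream(out[aes.BlockSize:], plaintext)
	return out, nil
}

// ctrDecrypt reverses ctrEncrypt. It cannot notice tampering; it simply
// returns whatever the (possibly altered) ciphertext XORs to.
func ctrDecrypt(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < aes.BlockSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(ciphertext)-aes.BlockSize)
	cipher.NewCTR(block, ciphertext[:aes.BlockSize]).XORKeyStream(out, ciphertext[aes.BlockSize:])
	return out, nil
}

// gcmEncrypt uses AES-256-GCM, an authenticated mode: the output carries a
// 16-byte tag computed over the ciphertext, and decryption verifies it.
func gcmEncrypt(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcmNonceSize)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext+tag after the nonce so the receiver gets both.
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// gcmDecrypt returns an error, and no plaintext, if even one bit was changed.
func gcmDecrypt(key, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) < gcmNonceSize {
		return nil, errors.New("ciphertext too short")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, ciphertext[:gcmNonceSize], ciphertext[gcmNonceSize:], nil)
}

// tamper is the attacker's move: knowing the plaintext layout (here, that
// bytes 4..7 hold the amount) it XORs the difference between the known text
// and the wanted text into the ciphertext. No key is required. bodyStart is
// the length of the IV or nonce that precedes the encrypted body.
func tamper(ciphertext []byte, bodyStart, offset int, known, wanted []byte) []byte {
	out := append([]byte(nil), ciphertext...)
	for i := range known {
		out[bodyStart+offset+i] ^= known[i] ^ wanted[i]
	}
	return out
}

func main() {
	key := make([]byte, 32) // constructed all-zero demo key; use a random key in practice
	msg := []byte("PAY 0100.00 AUD TO ACCT 4711")

	ct, _ := ctrEncrypt(key, msg)
	forged, _ := ctrDecrypt(key, tamper(ct, aes.BlockSize, 4, []byte("0100"), []byte("9100")))
	fmt.Printf("CTR, tampered: %q (accepted silently)\n", forged)

	gct, _ := gcmEncrypt(key, msg)
	_, err := gcmDecrypt(key, tamper(gct, gcmNonceSize, 4, []byte("0100"), []byte("9100")))
	fmt.Println("GCM, tampered:", err)
}
```

The same bit-flipping works against CBC (it scrambles one block and edits the next) and against any "encrypt only" design; the fix is always to authenticate the ciphertext, either with an AEAD mode like GCM or ChaCha20-Poly1305 or with a MAC applied after encryption and checked before decryption.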

You should also set file permissions so that unauthorised users can't edit your data. Microsoft Office 365, for example, lets administrators set access permissions on each file, folder and subfolder, so that only accounting managers can modify certain documents while everyone else has read-only access. Review those permissions periodically, because rights tend to accumulate as people change roles and are rarely taken away.

Of course, not all threats to integrity are intentional or malicious. Authorised employees make data entry errors, and for those cases you need version history so that a previous revision can be restored. And because sudden system crashes and equipment failures can corrupt data, keep backups so that a clean copy of the file is available when you need one.

Availability

Data adds no value to your business if it is lost, destroyed or unreachable. As such, the workstations and servers that store and process information, the network links and applications used to reach it, and the security controls that defend it must all be working whenever the business needs them.

For example, adequate bandwidth and processing power keep staff working rather than waiting for websites and programs to load. You also need to keep your business software and security products patched and up to date, so that known vulnerabilities can't be exploited to take systems down; WannaCry spread through a Windows flaw for which a patch had been available for two months.

Other factors you should account for are floods, fires and power outages. If any of these hits your onsite data centre, it could spell the end of your business; industry reports have repeatedly found that many small businesses never reopen after a major disaster.

To deal with these scenarios, data backups and a disaster recovery plan are key. Storing backups in the cloud, in a region away from your office, keeps them safe from localised disasters and lets you restore quickly if your primary systems are compromised; test the restore regularly, because a backup that has never been restored is only a hope. Meanwhile, a tried and tested disaster recovery plan that specifies how, and how quickly, to restore access to critical systems will minimise the revenue lost to both natural and man-made disasters.

Prioritising CIA principles

Confidentiality, integrity and availability (CIA) are the building blocks of a solid information security program, but there are times when you should prioritise one over the others. For example, businesses that manage customer and proprietary information need to focus on confidentiality by proactively monitoring and controlling access to that data.

Availability should be the focus for agencies that provide 24/7 services in high-risk, disaster-prone areas. Financial firms, on the other hand, need to emphasise the integrity of transactions so that they don't pay the wrong amounts or send invoices to the wrong customers.

Adopt a CIA mindset

Although the security market is chock-full of solutions, remember this: every file you produce, data set you store and system you install needs confidentiality, integrity and availability to some degree. This may sound like common sense, but the companies that truly take it to heart are the ones that recover from even the worst data breaches.

Have you attained confidentiality, integrity and availability? At Empower IT, we make sure your business understands these concepts and has the protections necessary to achieve them. Call us today to find out what it takes to bolster your defences.