The CIA of Data Protection – Day 25 of Cybersecurity Awareness Month
Mike Miller 00:06
We’ve recently discussed the importance of data privacy measures in our businesses and personal lives, but it got me thinking about how I’m supposed to protect data as a business owner or as a managed service provider. So with us today to discuss data protection and the CIA is Craig Taylor, CEO and co-founder of CyberHoot, an online Cybersecurity Awareness training and cybersecurity program tool for MSPs to resell and businesses to use. So Craig, how should I be protecting the data entrusted to me as a business owner?
Craig Taylor 00:39
So great question, Mike. And it’s really important in Cybersecurity Awareness Month. So cybersecurity is very much focused on protecting data and information. But the question is, and what most people don’t understand is, how are we supposed to protect that data? And really, the answer is simple. There are three main tenets that we focus on for protection of data.
And they’re known as the CIA. I use that very specifically, because everyone remembers that three-letter agency in the government, whether they love it or they’re nervous about it, that is a different story. But it’s a good way to remember data protection.
And the C stands for confidentiality: is the data accessible only by those who should have access to that data? So for example, in your business, if you have a spreadsheet on the salaries of all your employees, that shouldn’t be on a public drive for all your employees to view. It should be in an HR folder, where you make, you know, raises and decisions around hires and salaries, and it is limited to the CEO or the CFO and HR.
Integrity is what the I stands for. And that is whether the data is accurate or free from tampering.
So for example, if that spreadsheet was open, and it was used for the payment to employees of what their salary was, what if an employee got access to the spreadsheet and added a zero to their salary, or something more subtle, just, you know, a few thousand dollars? The HR person might not recognize that, and that person will give themselves a raise, and the integrity or the accuracy of the data would be suspect. And that’s a problem.
The third is the most commonly understood and the one that everybody is most typically concerned about. The A stands for availability: is the data available when you need it? And a lot of folks say, Well, if I have a backup, and I get a ransom event, I can just restore that data, and I’ll get that availability back.
But newer ransomware puts that data on the internet, affecting its confidentiality, and possibly tampers with the data, affecting its integrity, so that it looks like your company is doing some bad things. So all three are really critically important for businesses. Now, there are other aspects of data and access and permissioning.
Things like identity and access management, or non-repudiation of actions, that is, can you prove that whoever made a change was the person who made the change. All of those things go around data protection as well, but the three that I want you to take home with you today are the CIA: confidentiality, integrity, and availability.
Mike Miller 03:16
Okay, okay. So protecting the confidentiality, integrity and availability is important to businesses. But can you give me like the top ways, like, let’s say, five, three or five ways in which businesses should go about protecting their data, in these ways, like through confidentiality, integrity, and availability?
Craig Taylor 03:39
Absolutely. So I’ll give you five ways, or five things that every business ought to do in order to protect their data, and, frankly, their operations and their business, their reputation, everything. These five are sort of the minimum essential security measures that every company should take. And as a consequence of them, you’re looking to protect your data.
The very first one is a risk assessment. You should do a risk assessment. Most companies I go to consult with in my vCISO practice through CyberHoot have never had a risk assessment before. And they sort of cherry-pick the things they want to fix, but they don’t know if they’re the most important or the most dangerous, or why they’re doing it. It’s just their choice.
A risk assessment really codifies it and puts it into a method of analysis that allows you to rank-order the threats you face, the risks you face, and then plan over time how to remediate that. So that’s your number one.
The second is you can’t really do a risk assessment on your own. You need a seasoned professional. If you said, Oh, my daughter broke her arm, let me try and fix it. You wouldn’t do that; you’d go to a doctor. So you should go to a vCISO, or chief information security officer. Not a full-time one that you hire yourself, because you won’t find them and they’re too expensive, but you should hire a vCISO. So, and I’ll be shameless, plug: CyberHoot has a series of vCISOs standing by to help your company out with these kinds of things. We always start with a risk assessment, and some of the later things I’m going to mention, but that chief information security officer helps you build a cybersecurity program that fits your business. It’s right-sized for you and for your current cybersecurity maturity.
Many times people will say, Oh, I need a next-generation firewall, or I need this technology or that technology. And it’s like saying, when you go to the emergency room, you’ve been in a car accident and you’re bleeding, the doctor says, oh, you should have your cholesterol checked. That makes no sense, because you’re not there for that. In that moment, that’s not going to help you at all. Certainly in the long run it does, but at the moment, you need to stop the bleeding. And most companies I walk into have a number of critical risks that need to be addressed long before they check cholesterol or do some of these higher-order, more mature activities.
The third tip is to begin Cybersecurity Awareness training with your employees, consultants and contractors. Without awareness, these people are just ticking time bombs for clicking on a phishing attack, giving up their credentials to a hacker, buying gift cards out the wazoo, sending a wire transfer to the wrong person. There are just so many different hacks that are out there today. With hackers, you know, COVID has led to a lot more hackers, a lot more free time to attack us all; attacks are going through the roof.
So you need to train your employees on how to spot and avoid those forms of attack. Fourth, once you train them on how to spot phishing, it makes a world of difference if you even test them one time with a phishing test, to make sure they apply their knowledge. I have very important cases where I’ve been training a company for three years; the first test I ran, they failed miserably, and they passed every single test since then. Their employees did not apply their knowledge.
So testing them at least once, or once a quarter, is our recommendation. And again, CyberHoot does all of that. Govern your employees with policies. We talked about discretionary and mandatory controls earlier in another podcast, and discretion is up to the employee. And that’s where governance policies create the set of requirements for your employees to choose wisely. When they’re signing up for an online service, and they can pick a password at their own discretion, they should follow your governance policy that says 14 or more characters in length, not their favorite eight- or nine-character password, because that will lead to a breach of that Software as a Service website.
So Mike, in summary: a risk assessment, a virtual chief information security officer, awareness training, test your employees, and govern them. Those five are part and parcel of our CyberHoot vCISO program, in case folks are interested in that. And if you start with these things, you’re on your way to building a basic minimum essential security program that you can then augment over time with additional controls and protections that will help protect your company and lower the chance that you’ll be breached, that your data will not be available, or that it might be changed; the CIA of your data protection will be protected.
Mike Miller 08:05
Okay, so protect your data’s confidentiality, integrity, and availability by hiring a CyberHoot vCISO to help you do it.
Craig Taylor 08:15
Yes, we’d love it to be CyberHoot, but any vCISO, as long as, you know, they come with great recommendations. But yes, we’d like you to hire us. You just need that outside assistance to make it work properly for your company.
Mike Miller 08:29