Think security, think CIA – but we’re not talking spies and sleuths
The threat of cyber-attack is increasing every year, and only recently have we read about Dixon Carphone’s huge data breach last year. It’s bad for customers and it’s bad for business.
According to figures published by the Online Trust Alliance, 2017 was the worst yet in terms attacks on organisations. Attacks doubled from 82,000 incidents in 2016 to over 159,000 – and that’s just the ones we know about.
Keeping up to date with the latest cyber security threats is challenging to say the least. The time between vulnerability disclosure and attack launch is getting shorter all the time, and it’s easy for a hacker to change a line of code, and then fire off another – ever so slightly different – attack.
Effective cyber security is knowing what’s important to you and protecting it to the best of your abilities. One way to make things clearer is to break it down into three elements. The acronym might have already been taken by a well-known US institution but at least ‘CIA’ is memorable.
For our purposes, we’re taking about Confidentiality, Integrity and Availability.
- Confidentiality is all about privacy and works on the basis of ‘least privilege’. Only those who require access to specific information should be granted it, and measures need to be put in place to ensure sensitive data is prevented from falling into the wrong hands. The more critical the information, the stronger the security measures need to be.Measures that support confidentiality can include data encryption, IDs and passwords, two-factor authentication, biometric verification and keeping secure and unsecured networks apart, which could even include having a stand-alone computer disconnected from the internet.
- The integrity of information is essential, and organisations need to take the necessary steps to ensure that it remains accurate throughout its entire life cycle. Access privileges and version control are always useful to prevent unwanted changes or deletion of data and back-ups should be taken at regular intervals to ensure that any data can be restored.
- Availability is all about how you keep your business up and running. Keeping operational is critical and you need to ensure that those who need access to hardware, software, equipment or even information can maintain this access at any time. Disaster planning is essential for this and organisations need to plan ahead to prevent any loss of availability, should the worst happen. Examples of disaster planning include preparing to deal with cyber-attacks (such as DDoS), data centre power loss or even potential natural disasters such as a flood or severe storm.
CIA also applies to GDPR. A key principle of the new regulations is that you have to process personal data securely by means of ‘appropriate technical and organisational measures’ – this is called the ‘security principle’. Any measures must therefore ensure the confidentiality, integrity and availability of your systems and services and the personal data you process within them. These measures must also enable you to restore access and availability to personal data in a timely manner in the event of a physical or technical incident and businesses also need to ensure that they have appropriate processes in place to test the effectiveness of measures and undertake any required improvements.
All three of the CIA elements are required to ensure you remain protected. If one aspect fails, it could provide a way in for hackers to compromise your network and your data. However, the mix between the three parts is down to an individual company, the project or asset it is being deployed on. Some companies may value confidentiality above all, others may place most value on availability.
Whatever the combination, it’s important that the CIA triad is considered at all times and by doing so you protect your organisation against a range of threats, without having to spend too much time away from your core business.
Technology is no longer just an enabler; it is now the beating heart of most businesses and if it fails, the consequences can be terminal.