It takes businesses an incredible average of 206 days to identify a data breach and a further 73 days to contain it.
Statistics for data loss are just as sobering. With 58% of small businesses not having a backup plan and 70% of small firms going out of business within a year of a major data incident.
The CIA Triad provides the three simple principles for data security. Employing all three components means your information is protected with good security, but when we lose any of them it becomes a vulnerability that a bad actor could exploit.
1. Confidentiality
Minimise who has access to your data, working on the principle of “least privilege”. Logically enough, the fewer people that have access to your or your client data, the more secure it is.
It’s vital to recognise that employee movements also impact access to your data and systems. Whether they are moving teams or leaving the business entirely, it’s important that their access is updated or revoked to reflect their new relationship with the business. Too many times access remains in place to confidential folders or old accounts are left active.
2. Integrity
Don’t just reduce who has access, limit who can manipulate the data. While confidentiality dictates who has access at all; integrity can take this one step further and divide up access between those who can view the data and those who can modify (and delete!) your data.
Verify the changes that have been made to your data, or that changes have not been made to your data.
Minimise the use of data duplication, a major culprit of this is forwarding copies of documents to internal staff. While sending a digital copy to external parties is often unavoidable, within your own business you should endeavour to send links to the master document location to reduce the chance that the wrong document will be edited, or one edit overwritten with another.
3. Availability
Consider how you reliably get access to your data, not just in normal operations but consider if there was a data loss incident or an extended outage.
Your daily operations have to be supported by the infrastructure you invest in, invest too little and you will adversely affect staff productivity (and conversely if you invest too much you won’t see the return on that investment).
Beyond this you must contemplate what your business’ appetite for downtime is and structure your business continuity around that. Can your business survive — or will your clients tolerate — downtime of a week if that’s how long it takes to regain access to your information in case of a major data incident?
Don’t forget about your cloud services either. Cloud is a great way of making many of the daily issues a problem for someone else, however you still need to consider the security of your data in the cloud as well as how you will get access to this data if your provider ever has an extended outage.
Tying it all together
Concentrate on one aspect of the CIA Triad at a time and recognise that sometimes there’s a trade-off; tighter security might lead to more complicated and thus slower access (availability). Identify the most critical component(s) for your business and put more focus on them, without neglecting the other(s).
If you follow the guidelines behind the CIA Triad, then you’ll have good data security as well as a plan of action and peace of mind if anything unfortunate does happen to your vital business information.
There are a lot more subtleties to the CIA Triad and data security in general, so do reach out to your technology partner for more details.