We are currently in the middle of a digital revolution which continues to grow with each passing day. Not surprisingly, we are generating and consuming information at an astounding rate, contributing to the information explosion and leaving behind an extensive information footprint in digital, physical and spoken formats. This trend is set to continue: global data volumes are forecast to reach 44 trillion gigabytes by 2020.
In today’s “Information Age”, data has become an extremely valuable asset. Nowadays, information is used to compete and succeed in a global market. In fact, intangible information assets can represent 80% or more of an organization’s total value. With that being said, organizations must prioritize the protection of their mission-critical information assets. These assets require clear ownership and heightened protection due to the risks to which they are exposed.
What Are Your Mission-Critical Information Assets?
For centuries, organizations have been acquiring, producing, leasing, licensing and selling assets. Accounted for in financial statements, these assets represent an organization’s wealth and financial stability. This makes them vulnerable to theft and fraud. As a priority organizations should focus on those assets that are of the highest value and risk – commonly referred to by business leaders as the “crown jewels”.
Assets such as property, plant and equipment are tangible whereas information is an intangible asset. There are two types of intangible assets:
- Legal – such as trade secrets, copyrights and customer lists
- Competitive – such as company culture, collaboration activities and customer relationships
Both types are essential drivers of competitive advantage and shareholder value today. It’s common to view the value or importance of information by using a simple classification chart (e.g., negligible, low, moderate and high); however, mission-critical information assets represent only the very tip of the highest layer. Information of high business value or impact could still register as “high” or “critical” but not necessarily be designated as mission-critical. Traditional risk assessment approaches would not identify this information separately, so mission-critical information assets typically require a different approach to identification.
At the Information Security Forum (ISF), we refer to information assets with a high value and business impact rating as “mission-critical information assets”. When identifying mission-critical information assets, organizations should take into account the extent to which:
- The information asset contributes to, or supports, business value (e.g., business revenue; competitive advantage; operational effectiveness; and legal, regulatory or contractual compliance)
- The business could be impacted in the event of the confidentiality, integrity or availability of the information asset being compromised, considering any financial, operational, legal/ regulatory compliance, reputational, or health and safety implications.
Valuable Information Brings Added Risk
Data breaches are happening with greater frequency, and are compromising larger volumes of data, than ever before. As breaches continue, and the number of compromised records grows, organizations are being subjected to stronger financial penalties, greater legislative and regulatory scrutiny, and tangible reputational damage. For organizations that suffer an incident, responding in an intelligent and confident manner is becoming essential.
Business leaders often consider the value of mission-critical information assets, but fail to recognize the extent to which these assets are exposed to threats and the potential business impact should they be compromised. These assets often attract the attention of highly motivated, capable and well-funded adversarial threats, such as unscrupulous competitors, nation states and organized criminal groups. The extensive footprint of these assets provides more opportunities for attackers to gain access.
Recent ISF research found that different types of mission-critical information assets will often require innovative, advanced and sometimes unique protection approaches, supported by a range of security controls. Unfortunately, many organizations simply do not know what their mission-critical information assets are, where these assets reside or who is responsible for them. Few organizations have given focused attention to defining their mission-critical information assets across the enterprise. As a result, these assets are frequently incorrectly classified and poorly managed.
The Global Impact of EU Data Protection Reform
I’d like to move now to take a look at what regulators and legislators are doing and I’m going to focus on the European Union (EU) General Data Protection Regulation (GDPR).
Most governments have created, or are currently in the process of creating, regulations that impose conditions on the protection and use of Personally Identifiable Information (PII), with penalties for organizations who fail to sufficiently protect it. As a result, businesses need to treat privacy as both a compliance and business risk issue, in order to reduce regulatory sanctions and commercial impacts such as reputational damage and consequential loss of customers due to privacy breaches.
Back in January 2012, a two-part data protection reform was proposed and this Regulation will officially go into effect in May of 2018. It will certainly have an international reach, affecting any organization that handles the personal data of EU residents. From a standpoint of doing business in Europe, EU reform means that anybody who is handling European data in any way, shape or form will know exactly what they need to do and what they can get away with.
The Regulation aims to establish the same data protection levels for all EU residents and clarify blurred lines of responsibility and will have a strong focus on how organizations handle personal data. Organizations face several challenges in preparing for the reform, including a lack of awareness among major internal stakeholders. The benefits of the Regulation will create numerous compliance requirements, from which few organizations will completely escape. However, organizations will benefit from the EU-wide consistency introduced by the reform and will avoid having to navigate the current array of often-contradictory national data protection laws. There will also be international benefits as countries in other regions are devoting more attention to the protection of mission-critical assets. The Regulation has the potential to serve as a robust, scalable and exportable regime that could become a global benchmark.
Because of the effort required to report data breaches, it is absolutely essential that organizations prepare in advance. For many, this will require a more coherent incident response process along with closer cooperation between multiple departments, in particular legal. This coherence is essential, as Data Protection Authority’s (DPAs) will want to see a transparent rationale for remediation actions taken in response to a data breach. ISF members have the benefit of an information security incident management framework that helps members build and improve their incident response capability and members should be well placed to deal with the implementation of the regulation.
The cost of non-compliance will increase, not only from new sanctions and fines but also from the court of public opinion. Reporting requirements will steadily push more data breaches into public view, creating reputational risks that many organizations have thus far avoided. Organizations that establish themselves as trusted data protectors will benefit commercially.
With reform on the horizon, organizations planning to do business in Europe, or those already doing business in Europe, must get an immediate handle on what data they are collecting on European individuals. They should also know where is it coming from, what is it being used for, where and how is it being stored, who is responsible for it and who has access to it.
Move Beyond Conventional Protection
Mission-critical information assets demand and justify additional investment to ensure these assets are adequately protected. However, greater protection does not just mean performing additional security activities or purchasing more security products. To protect mission-critical information assets, including the footprint, a range of different protection approaches are likely to be needed for different types of mission-critical information asset. Information security practitioners have to think and plan beyond existing protection capabilities and security controls to provide owners of these information assets with protection that is:
- Balanced, providing a mixture of informative, preventative and detective security controls that complement each other
- Comprehensive, providing protection before, during and after threat events materialize into security incidents
- End-to-end, covering the complete information life cycle.
This will enable organizations to match the protection provided with the sophistication of threats to mission-critical information assets. Organizations should also consider controls that are:
- Automated, to complement manual security controls and help ensure greater levels of protection can be maintained
- Fast, operating in real time, supporting decisions that need to be made immediately
- Resilient, being resistant to direct attack by highly capable and committed threats.
While the need to provide mission-critical information assets with specialized protection can appear obvious, organizations often experience difficulties in identifying these assets, evaluating the extent of their exposure to adversarial threats and understanding the true level of risk to the organization. Consequently, many organizations do not adequately protect their mission-critical information assets and are vulnerable to a range of attacks, including serious cyber-attacks.
In contrast, ISF research has revealed that some organizations demonstrated “good practice”, providing the necessary high levels of protection for mission-critical information assets. These ISF members invest time and resources in a range of security activities, which form part of a broader set of good practices in information risk management and information security.
Cyber Resilience is Crucial
Every organization must assume they will eventually incur severe impacts from unpredictable cyber threats. Planning for resilient incident response in the aftermath of a breach is imperative. Traditional risk management is insufficient. It’s important to learn from the cautionary tales of past breaches, not only to build better defenses, but also better responses. Business, government, and personal security are now so interconnected, resilience is important to withstanding direct attacks as well as the ripple effects that pass through interdependent systems.
I urge organizations to establish a crisis management plan that includes the formation of a Cyber Resilience Team. This team, made up of experienced security professionals, should be charged with thoroughly investigating each incident and ensuring that all relevant players communicate effectively. This is the only way a comprehensive and collaborative recovery plan can be implemented in a timely fashion.
Today’s most successful, and cyber-resilient organizations, are appointing a coordinator, such as a Director of Cyber Security or a Chief Digital Officer (CDO), to oversee all activities in cyberspace and to apprise the board of its responsibilities for operating in cyberspace. This coordinator also highlights the board’s obligations to establish cyber resilience programs that protect the organization’s mission-critical assets and preserve shareholder value. Such efforts are especially important due to all of the legal facets of doing business in cyberspace.
Take it to the Board
Finally, information risk must be elevated to a board-level issue and given the same attention afforded to other risk management practices. Organizations face a daunting array of challenges interconnected with cybersecurity: the insatiable appetite for speed and agility, the growing dependence on complex supply chains, and the rapid emergence of new technologies. Cyber security chiefs must drive collaboration across the entire enterprise, bringing business and marketing needs into alignment with IT strategy. IT must transform the security conversation so it will resonate with leading decision-makers while also supporting the organization’s business objectives.
Given the rapid pace of business and technology, and the myriad elements beyond the C-suite’s control, traditional risk management simply isn’t agile enough to deal with the perils of cyberspace activity. Enterprise risk management must build on a foundation of preparedness to create risk resilience by evaluating threat vectors from a position of business acceptability and risk profiling. Leading the enterprise to a position of readiness, resilience and responsiveness is the surest way to secure mission-critical assets and protect people.
Successful cyber security programs require careful planning and sustained effort throughout the enterprise, with executives leading the charge. Organizations that sow and fertilize a deeply rooted culture of security are most likely to be resilient and competitive in the face of ongoing threats and challenges. As the players, targets, and stakes shift in response to geopolitical and financial forces, leadership must remain vigilant—keeping up on trends and emerging threats, drawing lessons from incidents at other companies, reassessing plans and priorities, and collaborating closely with security experts.