You’ve invested in security solutions to protect your business from cyber attacks. But you also know that no solution is 100% bulletproof – the attackers are going to find their way in somehow. With that in mind, are you sure that you’re adequately protecting the right assets from intruders?
According to F-Secure principal security consultant Tom Van de Wiele, who works with companies on improving their security posture, for too many organizations, the answer turns out to be no.
“Most companies don’t really know what they should be protecting, and what it is that is worth protecting,” Van de Wiele said on a recent podcast episode. According to him, this is one of the reasons breaches are so common. “So that means that if you don’t really know who you’re up against, you’re not going to be successful in trying and detecting ways of people trying to get to the things that are the most important to your business.”
Obviously you need to protect your entire network. But not everything in your network is equally sensitive. So how do you know which assets justify additional controls? Here are three ways to find out.
- Identify your so-called “crown jewels.” These are the mission-critical assets that are integral to the success of your business. It is critical to figure out what those are and where they are located, and then to protect them with an enhanced level of security. This might include employee information, intellectual property, business plans, or customer PII (personally identifiable information).
- Identify other sensitive data that doesn’t necessarily fall under the category of “crown jewels,” for example customer lists, or yet-to-be-released press releases and company results. These are items whose leak wouldn’t necessarily put an end to your organization, but could do harm to your business or reputation.
- Figure out your threat model. Which kinds of attackers are most likely to target your business, and what assets are these attackers after? Could your organization be of interest to a motivated, skilled attacker with a specific purpose in mind? Or is your most likely attacker an opportunistic criminal just looking for the quickest way to monetize data? This relates in large part to the industry you are in. For example, the healthcare industry commonly experiences attacks on patient data; POS system intrusions are common in the hospitality industry; and manufacturing firms commonly experience targeted attacks going after intellectual property.
“One does not have the resources or the budget, nor the people, to be able to protect everything,” Van de Wiele says. “Not everything is as important, worth protecting. So that means figuring out what the worst case scenarios are, figuring out who you’re up against, as part of a threat model, is really the key to success here.”
And just how do attackers go after the assets that are of interest to them? Detailed examples can be found in our story of a targeted attack in the manufacturing industry. The attackers’ goal: to sabotage a pulp plant’s manufacturing process so they can demand a fee to restore it. Read all about their search for the company assets in The Hunt.