What is a Comprehensive Cybersecurity Strategy? PART 2 – Identify
Cybersecurity is what we do to protect business networks and data from internal and external attacks. Depending on the type of business you are in, you may store information about your clients, payments, accounting and finance, etc. Loss of any important data to a fire or flood, a hacker, or a malware infection could have devastating consequences for your business.
How you manage your data largely determines how well you can protect it. If you have not done so already, we recommend following the practices outlined in the first phase of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), i.e., “Identify”.
Conduct an Inventory of Your Data
The type of data will vary from business to business and from industry to industry. Most of our clients hold customer records (account information, purchasing history), business legal and tax information, and employee information such as payroll, direct deposit bank details, social security numbers, and home addresses. Businesses and organizations in industries such as healthcare, finance, and not-for-profit may also store what is known as Personal Health Information (PHI) or Personally Identifiable Information (PII) about their clients. Regardless of the industry, every business keeps “critical” records of some kind. The important thing is to know where this data is.
Assess How Your Data is Protected
Most businesses store their data on servers or computers throughout the organization, from where it is shared and transmitted via e-mail as needed. The second action item in identifying your information is to assess how it is protected: Is it backed up locally and in the cloud? Is it protected against viruses and malware? Is it encrypted? The result of this step should be a written guideline for how to handle, validate, and protect this valuable asset.
Determine Who has Access to Your Data
As you conduct the inventory, determine who has access to your data. You do not want employees finding the Human Resources records of other employees, and unless you run an open-book business, you may not want employees outside the accounting and finance functions accessing that critical information. More generally, you should limit data access rights to employees on a “need to know” basis.
Find Out if You are Required to Comply with Regulations Protecting the Data You Have
Now that you have gained insight into your critical data, you must find out whether your business is subject to regulations that require special measures to protect against and detect (more on these two topics later) attacks on your data. In addition, you must identify any reporting requirements that apply when a loss of data occurs.
In my next blog posts, I will address the other phases of the NIST framework to give you an idea of how to protect your network and data.