Protecting Critical Information Assets from Intruders and Insiders

By Susan Hoffman
Contributor, InCyberDefense

Organizations commonly have various information assets that should never be revealed to the general public or to competitors. Typically, these information assets consist of:

  • Proprietary information concerning operations and strategy
  • Documents concerning research and development about new products or services
  • Lists of current and prospective customers
  • Private customer data such as names, addresses and Social Security numbers
  • Legal/compliance documents
  • Sales materials
  • Financial information

The most critical information assets, however, vary from one entity to another. For example, a hospital will want to protect confidential information concerning its patients to conform with federal regulations. Similarly, retail organizations guard their customer records and manufacturers want to protect their intellectual property.

Unfortunately, information assets are vulnerable to theft. Valuable information may be stolen by hackers who gain access to the organization’s network or by a disgruntled ex-employee who wants revenge for being fired. Sometimes, the hacker sells the information for a profit on the Dark Web or the ex-employee offers that information to a competitor, hoping to be hired for a new job.

In more advanced cases, criminal syndicates or even government agencies with large financial resources may seek proprietary information. According to McKinsey & Company, “the attacks can be simple or sophisticated, the objectives varying from immediate financial reward to competitive or even geopolitical advantage.”

Protecting Information Assets in the Internet of Things Age

Today’s information assurance analysts are constantly kept busy identifying risks and analyzing potential threats. These security threats involve problems with anything that could interfere with normal company operations: hardware, software, internal employees and hackers.

Also, the Internet of Things (IoT) has made it even more difficult to protect proprietary data. With the increased use of remote mobile devices such as smartphones and tablets, hackers can set up fake hotspots in public venues, infect mobile devices with malware or send emails with links to ransomware. Similarly, an insider could insert a thumb drive into a laptop, copy information onto the thumb drive and take it to a competitor.

Although organizations have the option of buying cyber insurance to protect themselves from the damage of a cyber breach, this insurance is an extra expense. Smaller businesses may not have extra funds for this form of protection.

Controlling Information Assets that Need the Highest Level of Protection

Ideally, companies should identify their information assets, perform regular risk assessments and take the necessary steps to protect their information from theft. Although it is difficult to guard critical information from an advanced persistent threat (the work done by a hacker who will try for years to break into a network until he or she succeeds), security risks can be monitored and mitigated.

What are the best ways to control information assets? Consider the following questions:

  • Which information would cause financial or public relations damage if it became known by a competitor or the public?
  • Have security policies been established about what information to share with others?
  • Do employees’ postings on social media sites give any clues to privileged information?
  • Which employees have access to critical information?
  • For employees who have been fired, what is the procedure for promptly ensuring they do not have access to proprietary information through backdoor accounts?
  • How is access to proprietary information controlled?
  • Have regular security scans been implemented to detect unusual employee activity?
  • If information is copied by a user, does the process require authentication?
  • Are there backup copies of information available if servers and end user devices are compromised?

Determining what information can be considered critical to an organization requires dedicated effort and the hiring of highly capable employees for risk assessment and protection. Today’s organizations cannot afford security breaches and they also do not want the embarrassment of being publicly disgraced on social media sites.
