Expert Commentary

Understand the Layers of Cyber-Security and What Data Needs Protecting

As the Internet of Things (IoT) and interoperability facilitate the increasing collection, storage, and distribution of huge amounts of data, it has become clear that not all data is created equal. While organizations may produce comparable amounts of data, the sensitivity of the data may vary substantially and so will the cyber-security needed.


Cyber and Privacy Risk and Insurance
March 2017

With an ever-increasing number of people utilizing the IoT and participating actively in cyber-space, it has to be determined what kinds of data need the most protection. Proactive measures aimed at preventing cyber-attacks are often regarded as unnecessary time and resource drains with little return. Additionally, it seems that, within organizations, properly carrying out security protocols is often a thankless job. This reality makes employee compliance even more difficult since cyber-security is an area of regular business operation that really only gets noticed once something goes wrong.

Unsurprisingly, I have found that this is an especially prevalent attitude among people that have never experienced the devastating consequences of a breach firsthand. However, preventive measures are most effective when paired with adequate detection and resilience protocols that fit the sensitivity of the data in question.

Levels of Cyber-Security

When confronted with the risks of being online, aiming for a fail-proof approach to cyber-security is simply not realistic. Investing all resources in prevention minimizes an organization's ability to efficiently spot and respond to a breach if or when it occurs. A primary step in developing a data protection plan is figuring out which of your data is the most important and where it is stored.

To illustrate, there is a huge difference in sensitivity and importance between biometric marker data like fingerprints in a government office and a grocery store's inventory list. It only makes sense that the effort we invest should match the types of data we want to keep safe. This is an especially salient point when it comes to the public sector, health care, legal offices, and human resource departments.

So, once you identify and locate your most important data, try to figure out where the doors to it are. That is, are there any immediately glaring vulnerabilities in your security system that make it easy for someone to access this data? Many cyber-security experts, including myself, like to illustrate the layers of cyber-security with a house.

Let's say your house is filled with valuables, representing your most important data. And let's also say that you have some valuables that you store in your front yard since they are not so valuable that you must store them in your house. You have a fence, a gate, a locking front door, locking windows, and an alarm system that sounds off in the event of an intrusion.

In this setup, the fence is a preliminary layer of defense with the alarm system being the final and strongest layer of defense. Now, even though this house seems pretty secure, all of the security controls need the active participation of its residents for maximum efficiency.

For example, how good is an alarm system at alerting a family and the police to a break-in if it's turned off? Is a front door a useful security measure if it's left unlocked or ajar? Or what if a family relies on the white picket fence alone for protection, deciding to leave some valuables out in the open? In real life, I think the average person is pretty good at doing what he or she can to keep their home as secure as possible. However, "cyber-homes" tend to be left much more open to attack, often without the users' knowledge or awareness.

Fixing the Perimeter

There are a few main reasons for this that I encounter when conducting security assessments. The following returns to our house analogy.

  • Organizations invest way too much in the fence and disregard the other tiers. It's sometimes like a house with no front door, no security system, lots of valuables, and surrounded by a giant wall. Yes, the giant wall is going to prevent a large number of attacks, and that's great. The issue is that this initial barrier is not going to necessarily deter all cyber-criminals and hackers, and, when they do manage to get around this first layer of cyber-security, there is nothing standing between them and your data. Furthermore, there are often no reliable or consistent controls to detect an attack once it has occurred.
  • Organizations don't actively and consistently keep their doors and windows locked. So, in this situation, the middle layers of cyber-security are not being maintained effectively. Even if the safeguards are there, they are not being used properly. This level is directly connected to issues of employee compliance, software update automation, and ongoing training. Think of it as someone jumping the fence. Now, how do we keep them from getting in the door? Employees clicking on malicious links and being unaware of phishing scams are ways in which this level of protection is not effective.
  • The alarm system is turned off, doesn't work, is not used properly, or is ignored. Imagine waking up in the middle of the night to your house's alarm sounding and, in response, you calmly turn it off and doze back to sleep. I don't think anyone would be comfortable doing this; however, this is often exactly what happens with organizations that invest in the best cyber-attack detection systems. Even when that alarm sounds, it's often ignored by IT and upper management.

Why? Again, I think that many organizations trust their perimeter security (that fence) way too much. Tied with the mentality of "That could never happen to me" or "My data isn't that valuable anyway," even the best alarm system isn't effective without external support. While a good wall may deter the majority of bad guys, you have to account for the determined cyber-criminals that really value your data. And, no matter how good your wall is today, it might not be great tomorrow. Technology is always evolving and with it, cyber-crime. To stay ahead, organizations have to stay apprised of the latest trends.

Conclusion

When creating or assessing a current cyber-security strategy, keep in mind that mitigating risk is more important than trying to avoid it altogether. Of course, preventive measures are important, and cyber-attacks are not necessarily inevitable, but investing appropriately in all the protection tiers is crucial. Too much focus on one level is detrimental to your overall security. Prevention, detection, and response are all equally important in developing a cyber-security strategy that fits the value and sensitivity of your data.


Opinions expressed in Expert Commentary articles are those of the author and are not necessarily held by the author's employer or IRMI. Expert Commentary articles and other IRMI Online content do not purport to provide legal, accounting, or other professional advice or opinion. If such advice is needed, consult with your attorney, accountant, or other qualified adviser.
