(Post 2 of the 12-week Information Security Management blog series)
When I ask people what they think is involved in cybersecurity, I almost unanimously receive a reply stating that its purpose is to stop hackers. While this is partially true, if this explanation is taken at face value and that is all that cybersecurity is about, then why would anybody or any organization that does not consider itself a target of hacking even consider cybersecurity important? Why would a mechanic, a local diner, or a dog walker ever think they would be a target of hacking? In all honesty, none of these businesses probably has anything worth stealing. This argument holds weight, if you accept this explanation of cybersecurity in its most basic form, considering that in 2014 only 18% of all data breaches involved innocuous information being stolen. Data breaches target valuable and sensitive information.
University of Maryland University College states that cybersecurity “focuses on protecting computers, networks, programs, and data from unintended or unauthorized access, change, or destruction.” Protecting against hackers certainly fits within this definition, but it does not fulfill it. Cybersecurity seeks to protect all of your computer and network resources from any threat that would change or destroy those resources, and from any unauthorized or unintended access to your data and systems. One might think “well, that seems rather broad,” and they would be correct. While hackers and even malware are scary to think about, and should be considered real threats to any person or organization with even a single computer, they are not the only things that threaten your data and IT assets.
In cybersecurity, a threat is simply anything that can damage information or information systems. NIATEC classifies threats to data, networks, and computers into four categories: human intentional, human unintentional, environmental natural, and environmental fabricated. I state these categories here because I wish to illustrate that there are many more things that can jeopardize your IT resources than just hackers. For example, the following is a non-exhaustive list of threats by category:

- Human intentional
  - Hackers
  - Disgruntled employees
  - Malicious software (virus, Trojan horse, etc.)
- Human unintentional
  - Careless employees
  - Accidental unauthorized access by a customer
- Environmental natural
  - Fire (natural)
  - Flood
  - Dust bunnies
- Environmental fabricated
  - Fire (arson)
As you can see, there are more types of non-technical threats than there are technical threats. In fact, many of these threats to your data, your network, and your computer systems also pose a threat to many other parts of your organization, if not to the organization as a whole. While we’re on the subject of things that impact your organization, exactly how dependent is your business on the computers that you use, the network they communicate through, and the data that they process and store? If you haven’t already connected the dots here, let me assist you. I’d be willing to bet that computers are essential to the success of your company. Your organization probably uses them for communication, financial management, storage of records, issuing billing statements and processing payments, hosting a company website, and likely for killing time while doodling in Paint.
You may be wondering, “How exactly does cybersecurity help defend against natural disasters or careless employees?” That is precisely the question I hope you would be asking at this point. Let me answer it as plainly as I can. In addition to using specialized technical tools to protect and secure networks and systems, cybersecurity also involves disaster recovery planning, business continuity planning in preparation for emergencies, creation and review of both policies and processes, risk analysis, vulnerability analysis, and the development and delivery of training for the users of an organization’s IT assets. All of these things work together to improve the resilience of an organization against the many events and conditions that would threaten its ability to continue to operate.
The decision about whether or not to embrace and implement cybersecurity should be given similar weight and importance as the decision about whether or not to insure your business. Organizations that think they do not need cybersecurity, I can only assume, either deal only in cash and keep records on paper ledgers, or they do not understand all the issues that cybersecurity addresses and how it can protect their organization while protecting their information systems. Some organizations might even think they cannot afford the costly technological tools and employees required to implement cybersecurity. While it is true that technical means of protecting and securing networks and data can quickly become a financial black hole, those means may not be necessary or even valuable to all organizations. An individual or small team of employees can feasibly develop a disaster recovery plan, a business continuity plan, and formalized policies and processes, and implement user training, using only free resources found on the Internet. Alternatively, more professionally prepared versions of these can be had for less than the cost of a single part-time, minimum-wage employee’s salary. Combined with basic anti-malware software and a firewall, having these documents can mean the difference between your organization surviving a major loss and being run out of business, and could even help prevent the loss from occurring in the first place.
You’ve made a lot of great points. Cybersecurity isn’t just about defending IT assets from hackers; it’s about enabling business functionality in a holistic sense. Equally important, cybersecurity isn’t just about the technical controls that a business can implement to defend the network; it’s also about the people and processes combined with technical controls that make up defense-in-depth. Without people with the right skill sets, experience and motivation, or processes that are consistent, thorough and repeatable, a network and the business functions it supports cannot effectively be maintained or defended. Finally, it is incredibly important that all cybersecurity business decisions are put in the context of risk. Without understanding the threats, vulnerabilities and probabilities of cyber events and incidents, an organization cannot effectively or efficiently apply people, process or technical resources to maintain and defend the business.