(Post 5 of the 12-week Information Security Management blog series)
If your organization conducts business within certain industries, there are federal laws and regulations that require the protection of sensitive information. Personal health information, payment card transactions, and financial investments are all governed by federal regulations that dictate how that information must be protected. Private businesses that work for the government must also comply with government information protection laws. But what if none of these categories apply to your company? What value is there in applying cybersecurity to your organization?
I wrote a couple of weeks ago about analyzing risks in your organization. Before you can analyze risks, it is first important to identify what has value to your organization: specifically, which things would cause a significant impact to your organization if they were lost. These are the assets that, if lost, would impact what my grad-school professor, Pete Wood, calls the "Three Big Rs": revenue, recovery, and reputation. Determining this information is part of what is called business impact analysis, or BIA, and it is one of the early phases of contingency planning.
Computer Weekly explains that conducting a BIA is critical to identifying how a disaster could negatively impact your company. In my previous article about thinking of cybersecurity as business security, I explained that these disasters can come in many natural and man-made forms, both technical and non-technical. In addition to helping you understand how an incident could impact your organization, a BIA also seeks to identify what is worth protecting. This is where companies that are not legally required to implement cybersecurity can pinpoint the value in doing so anyway.
For example, if the location of your office or storefront is critical to the success of your company, then there is value in preserving your ability to stay at that location. If your company is critically dependent on a server, desktop computers, or an externally hosted website, then there is value in protecting those assets. Alternatively, if your company depends heavily on its good reputation and the trust of its customers, then there is value in protecting that.
Adopting cybersecurity principles and practices addresses all of the above assets and more. Not only does cybersecurity implement technical controls, like intrusion detection systems, firewalls, and anti-malware solutions, it also involves planning for disaster. A large portion of information protection consists of non-technical security measures. You might be surprised to learn that information security controls include locks on your office doors, security cameras, security alarm systems, fire prevention systems, and the creation of plans and policies. While all of these things do in fact protect computers and information, they also serve double duty by protecting many other areas of concern to your business.
One might not think a mechanic could benefit much from cybersecurity, but a mechanic who implements cybersecurity can benefit from knowing that he or she has taken measures to protect valuable client information, the company website, or even financial records. That mechanic can also benefit from identifying the assets that are most critical to the continued success of the company and subsequently applying measures to protect those assets. Moreover, if the mechanic has a disaster recovery plan and a business continuity plan, he or she will be prepared in the event that a critical asset is lost, whether that asset is a computer, tools, or even the entire shop.