Many medium to large companies spend large amounts of cash creating a secure infrastructure that will safeguard their intellectual property.
Even businesses that may not seem like prime hacking targets, say a furniture manufacturer, can be sitting atop a mountain of valuable data, from customer financial details to personally identifiable information (PII).
But how do leaders identify what their most valuable digital company assets are?
An often-overlooked component of a company’s IT protection strategy is the asset identification phase.
Think like a hacker
To start, it can be helpful for leaders to step outside of their organization and look in:
- What information at my company would be most valuable to outside parties?
- What systems are critical to ongoing business operations?
- What systems have the easiest entry path?
What can hackers profit from?
In all but ideological cases, hackers want information that they can profit from. Customer financial data is often a key target and can include customer demographic data, bank account numbers, and credit card numbers. Also, many high-tech companies have significant data on research and development efforts and product innovations that could be extremely valuable to hackers and competitors.
What information is critical to business operations?
Business leaders should be prepared to take a hard look at the information that – if stolen – would cause significant harm to ongoing business operations. In addition, if customer data were stolen, what might that do to the company’s reputation?
As an example, a 2013 data breach at U.S. retail chain Target left 41 million Target customers compromised and cost the company $18.5 million, not to mention the damage to Target’s reputation. For its part, Target offered free credit monitoring services to consumers affected by the breach.
By and large, the high-value company resources that warrant the highest levels of protection are the systems and information that would cause the most significant financial damage if they were compromised. Leaders must consider potential loss when honestly evaluating which systems require the most protection.
People: the most vulnerable company asset
Employees can be among a company’s most valuable assets and, unfortunately, are often the easiest to target. Anyone who has had to sit through their company’s mandatory cyber-awareness training can attest to the lengths that some organizations will go to in order to safeguard these “soft targets.”
After all, an industry report by information security company Shred-it found that 47 percent of business leaders said human error such as accidental loss of a device or document by an employee had caused a data breach at their organization.
Still, there is a certain hierarchy among employees that makes some more valuable hacking targets than others:
Employees with expertise
An employee’s knowledge of company processes, operations, materials, and capabilities can make certain key individuals more attractive targets.
Employees with access
An employee’s ability to access particular facilities or networks within the organization can also make them a more favorable target.
Employees with influence
Reserved for leadership or C-suite executives, certain employees have the authority to access a treasure-trove of sensitive company data. This fact alone makes them highly vulnerable targets.
Creating an asset matrix
Identifying valuable assets and recording them in an asset matrix should be a priority for IT personnel tasked with protecting sensitive company data.
Often, security researchers state that such a matrix should include the asset name, a description, its primary business functionality, the IT unit responsible for overseeing it, potential attackers, mitigation strategies, date of last assessment, level of value, and level of risk.
Many larger companies can perform this task in-house. However, for smaller to medium-sized businesses, there are many B2B companies that perform this task for a cost. After all, the last two decades have seen a massive increase in organizations’ digital assets, from documents, PDFs and logos, to photographic images that all need to be not only safeguarded but managed and distributed so that the company can function.
Developing a threat matrix
If the asset matrix is created in-house, the IT security team will then perform a deep dive into specific asset vulnerabilities. This information can and does change as the nature of the threats change. For instance, some hacking groups may become more prominent over time, or a particular asset may increase or decrease in importance and value.
With this in mind, the threat matrix is a living document that should be updated periodically to meet changing conditions. Both the asset matrix and the threat matrix should be regularly assessed by IT security experts for changes that may impact company performance.
By this logic, the asset matrix and threat matrix are perhaps two of the most important digital documents at a company and should themselves be protected with the highest level of security.
Were a hacker to compromise either document, they could potentially have a convenient shopping list of what the company considers its most valuable assets.
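The asset matrix and its periodic reassessment, described in the two sections above, can be kept as a simple CSV and checked by script. The following is an added example, not part of the original article: the column names, the three-level scale, the value-times-risk score, the 365-day review window and all sample rows are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Columns the article lists for an asset matrix (snake_case names are assumptions).
FIELDS = ["asset_name", "description", "business_function", "responsible_unit",
          "potential_attackers", "mitigations", "last_assessed", "value", "risk"]
LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed three-level scale

# Constructed sample matrix; every asset and value here is illustrative.
SAMPLE_CSV = """asset_name,description,business_function,responsible_unit,potential_attackers,mitigations,last_assessed,value,risk
Customer payment DB,Card and bank details,Order processing,Data platform,Financially motivated groups,Encryption; network segmentation,2024-01-10,high,high
R&D file share,Product design documents,Research,Engineering IT,Competitors,Access reviews,2023-02-01,high,medium
Marketing image library,Logos and photos,Brand management,Marketing IT,Opportunistic attackers,,2024-03-05,low,low
Executive mailboxes,C-suite email,Leadership communications,Corporate IT,Phishing crews,MFA,2022-11-20,high,high
"""

def load_matrix(text):
    """Parse the CSV; reject rows with missing columns or unknown levels."""
    rows = []
    for n, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        missing = [f for f in FIELDS if row.get(f) is None]
        if missing:
            raise ValueError(f"line {n}: missing columns {missing}")
        for key in ("value", "risk"):
            row[key] = row[key].strip().lower()
            if row[key] not in LEVELS:
                raise ValueError(f"line {n}: bad {key} level {row[key]!r}")
        row["last_assessed"] = date.fromisoformat(row["last_assessed"].strip())
        # Assumed priority score: value level multiplied by risk level (1..9).
        row["score"] = LEVELS[row["value"]] * LEVELS[row["risk"]]
        rows.append(row)
    return rows

def review(rows, today, max_age_days=365):
    """Rank by score (oldest assessment first on ties) and flag gaps."""
    report = []
    for row in sorted(rows, key=lambda r: (-r["score"], r["last_assessed"])):
        flags = []
        if (today - row["last_assessed"]).days > max_age_days:
            flags.append("stale assessment")
        if not row["mitigations"].strip():
            flags.append("no mitigation recorded")
        report.append((row["asset_name"], row["score"], flags))
    return report

if __name__ == "__main__":
    for name, score, flags in review(load_matrix(SAMPLE_CSV), date(2024, 6, 1)):
        print(f"{score}  {name:26} {', '.join(flags) or 'ok'}")
```

Because the resulting report is itself a ranked list of the company's most valuable assets, it should be stored with the same access restrictions as the matrix.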
Continuity of business after an attack
The final piece of any effective IT security strategy is a business continuity plan, which allows the business to maintain operations in the event of a loss of resources resulting from a natural disaster, ransomware, or a cyberattack. The IT departments at forward-thinking companies even run mock exercises about how to respond to attacks to better prepare the incident response team.
Companies have moved well into the era of paperless operations. This makes many company assets digital and susceptible to attack. Business leaders need to take a hard look at what resources within their company would cause severe financial damage if those resources were lost or stolen. Starting there, companies can then identify what hackers want and how to protect it from them.
Asset identification and protection should be a huge piece of any company’s IT security strategy.