Confidentiality, Integrity and Availability – A Deep Dive…
Information is becoming an increasingly valuable commodity, and for a business, it presents not only value but a responsibility too. You may have all the necessary guards in place to protect your data, however not all information is digital. Trade secrets, good old printed paper and various other physical threats like USB keys all provide unique challenges to implementing thorough protection throughout a business.
Threats can have varying levels of effects, but breaches can provide good reason for termination, and lost revenue may not be the only result. Legal action, compensation and ongoing loss of reputation, and even a lot of expensive PR to get a business on track again, may all be required.
With Scandinavian firm Norsk Hydro announcing in a BBC interview that they spent £45 million restoring their business after a ransomware attack took out tens of thousands of computers throughout the company’s 170 sites, there is proof in the logic of investing in information security, no matter your industry.
With all information security decisions, you can boil them down to three key themes: Confidentiality, integrity and availability.
This helps secure a business’s most valuable information; trade secrets, customer data, analytics, etc. from prying eyes in order to protect a business’s future success.
Keeping vital information secret is important because once a secret has been outed, it becomes very hard to close Pandora’s Box. Even if the leak is found and deleted, the nature of the internet means that there is a very high likelihood that any leaks will be copied and distributed so quickly and frequently, that the information will never be fully removed.
Simply put, the easiest way to provide information confidentiality is ensuring only people who should have access to certain data, have access. However, this simple sentence can take a lot of complicated principles to enact.
Grouping information into classes of severity (if leaked) and planning steps accordingly, like using permissions to decide who has what levels of access, can help mitigate the risks attached. However, permissions are only as secure as the person holding them. Provide special training for those in the know on information security best practices. This could include password design, social engineering (phishing) prevention or implementing solutions like biometrics and air gapped computers (not connected to the internet) or even keeping hard copies locked away so there is no chance of digital access.
If files must be accessed digitally, which is the case for most, encryption is widely used to prevent hackers from plucking the data as it travels through internet cables from A-B. Encryption comes at the cost of increasing the size of the data but, depending on the exact standard of
encryption, can take the fastest computers hundreds of years to crack.
This refers to ensuring the authenticity of information; that information is not altered and is from the assumed source. There are two specific sub-categories: System and data integrity.
Data integrity means taking steps to ensure your data can’t be altered by a third party. One simple example of ‘Data Integrity Risk Mitigation‘ that you are probably using without realising is that every time Microsoft Office asks you if you want to ‘Enable Editing’ in a document, it is preventing you from making what could possibly be unintended alterations.
This can be a hard thing to keep on track of, especially when working with suppliers and partners. With the constant toing-and-froing of files between associates, an accidental edit could mean a change to a spreadsheet or document that changes a price or date of delivery that could have significant consequences to both parties.
Human error would usually fall under data integrity, as the slip of a finger can cause mistypes or the deletion of important data, and while you can put every measure in place remember, “Pobody’s nerfect.”
At times, an employee may not be at fault, but the way they interact with their system may be the root cause. Preventing this could include regular maintenance, using file permissions (so only approved employees have access to the data) or using hashes to verify the integrity of the information. Hashes can give users a quick ‘summary’ of the information contained using a combination of letters and numbers unique to that document. This can then be compared with other versions of the document and if the hashes are identical, you know the documents are too.
Maintaining systems and keeping them protected so that neither employees nor hackers can manipulate the data is vital to protecting the integrity of your information. The NHS’s WannaCry attack several years ago was the result of missing security updates that may have prevented the attack in the first place.
Our third tenet deals with the availability of your information, or how your staff gain access to the data. Challenges present themselves via ‘Acts of God’ like flooding or forest fires, and other disasters to failed or stolen hard drives.
Disaster Recovery Plans, or DRPs, are essential for the continual success of a business that suffers outages from hackers, the environment and anything in between.
Creating redundancies in your system will help prevent small scale issues like a blown server. These redundancies are usually some form of back-up, but depending on the size and scope of the business, these can require very different systems.
The established solution for SOHO businesses is keeping all data copied on to a hard drive and placed somewhere secure, so that in the case of a computer failing, the data on it can be replaced quickly.
For larger offices, RAID servers are a common solution to duplicate your information over one or several drives. Depending on configuration, RAID systems have the ability to build in their own redundancy by copying data to several RAID drives in case one fails.
Even larger businesses tend to opt for Failover Cluster solutions that geographically separate servers, so that a business can switch in case of scheduled downtime, an extended power cut or even a DDoS attack.
These would in no way replace any cyber security tools like firewalls or DDoS prevention services, as they all work in tandem to create a secure network that limits the chance of unwanted access, while ensuring all data is still available if the main repository is corrupted.
We use the Information Security Risk Assessment as the basis of all information security planning. This document should be updated regularly and include all of your information assets, both digital and physical, and from there you can start planning how to mitigate the risks associated with each asset. You can download a free Information Security Risk Assessment Pack here.
Just because a particular threat is mentioned under one of the headings above, does not mean it wouldn’t be applicable to the others. Cyber security tools are just as vital to protecting integrity as well as the availability and confidentiality of the information, and your information security tools will be the same. Rather than wasting time deciding which of the three principles a particular risk should be allocated to, focus on what can be done to most prevent the risk in question.