Asset-based defence – defending what really matters
02 February 2017
Cyber security is, at its core, an exercise in protecting the things that matter. The value of the assets that “matter” to you and to an attacker depends on who or what you are (and who and what your attacker is). At one end of the scale an individual might be concerned about protecting their personal banking details; at the other end, nation states with nuclear weapons are concerned about securing their ability to control those weapons.
Typically, when cyber security professionals talk about defending assets they have meant IT systems (“how can we protect server X, or database Y?”). But this system-centric approach is typical of IT-led thinking about cyber risk, and it results in sub-optimal protection.
In a business context an asset is something that adds value to the business and/or would damage the business if its confidentiality, integrity or availability were compromised. For example:
- A manufacturing company may rely on sensitive intellectual property which, if stolen, would allow foreign competitors to take a similar product to market at a lower price.
- A retailer may face heavy fines and significant damage to customer loyalty if it lost its customers’ personally identifiable information.
- A multinational company’s future growth dependent on mergers and acquisitions deals could be undermined if its sensitive corporate strategy was compromised.
- A small/medium enterprise may rely on its cash flow; its financial assets are therefore really important to it.
- A power company relies on strict management of its industrial control systems to keep the lights on.
The real trick to identifying an organisation’s key assets is to get under the skin of what makes it tick and work out which assets actually hold value. A comprehensive view requires an understanding of how the different components of the business interconnect, and how different assets (data, processes, systems etc.) contribute to value creation. This allows the organisation to identify its key assets based on business impact (i.e. an inward-looking assessment).
Looking in from an attacker’s perspective is equally valuable. While organisations are assessing the value of their own assets, attackers are doing the same from the outside. Understanding an attacker’s assessment of value enhances your own by adding a layer of likelihood: how probable it is that a particular asset will be attacked. For example, stolen health credentials can be resold for 10-20 times the value of compromised card data, because the criminal marketplace is flooded with card data and health data can be monetised in more ways. This analysis also helps organisations to understand less obvious types of data that attackers will target; for example, many organisations seek to protect customer personal data but regard raw transaction data as less sensitive.
There are a number of key advantages to identifying assets at a business level rather than at a system level.
First and foremost is the ability to get defensive investment right. For example if your sensitive IP is sitting on a system containing 90% non-sensitive data, hardening the whole system to protect the 10% may not provide the best defence, and probably won’t be cost-effective. It also enables a more holistic assessment of controls, encompassing people and business processes as well as technical defences.
Secondly, identifying assets at a business level reinforces cyber as a business risk to senior leaders. It is much easier to get a C-suite to worry about a scenario they can relate to (‘our key competitor has our IP and they will go to market inside six months’) than about an IT-based scenario (e.g. ‘database Y has been compromised’).
Finally the logical follow-on from this is that if you can articulate business impact to senior leaders, then it is easier to get senior ownership and accountability of key assets. No senior leader would want to be accountable for ‘database Y,’ but they will be interested in being accountable for ensuring that their main competitor does not get hold of the company’s sensitive IP.
Cyber security is, at its core, an exercise in protecting the things that matter. Therefore, for a cyber security programme to be truly effective it should be based upon an identification and prioritisation of the organisation’s key assets. In a world where cyber security breaches are the norm, are you confident you are protecting what really matters?