The backbone of modern business is information. Investments are made in digital processes to serve clients more quickly, and the availability of digital information strongly affects the efficiency with which those processes are performed.
Nowadays it is normal for businesses to have different types of data stored either at the company's data centre or in the cloud. A company may have a billing system, business records, CRM systems, email, web servers, production systems, HR systems, ERP systems and much more, sharing a common set of servers. As a result, the question arises of who should have access to which subsets of all this information.
The Three Pillars
One of the first issues raised is confidentiality. It is not wise to have business records published for all to see; indeed, data protection laws restrict what personal data may be made publicly available.
Confidentiality pulls in a different direction from availability. While confidentiality is about segregating information according to its sensitivity and restricting access accordingly, availability is concerned with making information accessible when it is needed.
There is a third consideration that needs to be addressed, and that is integrity. What is the use of all the data if we are not sure that it is accurate and reliable? Integrity includes authenticity, non-repudiation and accountability, meaning that information has not been changed in an unauthorised manner and that the origin of the data can be traced and associated with a particular user.
These three forces must be held in balance so that information flows to those who are allowed to see it, is changed only by those who are allowed to change it, and is withheld from everyone else. The balance is never easy to find, and there are always risks involved. The only truly secure system is one that is switched off, disconnected and locked up, but such a system is of no use to anyone. As a result, certain risks have to be accepted in order to balance availability, integrity and confidentiality.
One particularly easy to understand risk is the possibility of hardware failure. When hardware fails, availability is affected. During the system design phase, and at regular intervals thereafter, one has to weigh the cost of not having the information system available against the cost of a fail-over system. In the majority of cases, losing information is catastrophic to the business concerned.
Another example is the risk that arises from the fact that systems are connected to networks and, in many cases, to the Internet. Operating systems and software applications are not perfect: vulnerabilities are discovered during their lifetime and are usually repaired through security updates. An unpatched vulnerability is like a master key to your system. It opens the gate to attackers and gives them access to information that should not be available to them. This breaks confidentiality and may affect integrity as well, depending on whether the attacker changed any information.
Complacency and Vulnerability
Vulnerabilities are a major concern for those who hold confidential information on their networks. A leak of information can be the ruin of a business. So how can one mitigate such threats?
There are a number of steps one should take towards protecting data, from setting up firewalls and antivirus scanners to adopting company security policies. Each of these protects the network from a different angle and against different threats.
There are also vulnerability scans and web application scans. These scanners probe a system from outside the network, attempting to get in the way an attacker would, so that any vulnerability is exposed before it can be exploited. Such scans have to be performed on a regular basis; one cannot fall into complacency just because a scan returned no vulnerabilities in the past.
As new vulnerabilities are discovered, security updates are made available and systems fixed, follow-up scans are required to ensure the highest level of Confidentiality, Integrity and Availability.
In Malta, vulnerability scanning is particularly relevant to the financial services and i-gaming industries, since these handle sensitive data around the clock. Complacency and inaction in the face of vulnerabilities is a sure way to lead a company into the crosshairs of attackers. This exposes the company to heavy fines as well as possible bankruptcy, and a company that loses sensitive data will certainly lose its clients' confidence.
Carmelo Romano holds a Master's degree in Information Security from the University of Liverpool and is the Managing Director of Clever Solutions Ltd, exclusive Maltese partner of nSense, Nordic leaders in security assessments.