Screen Shadows
Four years unseen, the hackers played,
A ghostly dance, their plans were laid.
Names and numbers, spoils so bright,
Passport dreams took sudden flight.
- CS
Picture this: In 2018, Marriott International faced a cybersecurity nightmare when a colossal data breach exposed up to 500 million guests' personal details. This digital disaster traced its roots to the 2016 merger with Starwood Hotels, where a crucial misstep occurred: Starwood's IT systems were left vulnerable and not fully woven into Marriott's security fabric.
The insult to injury was that hackers had been lurking in Starwood's reservation systems since 2014, a shadowy presence overlooked during Marriott's acquisition. The oversight proved costly, granting cyber thieves a criminal's paradise of data, from passport numbers to payment details.
Recognised as one of history's most extensive data breaches, the fallout was profound for Marriott—a staggering $30 million in damage control, a stock plummet of 5%, over $1 billion in revenue losses, a flurry of lawsuits, and a hefty £18.4 million fine from UK regulators.
Marriott's ordeal with Starwood's legacy systems serves as a stark reminder of the dire consequences of underestimating cybersecurity's pivotal role in mergers and acquisitions.
TL;DR
Security isn't free—it's a vital investment for safeguarding a company's crown jewels: its data. Identifying what to protect is step one, categorising data from "must-guard-with-our-lives" to "okay-to-share." This isn't just about state-of-the-art tech; it's perhaps more importantly about the goldmine of data accessed through them.
For businesses, it's about securing the protect surface, whether it's confidential strategic plans or intellectual property. In the government realm, think classified levels, from "Top Secret" nuclear codes to everyday recruitment flyers. The guardians? Data owners decide what's sensitive, while data custodians keep it safe.
Bottom line—Security is pricey, but knowing what's crucial ensures we're not throwing money into a digital black hole. Let's invest wisely, protecting what truly matters.
Security Briefing
Security is not FREE.
Yeah, obvious, I know, but I think it's important that people understand it can be expensive to implement security, and even big companies don't have a bottomless pit of funds they can just reach into and use for whatever they wish.
We need to know exactly which assets are worth the expense of securing due to the very nature of their sensitivity. How do we do this? Well, we first need to identify all of our assets (which also include information and data). Then, we'll need to classify them accordingly from the most critical to the least critical. Here's what we'll cover:
What is the difference between an asset, information and data?
What the deal is about identifying assets.
What data classifications are; and
How we typically define them in companies.
Without further ado…
Asset Classification Decoded
ASSETS, INFORMATION, & DATA are often used interchangeably in everyday cybersecurity vernacular, but they are technically distinct.
Let's start in reverse order for a more logical explanation:
What do we mean by "Data"?
In the world of cybersecurity, grasping the distinction between data and information is akin to understanding the difference between a sack of flour and a loaf of bread. Data, in its true essence, is like that sack of flour—raw, unrefined, and without much use in its current state. These can be numbers, characters, or snapshots from the world around us, essentially the building blocks that lack inherent meaning on their own. For example, a sequence of numbers might seem like random gibberish until it's processed and given context.
So, why do we sometimes talk about data and information as if they're one and the same? It's partly because the distinction can seem a bit academic when we're casually discussing how businesses or technologies use "data" to improve or "inform" decisions. In practice, the line between the two blurs as we process and analyse data to extract value from it, turning it into information seamlessly as part of our analytical protocols.
In essence, while data and information serve different roles in the cycle of understanding and decision-making, their close relationship in the process of analysis and interpretation often leads to the two terms being used interchangeably.
Remember, though—appreciating the journey from data to information is key to recognising the value hidden in the vast cyber seas we navigate daily.
What do we mean by "Information"?
So we take this data, sift it, knead it, and finally bake it within the oven of our processing methodologies, and it transforms into information. This information, much like our loaf of bread, is palatable, useful, and ready to be consumed to satisfy our hunger for knowledge. It's the analysis, structuring, and contextualisation of data that gives it the significance we hope for, turning raw figures into insights on trends, behaviours, or operational metrics that inform decisions.
A commonly referenced example of information is "Personally identifiable information", or PII for short. This is any information that can identify an individual. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122 provides a more formal definition:
Any information about an individual maintained by an agency, including
(1) any information that can be used to distinguish or trace an individual's identity, such as name, social security number, date and place of birth, mother's maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Woah, so you can see that something as innocuous as your name is considered PII, which companies have a key responsibility to protect!
"Hmm, but how effective are they at doing this?" I hear you cynically mutter… Well, I'll let you be the judge of that.
Diving a bit deeper, let's talk about proprietary information. This is the secret sauce or the unique recipe that organisations guard with their very life's blood. It's the magic formula, like Coca-Cola's "Merchandise 7X" or KFC's blend of 11 herbs and spices. These aren't just random concoctions but carefully curated secrets that provide these companies with their competitive edge. Just as these recipes are only ever known by a few employees at any given time and kept away from prying eyes, so too must all organisations protect their proprietary information—be it software code, technical blueprints, or business methodologies—from the purview of their competitors.
NB: For the avoidance of doubt, when I refer to data I'll effectively be referring to information as well.
What do we mean by "Assets"?
When we talk about 'assets', we're really just talking about all the things a company wants to keep safe. This includes everything you can touch, like computers and servers and even the stuff you can't, like the masses of data they have stored.
Data is to a library's books as Hardware is to the library's shelves.
IDENTIFYING YOUR ASSETS is the preliminary task we must do before we get anywhere.
Now, there's something called the data lifecycle, which describes the journey of data from its initial collection to its eventual destruction. It involves six key phases: acquisition (collecting data), storage (keeping it securely), use (utilising the data), sharing (distributing it appropriately), archival (storing it long-term for future reference), and destruction (safely disposing of data when it's no longer needed). This is the journey data takes, and we must protect it from the cradle to the grave.
One of the first steps in the lifecycle we must consider is to identify and classify our information and assets.
Within a company's security policy, an organisation will often guide us on how to classify different types of data, which we'll come to in a moment; hang tight. But what is the stance on the data itself? Should we pinpoint and monitor all of it as rigorously as we do our physical assets?
Well, it's not a straightforward yes or no. Many organisations possess data so vital that its loss, corruption, or exposure could spell disaster. Picture a healthcare provider's patient records going awry. The repercussions of such incidents could be dire, plunging the entity into turmoil. To avoid such scenarios from happening, exhaustive efforts are made to pinpoint and keep tabs on this critical data, often resulting in embedding metadata (virtual sticky notes containing key details) within files or records for easier tracking—we'll worry about that one at a later time. Just comprehend the high-level concept for now.
DATA CLASSIFICATIONS are simply ways to organise data based on its criticality or sensitivity. They may also be referred to as ASSET CLASSIFICATIONS, which, in reality, is the more all-encompassing term. We tend to use the former because, for most companies in the 21st century, their most prized possessions are not the computers and hardware they use to facilitate business but the data that is viewed and accessed by them.
With that in mind, if a confidential document resides on the CEOās laptop, then that device (including its hard drive, should it be taken out) merits enhanced protection. Generally, the security level assigned to an asset (such as a laptop or a removable drive) holding or working with data should match the highest value of data contained within it.
For example, in a private company where an asset contains information ranging from public to sensitive and confidential, it should be tagged with the most secure classification and safeguarded appropriately… Comprendo? Bueno!
In the digital world, information is like the lifeblood of any organisation, pumping through its veins and keeping it alive. However, not all information is created equal. It's often sorted into categories depending on how sensitive or critical it is. Think of sensitivity as how much of a storm would brew if certain pieces of information ended up in the wrong hands—that's the kind of hot water organisations like Equifax, Sina Weibo, and Marriott International found themselves in when their sensitive data was splashed across the headlines.
On the flip side, we've got criticality. This is about figuring out which pieces of information are the pillars holding up the organisation. If these were to vanish or get tampered with, it's like pulling the rug from under the organisation's feet. If sensitivity is hot water, criticality is boiling water.
A stark example is Code Spaces, which had to shut its doors for good back in 2014. Why? Because critical data it depended on got wiped out in a cyber-attack. Without this data, it was game over. So, as we continue to traverse the connected highways of cybersecurity, understanding the difference between sensitive and critical information not only helps guard against potential threats but also ensures the lights stay on.
CLASSIFICATIONS DEFINED in companies are typically dependent on whether we're talking about a Private Entity or a Public Entity (i.e. Governmental Agencies).
For commercial or private companies, the common levels of sensitivity (with examples) from the highest to the lowest are as follows:
Confidential—Merger and acquisition plans: This is business-critical, and leaks could jeopardise competitive advantage.
Private—Employee personal information: This includes information like your phone number, home address, or email that you might not necessarily want publicly listed.
Sensitive—Proprietary software code: This could be the cornerstone of a company's new (non-flagship) product.
Public—Annual reports: Often published on a company's website for investor transparency.
For governmental entities such as the UK Ministry of Defence, sensitivity levels are categorised as:
Top Secret—This involves information that, if disclosed, could cause exceptionally grave damage to national security, such as nuclear weapon launch codes. The UK's Developed Vetting (DV) is the highest level of security clearance, and for good reason. Unsurprisingly, individuals with DV clearance often need to operate with minimal oversight, which explains the need for such stringent checks.
Secret—Details of military technologies in development could give adversaries an unfair advantage.
Confidential—Personnel records of soldiers: while less critical than undercover identities, they still need protection.
Controlled Unclassified Information—Non-sensitive logistical plans, such as supply chain management.
Unclassified—Recruitment materials designed to attract new enlistees.
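As an added example (not code from the original post), here is a small Python check that applies the rule stated earlier: an asset must carry the label of the highest-classified data it holds or works with. It uses the commercial and governmental scales just listed and flags any inventory entry tagged below what its data demands, which is the kind of audit a data custodian would run over an asset register. The `Asset` class, the `under_labelled` check and the sample inventories are constructed for illustration and are not part of the post.

```python
"""Derive the classification an asset must carry from the data it holds.

Added example, not from the original post. The two scales are the commercial
and governmental levels the post lists; the asset inventory, the Asset class
and the under_labelled() check are constructed for illustration.
"""
from dataclasses import dataclass, field

# Ordered from least to most sensitive, as listed in the post.
COMMERCIAL_SCALE = ["Public", "Sensitive", "Private", "Confidential"]
GOVERNMENT_SCALE = [
    "Unclassified",
    "Controlled Unclassified Information",
    "Confidential",
    "Secret",
    "Top Secret",
]


@dataclass
class Asset:
    """An inventory entry: what the asset is tagged as, and what data it holds."""
    name: str
    assigned_label: str
    data_labels: list = field(default_factory=list)


def required_label(data_labels, scale):
    """Return the highest classification among the data on an asset.

    This is the post's rule: the protection level of a laptop, drive or server
    must match the most valuable data on it. An asset holding no classified
    data needs only the lowest level on the scale.
    """
    unknown = sorted(set(data_labels) - set(scale))
    if unknown:
        raise ValueError(f"labels not on this scale: {unknown}")
    if not data_labels:
        return scale[0]
    return max(data_labels, key=scale.index)


def under_labelled(assets, scale):
    """List (asset name, assigned label, required label) for every asset whose
    tag is lower than its data demands. Over-labelling is not reported: it
    wastes budget but does not expose data."""
    gaps = []
    for asset in assets:
        required = required_label(asset.data_labels, scale)
        if scale.index(asset.assigned_label) < scale.index(required):
            gaps.append((asset.name, asset.assigned_label, required))
    return gaps


# Constructed sample inventories (hypothetical assets, not from the post).
SAMPLE_COMMERCIAL = [
    Asset("CEO laptop", "Private", ["Public", "Private", "Confidential"]),
    Asset("Removable drive", "Confidential", ["Confidential"]),
    Asset("Marketing web server", "Public", ["Public"]),
    Asset("Build server", "Private", ["Sensitive"]),  # over-labelled, not flagged
]
SAMPLE_GOVERNMENT = [
    Asset("Recruitment portal", "Unclassified",
          ["Unclassified", "Controlled Unclassified Information"]),
    Asset("Personnel records DB", "Confidential", ["Confidential"]),
]

if __name__ == "__main__":
    for gap in under_labelled(SAMPLE_COMMERCIAL, COMMERCIAL_SCALE):
        print("commercial: %s is tagged %s but holds %s data" % gap)
    for gap in under_labelled(SAMPLE_GOVERNMENT, GOVERNMENT_SCALE):
        print("government: %s is tagged %s but holds %s data" % gap)
```

Run as a script, it reports the CEO laptop (tagged Private, holds Confidential) and the recruitment portal (tagged Unclassified, holds Controlled Unclassified Information). Mixing scales is rejected rather than guessed at, since a "Confidential" label means different things on the two lists.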
The maestros behind these data classifications are the data owners, who decide on the appropriate classification level based on the data's value and sensitivity. Meanwhile, the data custodians play the crucial role of maintaining the data and its assigned security level, ensuring the data's integrity, confidentiality, and availability are preserved as per the owners' directives.
Conclusion
I wasn't entirely honest earlier. I said the UK's DV is the highest level of security clearance in the nation, but that's not technically correct. There is a level of clearance above that which only a very small number of people hold, and that's enhanced-Developed Vetting (eDV). I can only imagine what kind of lives they live. Anyway, I digress.
Security is often a very costly expense, and data identification and its subsequent classification help us direct our efforts to where they matter most. So, if time and funds are going to be wasted, it won't be on our watch!