Screen Shadows 🕵🏼♂️
Four years unseen, the hackers played,
A ghostly dance, their plans were laid.
Names and numbers, spoils so bright,
Passport dreams took sudden flight.
- CS
Picture this: In 2018, Marriott International faced a cybersecurity nightmare when a colossal data breach exposed up to 500 million guests' personal details. This digital disaster traced its roots to the 2016 merger with Starwood Hotels, where a crucial misstep occurred: Starwood's IT systems were left vulnerable and not fully woven into Marriott's security fabric.
Adding insult to injury, the attackers had been lurking in Starwood's reservation systems since 2014, a presence that went unnoticed during Marriott's acquisition due diligence. The oversight proved costly, handing the thieves a treasure trove of data, from passport numbers to payment card details.
Recognised as one of the largest data breaches in history, it cost Marriott dearly: a staggering $30 million in damage control, a 5% drop in its share price, over $1 billion in lost revenue, a flurry of lawsuits, and a hefty £18.4 million fine from the UK Information Commissioner's Office (ICO).
Marriott's ordeal with Starwood's legacy systems serves as a stark reminder of the dire consequences of underestimating cybersecurity's pivotal role in mergers and acquisitions.
TL;DR ⌛️
Security isn't free—it's a vital investment for safeguarding a company's crown jewels: its data. Identifying what to protect is step one, categorising data from "must-guard-with-our-lives" to "okay-to-share." This isn't just about state-of-the-art tech; it's perhaps more importantly about the goldmine of data accessed through that tech.
For businesses, it's about securing the protect surface, whether it’s confidential strategic plans or intellectual property. In the government realm, think classified levels, from "Top Secret" nuclear codes to everyday recruitment flyers. The guardians? Data owners decide what's sensitive, while data custodians keep it safe.
Bottom line—Security is pricey, but knowing what's crucial ensures we're not throwing money into a digital black hole. Let's invest wisely, protecting what truly matters.
🚨 Security Briefing 🚨
Security is not FREE.
Yeah, obvious, I know, but I think it’s important that people understand it can be expensive to implement security, and even big companies don’t have a bottomless pit of funds they can just reach into and use for whatever they wish.
We need to know exactly which assets are worth the expense of securing due to the very nature of their sensitivity. How do we do this? Well, we first need to identify all of our assets (which also include information and data). Then, we’ll need to classify them accordingly from the most critical to the least critical. Here’s what we’ll cover:
What is the difference between an asset, information and data?
What the deal is about identifying assets.
What data classifications are; and
How we typically define them in companies.
Without further ado…
Asset Classification Decoded 👨🏼💻
ASSETS, INFORMATION, & DATA are often used interchangeably in everyday cybersecurity vernacular, but they are technically distinct.
Let’s start in reverse order for a more logical explanation:
What do we mean by ‘Data’?
In the world of cybersecurity, grasping the distinction between data and information is akin to understanding the difference between a sack of flour and a loaf of bread. Data, in its true essence, is like that sack of flour—raw, unrefined, and without much use in its current state. These can be numbers, characters, or snapshots 📸 from the world around us, essentially the building blocks that lack inherent meaning on their own. For example, a sequence of numbers might seem like random gibberish until it’s processed and given context.
So, why do we sometimes talk about data and information as if they're one and the same? It's partly because the distinction can seem a bit academic when we're casually discussing how businesses or technologies use "data" to improve or "inform" decisions. In practice, the line between the two blurs as we process and analyse data to extract value from it, turning it into information seamlessly as part of our analytical protocols.
In essence, while data and information serve different roles in the cycle of understanding and decision-making, their close relationship in the process of analysis and interpretation often leads to the two terms being used interchangeably.
Remember, though—appreciating the journey from data to information is key to recognising the value hidden in the vast cyber seas we navigate daily.
What do we mean by ‘Information’?
So we take this data, sift it, knead it, and finally bake it within the oven of our processing methodologies, and it transforms into information. This information, much like our loaf of bread, is palatable, useful, and ready to be consumed to satisfy our hunger for knowledge. It's the analysis, structuring, and contextualisation of data that gives it the significance we hope for, turning raw figures into insights on trends, behaviours, or operational metrics that inform decisions.
A commonly referenced example of information is ‘Personally identifiable information’ or PII, for short. This is any information that can identify an individual. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-122 provides a more formal definition:
Any information about an individual maintained by an agency, including
(1) any information that can be used to distinguish or trace an individual’s identity, such as name, social security number, date and place of birth, mother’s maiden name, or biometric records; and
(2) any other information that is linked or linkable to an individual, such as medical, educational, financial, and employment information.
Whoa, so you can see that something as innocuous as your name is considered PII, which companies have a key responsibility to protect!
“Hmm, but how effective are they at doing this?” I hear you cynically mutter… Well, I’ll let you be the judge of that.
Diving a bit deeper, let’s talk about proprietary information. This is the secret sauce or the unique recipe that organisations guard with their very life’s blood. It's the magic formula, like Coca-Cola's "Merchandise 7X" 🥃📋 or KFC's blend of 11 herbs and spices 🐔📋. These aren’t just random concoctions but carefully curated secrets that provide these companies with their competitive edge. Just as these recipes are only ever known by a few employees at any given time and kept away from prying eyes, so too must all organisations protect their proprietary information—be it source code, technical blueprints, or business methodologies—from the eyes of their competitors.
NB: For the avoidance of doubt, when I refer to data I’ll be effectively referring to information as well.
What do we mean by ‘Assets’?
When we talk about 'assets', we're really just talking about all the things a company wants to keep safe. This includes everything you can touch, like computers and servers and even the stuff you can't, like the masses of data they have stored.
Data is to a library's books as Hardware is to the library's shelves.
IDENTIFYING YOUR ASSETS is the preliminary task we must do before we get anywhere.
Now, there’s something called the data lifecycle 🔄, which describes the journey of data from its initial collection to its eventual destruction. It involves six key phases: acquisition (collecting data), storage (keeping it securely), use (utilising the data), sharing (distributing it appropriately), archival (storing it long-term for future reference), and destruction (safely disposing of data when it's no longer needed). This is the journey data takes, and we must protect it from the cradle to the grave.
One of the first steps in the lifecycle we must consider is to identify and classify our information and assets.
Within a company’s security policy, an organisation will often guide us on how to classify different types of data, which we’ll come to in a moment; hang tight 🐒. But what is the stance on the data itself? Should we pinpoint and monitor all of it as rigorously as we do our physical assets?
Well, it's not a straightforward yes or no. Many organisations possess data so vital that its loss, corruption, or exposure could spell disaster. Picture a healthcare provider's patient records going awry. The repercussions of such incidents could be dire, plunging the entity into turmoil. To prevent such scenarios, exhaustive efforts are made to pinpoint and keep tabs on this critical data, often by embedding metadata (virtual sticky notes containing key details) within files or records for easier tracking—we’ll worry about that one at a later time. Just comprehend the high-level concept for now.
DATA CLASSIFICATIONS are simply ways to organise data based on its criticality or sensitivity. They may also be referred to as ASSET CLASSIFICATIONS, which, in reality, is the more all-encompassing term. We tend to use the former because, for most companies in the 21st century, their most prized possessions are not the computers and hardware they use to facilitate business but the data that is viewed and accessed by them.
With that in mind, if a confidential document resides on the CEO’s laptop, then that device (including its hard drive, should it be taken out) merits enhanced protection. Generally, the security level assigned to an asset (such as a laptop or a removable drive) holding or working with data should match the highest value of data contained within it.
For example, in a private company where an asset contains information ranging from public to sensitive and confidential, it should be tagged with the most secure classification and safeguarded appropriately… Comprendo? Bueno! 🪇
In the digital world, information is like the lifeblood of any organisation, pumping through its veins and keeping it alive. However, not all information is created equal. It's often sorted into categories depending on how sensitive or critical it is. Think of sensitivity as how much of a storm would brew if certain pieces of information ended up in the wrong hands—that's the kind of hot water organisations like Equifax, Sina Weibo, and Marriott International found themselves in when their sensitive data was splashed across the headlines.
On the flip side, we've got criticality. This is about figuring out which pieces of information are the pillars holding up the organisation. If these were to vanish or get tampered with, it's like pulling the rug from under the organisation's feet. If sensitivity is hot water, criticality is boiling water. 💦
A stark example is Code Spaces, which had to shut its doors for good back in 2014. Why? Because critical data it depended on got wiped out in a cyber-attack. Without this data, it was game over. So, as we continue to traverse the connected highways of cybersecurity, understanding the difference between sensitive and critical information not only helps guard against potential threats but also ensures the lights stay on.
CLASSIFICATIONS DEFINED in companies are typically dependent on whether we’re talking about a Private Entity or a Public Entity (i.e. Governmental Agencies).
For commercial or private companies, the common levels of sensitivity (with examples) from the highest to the lowest are as follows:
Confidential—Merger and acquisition plans: This is business-critical, and leaks could jeopardise competitive advantage.
Private—Employee personal information: This includes information like your phone number, home address, or email that you might not necessarily want publicly listed.
Sensitive—Proprietary software code: This could be the cornerstone of a company's new (non-flagship) product.
Public—Annual reports: Often published on a company's website for investor transparency.
For governmental entities such as the UK Ministry of Defence🎖️, sensitivity levels are categorised as follows. (The five-tier ladder below follows the US model, which is the one most textbooks teach; the UK's current Government Security Classifications collapse it into just OFFICIAL, SECRET and TOP SECRET, and "Controlled Unclassified Information" is a US term. The MoD examples still illustrate the idea.)
Top Secret—This involves information that, if disclosed, could cause exceptionally grave damage to national security, such as nuclear weapon launch codes. The UK's Developed Vetting (DV) is the highest level of security clearance, and for good reason. Unsurprisingly, individuals with DV clearance often need to operate with minimal oversight, which explains the need for such stringent checks.
Secret—Details of military technologies in development could give adversaries an unfair advantage.
Confidential—Personnel records of soldiers: while less critical than undercover identities, they still need protection.
Controlled Unclassified Information—Non-sensitive logistical plans, such as supply chain management details.
Unclassified—Recruitment materials designed to attract new enlistees.
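To make the high-water-mark rule concrete (an asset takes the highest classification of any data it holds, and data should only ever move to an asset protected at or above its level), here is an added example in Python that uses the two ladders of levels listed above. This is not code from the original post: the inventory is constructed sample data, and names such as `Asset`, `DataItem`, `protected_at` and `may_copy` are this example's own, not any standard's.

```python
"""Classification high-water mark for assets (added example, not from the post).

Assumptions: level names are the private-sector and government ladders listed
in the text, ordered least to most sensitive; the inventory is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import IntEnum
from typing import Iterable


class Private(IntEnum):
    """Commercial scheme, lowest to highest sensitivity."""
    PUBLIC = 0
    SENSITIVE = 1
    PRIVATE = 2
    CONFIDENTIAL = 3


class Government(IntEnum):
    """Government scheme, lowest to highest sensitivity."""
    UNCLASSIFIED = 0
    CUI = 1          # Controlled Unclassified Information
    CONFIDENTIAL = 2
    SECRET = 3
    TOP_SECRET = 4


@dataclass(frozen=True)
class DataItem:
    name: str
    level: IntEnum   # a member of the owning asset's scheme


@dataclass
class Asset:
    name: str
    scheme: type            # which IntEnum ladder this asset is classified under
    protected_at: IntEnum   # level the custodian has actually hardened it for
    items: list = field(default_factory=list)

    def add(self, item: DataItem) -> None:
        """Refuse labels from a different ladder; they are not comparable."""
        if not isinstance(item.level, self.scheme):
            raise ValueError(f"{item.name}: {item.level!r} is not a {self.scheme.__name__} level")
        self.items.append(item)

    def required_level(self) -> IntEnum:
        """High-water mark: the asset's classification is the highest level it holds."""
        return max((i.level for i in self.items), default=self.scheme(0))

    def is_under_protected(self) -> bool:
        """True when the data on the asset outranks the protection applied to it."""
        return self.required_level() > self.protected_at


def may_copy(item: DataItem, destination: Asset) -> bool:
    """No write-down: data may only move to an asset protected at or above its level."""
    return isinstance(item.level, destination.scheme) and item.level <= destination.protected_at


def under_protected(assets: Iterable[Asset]) -> list[str]:
    """Names of assets whose protection must be raised (the custodian's to-do list)."""
    return [a.name for a in assets if a.is_under_protected()]


def build_sample_inventory() -> list[Asset]:
    """Constructed sample inventory; not taken from any real environment."""
    ceo_laptop = Asset("ceo-laptop", Private, protected_at=Private.PRIVATE)
    ceo_laptop.add(DataItem("press-release.docx", Private.PUBLIC))
    ceo_laptop.add(DataItem("staff-directory.xlsx", Private.PRIVATE))
    ceo_laptop.add(DataItem("project-falcon-merger.pptx", Private.CONFIDENTIAL))

    public_web = Asset("public-web", Private, protected_at=Private.PUBLIC)
    public_web.add(DataItem("annual-report-2023.pdf", Private.PUBLIC))

    mod_share = Asset("mod-fileshare", Government, protected_at=Government.SECRET)
    mod_share.add(DataItem("recruitment-flyer.pdf", Government.UNCLASSIFIED))
    mod_share.add(DataItem("supply-chain-plan.xlsx", Government.CUI))
    mod_share.add(DataItem("prototype-spec.docx", Government.SECRET))
    return [ceo_laptop, public_web, mod_share]


if __name__ == "__main__":
    inventory = build_sample_inventory()
    for asset in inventory:
        flag = "UNDER-PROTECTED" if asset.is_under_protected() else "ok"
        print(f"{asset.name}: holds up to {asset.required_level().name}, "
              f"protected at {asset.protected_at.name} [{flag}]")
    merger_deck = inventory[0].items[2]
    print("merger deck -> public web allowed?", may_copy(merger_deck, inventory[1]))
```

The point of separating `required_level()` from `protected_at` is that the former is what the data owner's labels dictate and the latter is what the custodian has actually done; the gap between them is exactly the Starwood situation, a system whose real classification nobody had worked out. Keeping the two ladders as distinct enums also stops a "Confidential" from one scheme being silently compared with a "Confidential" from the other.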
The maestros behind these data classifications are the data owners, who decide on the appropriate classification level based on the data’s value and sensitivity. Meanwhile, the data custodians play the crucial role of maintaining the data and its assigned security level, ensuring the data's integrity, confidentiality, and availability are preserved as per the owners' directives.
Conclusion
I wasn’t entirely honest earlier. I said the UK’s DV is the highest level of security clearance in the nation, but that’s not technically correct. There is a level of clearance above that which only a very small number of people hold, and that’s enhanced-Developed Vetting (eDV). I can only imagine what kind of lives they live. Anyway, I digress.
Security is often very costly, and data identification and its subsequent classification help us direct our efforts to where they matter most. So, if time and funds are going to be wasted, it won’t be on our watch!