This article is featured in the magazine Preventing a Cyberattack: A Guide to Cyber Readiness.
By Dr. Kevin Harris, Program Director, Cybersecurity, Information Systems Security and Information Technology Management at American Military University
Many organizations spend large amounts of resources creating a secure infrastructure that protects their digital assets. But are organizations spending proportional resources to protect their most valuable assets?
It is critical that leaders determine what organizational assets are the most valuable and thus what requires the most expenditure. A vital component of the IT asset protection strategy, and one that is often overlooked or undervalued, is the asset identification phase.
Determining Valuable Assets
To start, organizations need to determine what information would be most valuable to outside parties and what systems are most likely to be targeted by hackers. Identifying the most valuable digital assets provides an organization with a clear direction for building an asset protection strategy and creating business continuity plans.
While there is often some overlap, there are two types of assets that require the most protection—assets that hackers can profit from and assets that are critical to business operations.
Hackers want profitable information. They often target organizations that collect and store sensitive customer data including financial information and personally identifiable information (PII). They target companies that have valuable intellectual or technological property from research and development efforts. Any information that can be sold by hackers should be considered a valuable asset.
All business leaders, not just those who are aligned with information security, need to evaluate the downstream ramifications to the enterprise if critical data were either lost or compromised. During this evaluation process, it’s critical that leadership consider the organization’s mission. The more critical an asset is to the organization achieving its mission, the higher the priority level and the stronger the protection measures that asset should be assigned. A resource should also be considered to be of high value if the loss of its data could have major financial implications.
Collaborate to Create an Asset Matrix
The identification of valuable assets is a task that should not be taken lightly as it is a foundational exercise that affects significant portions of the IT strategy including operational, business continuity, and cyber defense.
Leaders must spearhead the creation of a comprehensive total asset matrix that lists an organization’s assets and important information about each asset. The matrix should include the asset name, a description, its primary business functionality, the IT unit responsible for overseeing it, potential attackers, mitigation strategies, date of last assessment, level of value, and level of risk.
It is recommended that an internal team be created to develop this total asset matrix with members coming from different business units within the organization. This collaboration is critical to ensure important data used across the organization is accounted for and included in the documentation. It is also recommended that an organization’s legal and public relations employees be a part of this team so there is an awareness about the public perceptions and potential legal implications of any decisions made.
Due to the sensitive nature of the asset matrix, it is imperative that members of the team are vetted and undergo training on handling sensitive material. Access to the document should be logged, and the document itself should be highly secured and protected using network- and host-based intrusion prevention systems. Offline copies of this document should be included with the organization’s business continuity documentation.
Developing a Threat Matrix
Once the asset matrix is created, the IT security team will need to incorporate additional information for each asset, including potential attacks, protection measures, last date an assessment was performed, and overall threat level. This added information will help the organization’s incident response team (IRT) develop a threat matrix that includes further detail about the potential motivations of individuals and/or groups that might want to illicitly access each asset. If the likelihood of a particular group becoming more active rises, or it is determined that a digital asset has become more valuable, the threat level of that information should change and security protections will need to increase to protect those high-value targets.
When threat levels change, the threat matrix should be immediately reviewed to determine if protection modifications are necessary. For example, it may become prudent for an organization to limit external access to certain types of data during high-risk periods.
Implementing Systems to Protect Assets
Once the matrix is created, the IT security team should ensure that adequate firewalls, intrusion detection systems, and intrusion prevention systems are implemented to safeguard networks housing servers as well as applications. Organizations should retain highly skilled information technology (IT) employees who are trained to design, implement, maintain, and secure information systems that are vital to the organization’s operation and success.
Part of any effective IT strategy is having a business continuity plan, which allows the business to maintain operations in the event of a loss of resources resulting from a natural disaster, ransomware, or other cyberattack. Organizations should emphasize the technical aspects of disaster recovery and run mock exercises to ensure employees are able to implement recovery procedures that are in place.
Review and Update Regularly
The creation of an enterprise asset matrix is not a one-time event, but rather an ongoing effort that is performed, at a minimum, once a year. Organizations have many valuable types of data and that data changes regularly. It’s absolutely critical that every organization routinely identify and assess all of its assets, how well they are protected, and the actors who may try to gain access to them. Continual assessment and optimization is not just a best practice; it’s essential to protecting your enterprise in a rapidly changing cybersecurity threat environment.
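The asset matrix fields and the yearly review described above lend themselves to an automated check. The following Python example is added here and is not part of the original article: the CSV column names, the low/medium/high scale, and the value-times-risk score are assumptions, and the sample rows are constructed.

```python
import csv
import io
from datetime import date

# Constructed sample matrix; columns follow the fields listed in the article.
SAMPLE_MATRIX = """\
name,description,business_function,it_unit,potential_attackers,mitigations,last_assessed,value,risk
Customer DB,PII and payment records,Billing,Data Platform,Financially motivated groups,Encryption at rest; IPS,2024-01-15,high,high
R&D Wiki,Unreleased product designs,Research,Engineering IT,Competitors,,2023-02-01,high,medium
Intranet Portal,Staff news and forms,Internal comms,Corporate IT,Opportunistic attackers,WAF,2022-11-30,low,low
Payroll System,Salary and bank details,Finance,Corporate IT,Insiders; fraud groups,MFA; logging,2023-09-10,medium,high
"""

LEVELS = {"low": 1, "medium": 2, "high": 3}  # assumed three-step scale
REVIEW_INTERVAL_DAYS = 365  # the article's minimum: once a year


def load_matrix(text):
    """Parse the matrix, rejecting rows with unknown value or risk levels."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("value", "risk"):
            level = row[field].strip().lower()
            if level not in LEVELS:
                raise ValueError(f"{row['name']}: bad {field} level {row[field]!r}")
            row[field] = level
        row["last_assessed"] = date.fromisoformat(row["last_assessed"])
        rows.append(row)
    return rows


def review_report(rows, today):
    """Rank assets by value x risk and attach findings that need follow-up."""
    report = []
    for row in rows:
        findings = []
        if (today - row["last_assessed"]).days > REVIEW_INTERVAL_DAYS:
            findings.append("assessment overdue")
        if not row["mitigations"].strip():
            findings.append("no mitigation recorded")
        score = LEVELS[row["value"]] * LEVELS[row["risk"]]
        report.append((score, row["name"], findings))
    # Highest score first; name breaks ties so the order is stable.
    return sorted(report, key=lambda r: (-r[0], r[1]))


if __name__ == "__main__":
    for score, name, findings in review_report(load_matrix(SAMPLE_MATRIX), date(2024, 6, 1)):
        print(f"{score}  {name:<16} {', '.join(findings) or 'ok'}")
```

Run against the real matrix on a schedule, a report like this surfaces high-value assets whose assessment has lapsed or whose mitigation column is empty before the annual review comes around.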
About the Author: Dr. Kevin Harris is the Program Director for Cybersecurity, Information Systems Security and Information Technology Management at American Public University System. With over 25 years of industry experience, Dr. Harris protected a variety of organizational infrastructure and data in positions ranging from systems analyst to chief information officer. His career encompasses diverse experiences both in information technology and academia. His research and passion are in the areas of cybersecurity, bridging the digital divide, and increasing diversity in the tech community. As an academic leader, he instructed students at various types of institutions including community colleges, HBCUs, public, private, graduate, and undergraduate, as well as online. Dr. Harris trained faculty from multiple institutions in the area of cybersecurity as part of an NSF multistate CSEC grant. To contact the author, email IPSauthor@apus.edu.