By David Hawthorne, Director of Cloud Engineering
Stop for a moment and consider the value of the device this article is displayed on.
Perhaps it’s a $1,500 laptop. Perhaps you are reading on a phone or tablet. But have you considered the asset’s actual value? Most likely the data on the device is worth far more than its retail price. In the wrong hands, that data leads to stolen identities, raided financial accounts, competitors gaining an advantage, and lost confidence among business partners as disclosures are made public. The past decade has seen data become accessible everywhere, with benefits such as digital twins available instantly. But with that availability come ever more leaked passwords, which ultimately become fungible: traded, and reused, like any other commodity.
Combine that with continuous pressure from governmental, regulatory, and compliance standards such as PCI DSS, GDPR, and HIPAA: how does a business balance risk when simply enabling multi-factor authentication (MFA) is not enough? Have you asked yourself questions like these?
In the construction industry, for example, it is common to have multiple subcontractors on one project, not all of whom have a need-to-know for certain information. For this reason, cloud solutions such as O3 use role-based permissions to restrict access to data and files. By keeping all information in the cloud and authorizing only the users with a business need for it, an organization can maintain privacy and confidentiality while preventing unauthorized downloads and data dissemination.
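The per-project, need-to-know model described above, as an added Python illustration that is not O3’s own code: roles are assigned per (user, project) pair, each role grants a fixed permission set, and any action not explicitly granted is denied and logged. The role names, permission names, project names and user identities are all constructed for this example.

```python
"""Per-project, role-based access check for a shared project workspace.

Added example, not O3's code. Assumes a simple model: a user holds roles
per project, each role grants a fixed permission set, and any action not
explicitly granted is denied (need-to-know by default).
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Role -> permissions. Names are constructed for this example.
ROLE_PERMISSIONS = {
    "owner":       frozenset({"read", "upload", "download", "share", "manage_members"}),
    "contributor": frozenset({"read", "upload", "download"}),
    "viewer":      frozenset({"read"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


class ProjectAccessControl:
    """Deny-by-default authorization keyed on (user, project)."""

    def __init__(self) -> None:
        self._roles: dict[tuple[str, str], set[str]] = {}
        self.audit_log: list[dict] = []  # every decision, allowed or denied

    def assign(self, user: str, project: str, role: str) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        self._roles.setdefault((user, project), set()).add(role)

    def revoke(self, user: str, project: str) -> None:
        """Drop all of a user's roles on one project (e.g. subcontract ended)."""
        self._roles.pop((user, project), None)

    def permissions(self, user: str, project: str) -> frozenset:
        """Union of the permissions granted by the user's roles on this project."""
        perms: set[str] = set()
        for role in self._roles.get((user, project), set()):
            perms |= ROLE_PERMISSIONS[role]
        return frozenset(perms)

    def check(self, user: str, project: str, action: str) -> Decision:
        perms = self.permissions(user, project)
        if not perms:
            decision = Decision(False, "no role on project")
        elif action in perms:
            decision = Decision(True, f"granted by roles {sorted(self._roles[(user, project)])}")
        else:
            decision = Decision(False, f"action {action!r} not granted")
        # Record denials as well as grants: repeated denials are a review signal.
        self.audit_log.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user, "project": project, "action": action,
            "allowed": decision.allowed, "reason": decision.reason,
        })
        return decision


def demo() -> dict:
    """Two subcontractors on one project, plus a second project neither should see."""
    ac = ProjectAccessControl()
    ac.assign("gc.pm@example.com", "bridge-2024", "owner")            # constructed identities
    ac.assign("steel.sub@example.com", "bridge-2024", "contributor")
    ac.assign("paint.sub@example.com", "bridge-2024", "viewer")
    ac.assign("gc.pm@example.com", "tunnel-2025", "owner")

    results = {
        "steel_can_download": ac.check("steel.sub@example.com", "bridge-2024", "download").allowed,
        "paint_can_download": ac.check("paint.sub@example.com", "bridge-2024", "download").allowed,
        "paint_can_read":     ac.check("paint.sub@example.com", "bridge-2024", "read").allowed,
        "steel_sees_tunnel":  ac.check("steel.sub@example.com", "tunnel-2025", "read").allowed,
        "steel_can_share":    ac.check("steel.sub@example.com", "bridge-2024", "share").allowed,
    }
    ac.revoke("steel.sub@example.com", "bridge-2024")
    results["steel_after_revoke"] = ac.check("steel.sub@example.com", "bridge-2024", "read").allowed
    return results


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```

The point of keying on the (user, project) pair rather than on the user alone is that a subcontractor’s role on one project says nothing about any other project; the check for “tunnel-2025” fails not because a rule forbids it but because no grant exists. Revocation removes the grant, so nothing has to be “un-shared” file by file.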
But how far is enough when dealing with security? If I do X, am I still secure for Y?
Enough security is enough security.
All joking aside, information security has a concept that illustrates the interplay between the three properties that shape a secure posture: confidentiality, integrity, and availability. We call this the CIA triad, and you can find more information here. The three elements relate to business continuity, preventing data breaches, and limiting exposure. Every organization must balance them based on its own appetite for risk, business needs, and compliance obligations.
In protecting data, most organizations should start by establishing or reviewing policies and procedures, the foundation of a successful information security program. Organizations can then implement controls that ensure those policies and procedures are followed. For example, on the job site, personal protective equipment is required; in security, the equivalent policy would declare that anti-malware must be installed and configured to a certain standard. Data loss prevention, which keeps information from leaving the PC, can be layered on top for a higher level of assurance. Of course, there are exceptions to every rule: perhaps you aren’t concerned about data loss on laptops that hold no sensitive information. The policy should guide such decisions. Treat data policies as guides so you don’t end up trapped in a “security for the sake of security” box. As the program matures, continuous improvement activities will fill the gaps and address rapidly evolving security threats.
Protect the people and protect the organization for a win-win.
Too often the human element of a cyberattack comes down to an employee mistake that ends in public disclosure: the Colonial Pipeline ransomware attack, in which an employee reused a password on a different site; a city in Japan where a lost flash drive exposed the PII of the entire city; and the spear-phishing attacks that took over Twitter accounts. Solid security awareness training, coupled with assessments such as phishing tests, not only makes organizations more secure but also benefits employees, who apply what they learn both personally and professionally.
How can I ensure our vendors have an appropriate security program in place?
When possible, partner with vendors whose commitment to information security is validated by an AICPA SOC 2 report. SOC 2 provides a detailed report on an organization’s controls relevant to the security, availability, processing integrity, confidentiality, and privacy of the information being processed. O3 Solutions has completed SOC 2 for the security and confidentiality Trust Services Criteria.
Ultimately, one can never be certain of having done enough to secure an organization; the absence of a breach may be down to luck or to a lack of visibility. Nonetheless, some basic policies, the right resources, and an understanding of an asset’s true value will improve your overall security posture.
If you’re interested in discussing how O3 provides a secure platform and meets all SOC 2 requirements for clients, please contact us to learn more at firstname.lastname@example.org.