By Rohit Nagarajan, Vice President and Head of Database, SAP APJ
July 5, 2016
This vendor-written piece has been edited by Executive Networks Media to eliminate product promotion, but readers should note it will likely favour the submitter's approach.
In today's hyper-connected network economy, cyber security is a top-of-mind boardroom discussion topic. Information is the new sinews of war: your customer information, of course, but also your own financial and strategic plans, your employees' and contractors' personal data, and so on. An attack on this data (whether for leakage, manipulation, ransom or other malicious intent) could seriously endanger your relationships and trust with these important parties. It could also lead to business disruptions and loss of market share, not to mention potentially hefty fines.
Nevertheless, some businesses have taken this adage too literally and decided to protect all their data. Not only does this have a cost, but since they most likely have limited resources, it means they could be running short on protection for their real crown jewels.
In this short post, I don't intend to give you a complete process for attaining a 100 percent cyber-secure company, but I'll try to share a few thoughts on what path you can follow to at least get started.
1. Rate and Rank Your Information
As I mentioned, not all information is critical or confidential. In order to prioritise your data protection needs, try first of all to rate the criticality of the information should it be accessed without your consent and then rank it.
Keep in mind that more information will be created every day, so institute a good information classification system ranging from "Public" to "Confidential" that is understood and applied consistently across the organisation. This will help you keep this ranking constantly up to date and therefore reduce the ongoing effort of identifying critical information.
2. Map Your Assets
Now that you know what data you must protect, you need to know where it sits. This might seem quite trivial, but according to the recent EY Global Information Security Survey 2015, "only 40 percent hold an accurate inventory of their ecosystem (i.e. all third-party providers, network connections and data)".
How can you really protect something if you don't know where it is and how it's being accessed? Map your assets and how they interact; this will give you a complete picture of the risk context.
3. Identify Your Vulnerabilities
Talking about risk context, identify the threats as you would for any other business risk. Applying a root cause approach is very relevant in this case as it will help you find the weakest link.
To understand the real exposure of each vulnerability, roll up the risk chain and assess the business, strategic, and also operational impacts resulting from a data breach.