When it comes to business security there are 2 systems that will save you after the impact of a cyber event. The first is a good backup and the second in encryption.
Neither of them is as foolproof as business owners think.
Understanding the importance of backups.
The whole point of a comprehensive back up regime is to be able to get back to business as normal as fast as possible.
A good backup will help you achieve that. So will a good disaster recovery plan, a decent business continuity plan as well as building in as much resilience as possible into the organisation itself.
Like any plan or solution it has to be tested, it has to be stressed and more importantly, everyone in the organisation needs to know what to do, where information is and how to implement those plans.
Failing to test or improve from the experiences of real-time tests and war-games is usually where an organisation fails.
You cannot improve a system unless it is tested regularly. Once tested you can rectify issues discovered during the testing.
You DO NOT want to have the cyber event as the first test of system failure and recovery.
What to do with backups.
When it comes to a backup it needs the following items in place.
- A copy of all critical and non-critical data stored in another location.
- A copy of that information only connected to the system when it is doing a backup
- A process that has no human requirements except to check it has happened and fixing it when it fails (immediately)
- A system that is regularly tested and improved. In business everything changes, the systems and data need to be tested but the people involved as well.
Protecting your encryption keys
The second component is encryption. Seen by many as the silver bullet of data security, it is just another deterrent. If your data is stolen then encryption will ensure that the data is unreadable, unless the bad guys have the keys.
The most important component of encryption is the security of those keys, if the keys are stolen or get out the encryption is useless.
So protecting those keys is more important than protecting the data the keys are securing.
When it comes to SME’s, not for profit organisations and charities we often find the security keys, especially for securing websites, just lying around a system. Usually, they are saved in a folder called certificates with no added security around those files.
Protecting your encryption
There are many ways of using encryption and all of them cannot be discussed here so here are a few ideas.
- Make sure your encryption key is not hardcoded into the applications using it.
- Make sure your encryption key is your property and not owned by a third party.
- The encryption keys should never be stored on or in the same system using them.
- Make sure there is an audit trail in their use.
- Only use one administrative account to encrypt data, record that account and the password in an out of band location, only used for that specific role.
- Your keys can be encrypted!
- Cryptographic keys change regularly, create a policy, process and procedure around that requirement.
- Back them up. The keys can be stored on an encrypted thumb drive and stored in a secure location. IE – a safe (part of the policy?)
To stop a cyber event instead of just recovering from one you also need to implement other components. To survive the onslaught of cybercrime, follow and implement the best practices documented all over the internet.
A plan B is important, just like insurance is important. When everything else fails your recovery is critical.
The CareMIT Security Methodology will help you secure your systems, people and data.