Written by Lucy Khayat
We all know that there is much that can be done to improve an organisation's Cyber Security posture, but it can be overwhelming when you look at the big picture. We see this every day. As we work with our clients, for those who are at the start of their journey, we try to instill the importance of good cybersecurity posture and why cyber should be a live conversation across all levels of the organisation, from the board, right through to the coalface.
The first step towards a good cyber security posture is to appreciate and understand the importance of your organisation’s data. Data is the primary reason behind all cyber security models, frameworks and time spent fortifying organisations - live it, respect it and be at one with it!
At Dragonfly, our team love the Five Knows of Cyber Security or what we refer to as the “5 Knows”. The 5 Knows was developed by Telstra and we use this simple approach to help our clients appreciate and understand their data and data flow throughout their organisation.
The 5 Knows are a checklist that is easy to understand and implement, helping you get on top of improving your cyber security posture and making for some early wins – and of course, who doesn't love an early win?
1. Know the value of your data
How much thought have you put into your data? Critically, appreciating the true value of your data will set the tone and urgency of your actions surrounding the protection of this critical asset.
Telstra rightly point out that "you must know the value of your data - to yourself, to your competitors and to those who wish to do harm". The first step is to have your organisation appreciate that its data is a valuable asset, and that the asset requires the necessary protections, like any other valuable asset you own, be it property, equipment, a trade secret or the proverbial recipe for your "special sauce".
Simply put, your data is an asset of variable value to different people; treat it accordingly.
2. Know who has access to your data
Do you have the controls in place to restrict who within your organisation has access to your physical equipment, stock and internal resources? Do you track who accesses these assets? Should data be treated differently?
Look closely at who within your organisation, and among your external partners and vendors, has access to your critical data, and review whether they really need that access, either to complete their activities or as a feed into a system outside of your control.
3. Know where your data is located
It may seem obvious, but you need to know where the company's data is stored to assist you in determining the real security risk you are facing - the more scattered the data, the more effort required to mitigate risks.
Questions you need to ask include: does the data reside with you or a service provider, is it in the cloud, are partners using other third-party providers and, finally, where is it geographically?
Answers to these questions will assist in creating a path to reducing these risks.
4. Know who is protecting your data
It may be a simple question, but who is responsible for protecting your data? In large organisations, it may not always be the internal team you expect it to be. It helps to know who it is, what operational security processes are in place and how you can contact them if you need to.
5. Know how well your data is protected
What is being done currently to protect your organisation's data? If the responsibility falls internally, what security processes and procedures are currently in place that can be built on? If your data is being accessed externally, what are your business partners or vendors doing to protect your data?
We find that answering the 5 Knows is a great start to help your organisation along its journey and to protect its critical data.
No matter where you are in your organisation's Cyber Security journey, you will find value in paying attention to this aspect of protecting information across your organisation. Whilst this process is an inward-looking view of your business, it is in your control. If you need any assistance in securing your valuable data or would like assistance in fortifying your security posture, just reach out; we are here to help.