Know What You Have
After completing this unit, you’ll be able to:
- Take inventory of all devices, systems, and applications.
- Identify the key systems that are the most critical and the most vulnerable.
- Adopt basic steps to protect your most critical systems.
Why It’s Crucial to Know What You Have
Here’s a question: How can you protect what you have if you aren’t quite sure what you have? It’s imperative that you have an inventory of your systems, devices, and applications—the items that need protection from cyber threats. That’s the first step in cyber hygiene.
It’s hard to believe, but we have been using the Internet for almost 30 years. Despite changes in technology and the Internet, many people use the same ways to access their systems and protect their identity as they did in the ’90s. These traditional identity and access management processes are no longer secure. They’ve become irrelevant, and cyber criminals have moved well beyond them.
Plus, there are more devices than ever. It was much simpler when work was limited to desktops. With phones, tablets, and laptops, people can work from anywhere. That means the attack surface has grown and entry points have multiplied. More devices and applications mean more things for you to protect.
And it all starts with knowing what you have. Once you know what you have, you can adopt measures and practices to protect those assets.
So how do you do it? For small organizations it can be quite simple. Sit down and create a spreadsheet that lists all the devices, systems, and applications your organization uses. For larger organizations, it can get a bit more complex. If the number of applications is challenging to manage, consider finding an automated way to keep your inventory updated.
You may not know where or how to start building and maintaining your inventory. Not to worry! The Global Cyber Alliance’s Know What You Have toolkit for small businesses shares plenty of tools and resources that make cyber inventory management an achievable reality.
Identify Your Crown Jewels
Now that you know what you have, it’s easier to protect what you have. But some things are more valuable than others. Think of it another way. If you had to leave your house in an emergency, which items are the most important to you, the ones you want to save without question? Likewise, which of your systems are “mission critical” or your “crown jewels”? These systems are often integral to running your business and, as such, are the ones with the most serious consequences if they fall victim to cyber threats. Perhaps they carry sensitive information. It’s likely that compromise of these systems can negatively impact your customers. Your crown jewels must be protected.
Protect Your Crown Jewels
Now that you have identified your crown jewels, it’s time to review a few ways you can protect them.
Encryption of data: It’s important to encrypt all sensitive and confidential data. This step is integral to protecting data and ensuring your crown jewels are safe. If a breach occurs, the data will be unreadable and the sensitive information protected. You can use the tools in the Global Cyber Alliance’s Update Your Defenses toolkit for small businesses to encrypt your data on your computer.
Separation of duties: Certain people within an organization have responsibilities that require them to access several systems and the data housed on these systems. But not everyone has these responsibilities, and this separation is key to strong cyber hygiene. Only a few should have access to all systems, and it’s important to know who they are.
Principle of least privilege: Only those who are required to use the system to do their job should have access. One of the best things you can do to protect your systems is to limit who has access and what type of access they have. The fewer people who can access a system, the lower the threat of cyber issues.
Once you’ve identified who should have access, look at how they get into the system. How many layers of security do you have protecting access to your crown jewels? Does it only take one PIN or password to access the systems you can’t run your business without? It’s critical to implement what is called a layered access mechanism for these systems. This means each section or application in the system requires authentication. Ensure these systems are monitored and there are alerts for certain triggers, for example, if someone without the right credential tries to access them.
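To make the checks in this section concrete, here is an added example (not part of the original unit) that reads an inventory spreadsheet exported as CSV and reports which crown jewels are missing encryption, least-privilege limits, layered access, or alerting. The column names, the sample rows, and the MAX_USERS threshold are assumptions made for illustration.

```python
import csv
import io

# Constructed sample inventory; the column names are assumptions for this example.
INVENTORY_CSV = """\
asset,type,crown_jewel,encrypted,auth_layers,alerting,users
payroll-db,system,yes,yes,2,yes,alice;bob
customer-crm,application,yes,no,1,no,alice;bob;carol;dave;erin
front-desk-tablet,device,no,no,1,no,carol
file-server,system,yes,yes,1,yes,alice;dave
"""

MAX_USERS = 3  # assumed least-privilege threshold; set it from your own policy

def load_inventory(text):
    """Parse the inventory CSV into dicts with typed fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for col in ("crown_jewel", "encrypted", "alerting"):
            row[col] = row[col].strip().lower() == "yes"
        row["auth_layers"] = int(row["auth_layers"])
        row["users"] = sorted(u.strip() for u in row["users"].split(";") if u.strip())
        rows.append(row)
    return rows

def audit_crown_jewels(rows, max_users=MAX_USERS):
    """Return (asset, finding) pairs for crown jewels that lack a protection."""
    findings = []
    for r in (x for x in rows if x["crown_jewel"]):
        checks = [
            (not r["encrypted"], "sensitive data not encrypted"),
            (len(r["users"]) > max_users,
             f"{len(r['users'])} users have access (limit {max_users})"),
            (r["auth_layers"] < 2, "single layer of authentication"),
            (not r["alerting"], "no monitoring or alerts"),
        ]
        findings += [(r["asset"], msg) for failed, msg in checks if failed]
    return findings

def users_with_access_to_all(rows):
    """Separation of duties: list the people who can reach every crown jewel."""
    jewels = [set(r["users"]) for r in rows if r["crown_jewel"]]
    return sorted(set.intersection(*jewels)) if jewels else []

if __name__ == "__main__":
    inventory = load_inventory(INVENTORY_CSV)
    for asset, finding in audit_crown_jewels(inventory):
        print(f"{asset}: {finding}")
    print("Access to every crown jewel:", users_with_access_to_all(inventory))
```

Rerun the audit whenever the inventory changes so new crown jewels and new access grants are reviewed against the same checks.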
Sum It Up
You’re off to a great start! Knowing what you have and protecting what is most important is critical to practicing good cyber hygiene. Now, you’re ready to tackle the next unit, which defines the steps you can take to boost your digital immunity and help you practice good cyber hygiene. Let’s dive in.
- External Site: Global Cyber Alliance (GCA) “Know What You Have” Toolkit
- External Site: Global Cyber Alliance (GCA) “Update Your Defenses” Toolkit