Decision Support: Determine the value and vulnerability of company data to evaluate security threats

Analyze your data for hacker opportunities

Since security is expensive, both in absolute dollars and in practice (sometimes those with authority are even locked out!), you shouldn't protect everything equally. For example, data that changes rapidly and isn’t especially valuable doesn't need much protection. On the other hand, information that could destroy your company if it fell into the wrong hands shouldn’t even be on your network.

Did you miss it?
In an earlier column, I discussed the need to balance protection against the value of your network’s information and your time. In case you missed it, you can catch it here.

Establishing a base level of protection
The value you place on specific data dictates what needs protecting. This valuation also helps establish a range of protection, as some files should receive more protection than others. However, this valuation doesn't tell you the level of absolute protection you require. That is, after analysis you know that A needs far more protection than B, but you still don't know what measures will be required to protect either data set adequately.

System administrators should begin by setting a base level of protection. Where you set that baseline for the least-sensitive data depends, in part, on how big a threat hackers pose to your network. Therefore, setting a base level requires that you determine what data is at risk—and from whom.

Remember not to discuss your network!
Check out "Are you encouraging hackers to attack your network?" for a quick memory refresher on why you shouldn’t publicly discuss your systems and IT architecture.

Threat estimates
Making an accurate threat estimate depends on a number of factors, including intangibles. For example, will recent publicity raise the ire of the wrong high school student, or will the color of your company’s logo make some wacko think your firm operates in the service of Satan (that would be the Devil, as opposed to SATAN—Security Analysis Tool for Auditing Networks)?

These types of threats face businesses every day. Real or imagined, they exist. And the threats are steadily growing.

To decide the level of security you require, it's important to assign values to the individual features of your business that might attract the random hacker, true wackos, or even an industrial espionage specialist. This is very different from deciding how valuable the data is to you.

Data needed to run your business is vital to you, but unless someone wants to put you out of business, it might not be important to others. Thus, you aren't seriously threatened, except by accidents or a random hacker attack.

Of course, someone may want to put you out of business, either for competitive advantage or simply out of spite. It happens. In some cases, you know of the threat, but sometimes it isn't as obvious as having your competitor swear undying vengeance against your CEO in FortuneMagazine.

On the other hand, even data that isn’t particularly important to your business—perhaps mailing lists of people who want products you no longer sell—might be quite valuable to some other business. Don’t let them get it.

Everybody's got secrets
You don't have to be a defense contractor to have secrets. If you're successful, people may be targeting you in order to learn how you do it. Even if you're going out of business, they might want to pick over your bones.

The question isn't if your company has information that’s valuable either to a competitor or garden-variety thief; the questions are how much of it do you have, what kind is it; and just how valuable is it to someone else?

You may not be able to determine just how valuable your information is to another business, so your analysis will always include a large fudge factor. But at least it's a place to start.

How much of it do you have?
In the category of competitive-based threats, you should consider customer and supplier lists, invoices, employee data (competitors can lure them away more easily if they have their e-mail addresses or telephone numbers), and much more depending on the nature of your business and how vulnerable you are to competitors.

What kind is it?
The category of data that would interest any random thief includes credit card accounts, bank account numbers, and other financial data.

Just how valuable is it to someone else?
In general, the more valuable the information is to others, the more likely you are to be a target of information theft. In other words, the greater the threat, the greater the need for protection.

Threat categories
Value is only the determining factor for rational attacks. If your business or its owners have made enemies, especially among highly motivated groups or individuals, you could be in an even bigger threat category.

If you have been careless enough to brag in print that your security system is perfect, then get ready. You’re officially a sitting duck.

It's impossible to be precise about how big a potential threat you're facing, but it's important to evaluate security based on both threat assessment and the absolute value of the data to your own business and others.

Watch for the inside job
If your data is highly valuable to competitors, you need to improve your new-employee screening process, too. Why? Because in addition to the usual threat from a disgruntled worker, you could also face a concerted attempt to penetrate your systems from the inside. Although a breach can occur from the outside, it's always easier from the inside.

A skilled and systematic attack poses a very different threat from that created by a disgruntled employee who might not possess the skills to both extract valuable information and disguise the theft.

Other security concerns should become apparent depending on the results of your threat analysis. That's the entire point of conducting such a study.

Paranoia won’t destroy ya
By now, some of you are probably convinced I'm totally paranoid. If you're one of those people, you're in the wrong business. A good security officer is a paranoid security officer.

In fact, I'm happy to be called paranoid. It's better than being described as “unemployed.”

John McCormick is a consultant and writer (five books and 14,000-plus articles and columns) who has been working with computers for more than 35 years.

Have a comment?
If you'd like to share your opinion, please post a comment below or send the editor an e-mail.