Protecting Most Valued Assets
On September 13, 2023 the Vedis Knowledge Session on Cybersecurity took place at Nijenrode Business University. I, Yuri Bobbert, had the opportunity to give a presentation about cybersecurity. In this talk, I explained that cybersecurity is hard to define and understand. You cannot guarantee that your company is a hundred percent secure from every possible risk. What you can do is focus on protecting the most valuable assets.
Protecting most valued assets
As a retail company, you do not want to spend too much time on this subject. You want to focus on one thing: helping people and selling your product or service. To achieve that, you make a plan and determine your goals. You monitor what goes well and what does not. You check whether you have enough personnel and whether they are doing the right things. This is actually not so different from how you can approach cybersecurity. It does not have to be difficult or expensive at all. In this article I will show you the highlights of the knowledge session on cybersecurity.
Status report
I know it is not easy to be in the retail sector at this moment. Increased prices for rent and personnel, debts due to the corona pandemic and competition from webshops are just a few of the challenges. As a retail company, you might have something other than privacy and security laws on your mind. Nevertheless, business goals and privacy and security goals often go hand in hand, since non-compliance or insecure systems can cost millions in fines and lost revenue. However, cybersecurity solutions often focus on only one aspect. The plethora of risks and products makes it difficult to decide what you should do. That is why it is important to rethink cybersecurity and to report periodically on your status.
Four reflections for digital assurance
Never trust, always verify. That is the core of Zero Trust. Whereas internal processes were often trusted by default, the new standard distrusts all zeroes and ones in digital environments. Besides this strong starting point, it is helpful to think in terms of a 'protect surface' instead of an 'attack surface'.
In the visual below, the sea is the attack surface and the church is the protect surface. Instead of trying to protect the city from all possible attacks, you decide what is important to your company and you focus your efforts there, in this case on the church. Inherent to zero trust is good user account control. This has to be managed properly, with extra conditions when changes are to be made. Finally, it is good to trust in people, but it is better to control the risks.
Four solutions to strengthen information security
The key to preventing security issues like hacks is process hygiene. This consists of measures that make sure you are in control. It already starts at the door with access management. Who has access to a system? Why do they have access, to what exactly, until when, at what times and how do they have access?
Secondly, you have to create partitions. This way, critical systems are separated and a hacker cannot simply walk from one system to another once they are inside. Furthermore, configuration management helps you to make sure your systems are up to the latest standards. Lastly, surveillance is required 24 hours a day, every day of the year, to keep control of all the systems, to discover vulnerabilities and to strengthen the protection of your core assets.
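As an added illustration, not code from the talk or from Anove, the six access-management questions above (who, why, to what, until when, at what times, how) and the partitioning idea written as a small Zero Trust decision rule; every grant is scoped to one system, so access never carries over to another partition. All names, systems and ticket numbers are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class Grant:
    """One explicit access grant: who, why, to what, until when, at what times, how."""
    who: str
    why: str              # recorded justification, e.g. a change ticket
    what: str             # the one partition/system this grant covers
    until: datetime       # hard expiry; access is reviewed, never permanent
    hours: tuple          # (start, end) time-of-day window
    how: str              # required access path, e.g. "vpn+mfa"

@dataclass(frozen=True)
class Request:
    who: str
    what: str
    how: str
    at: datetime

def evaluate(req: Request, grants: list) -> tuple:
    """Never trust, always verify: deny unless one unexpired grant matches
    every attribute of the request. Returns (decision, reason)."""
    for g in grants:
        if (g.who, g.what) != (req.who, req.what):
            continue
        if not g.why:
            return "deny", "no recorded justification"
        if req.at >= g.until:
            return "deny", f"grant expired on {g.until:%Y-%m-%d}"
        start, end = g.hours
        if not start <= req.at.time() < end:
            return "deny", "outside permitted hours"
        if req.how != g.how:
            return "deny", f"access via {req.how!r} not permitted, need {g.how!r}"
        return "allow", f"matched grant ({g.why})"
    # No grant for this system: a foothold in one partition implies nothing elsewhere.
    return "deny", "no grant for this system: access is never implied"

# Constructed sample data (hypothetical account, ticket and system names).
GRANTS = [
    Grant("anna", "CHG-0042 POS maintenance", "pos-backoffice",
          datetime(2024, 1, 31), (time(8), time(18)), "vpn+mfa"),
]
REQUESTS = [
    Request("anna", "pos-backoffice", "vpn+mfa", datetime(2024, 1, 10, 9)),   # allow
    Request("anna", "pos-backoffice", "vpn+mfa", datetime(2024, 1, 10, 22)),  # deny: hours
    Request("anna", "pos-backoffice", "vpn+mfa", datetime(2024, 2, 1, 9)),    # deny: expired
    Request("anna", "pos-backoffice", "rdp", datetime(2024, 1, 10, 9)),       # deny: method
    Request("anna", "webshop-db", "vpn+mfa", datetime(2024, 1, 10, 9)),       # deny: other partition
]
```

Running `evaluate(r, GRANTS)` for each request in `REQUESTS` yields one allow and four denials, each with the reason that an access log or review should record.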
Four take-aways for digital assurance
Firstly, it is important to know your goals, the assets that are most valuable to you and the risks that are related to them. Secondly, when you protect against these risks, the measures have to be proportional. Besides this 'protect surface' thinking, knowing exactly which regulations apply to you is essential.
Finally, it is great if you know that you are digitally in control, but you need to be able to show it to others as well. A proactive ‘in control statement’ is the solution for that. I consider this last takeaway the most important one, not least because you need the other three to make the in control statement the right way.
Asking the right questions
As a CEO, founder or board member you ask yourself questions during your business process. What are my goals? What sells best? What can we do better? You can ask similar questions about your digital assurance. I will leave you with these questions to think over.
- What goals do we have regarding information risks, security and assurance?
- What are our most valued assets?
- What lessons can we learn from the last twelve months?
- How can we measure our information assurance and how does it contribute to our business goals?
- How do we use our IT investments and how do we measure it?
Do you want to know more about digital assurance? Don't hesitate to contact Anove.