Identifying mission-critical information assets is essential in designing an effective security architecture. What assets demand the best defenses and protection?

Protecting information and data has never been as vital as it is today. The dawn of stringent data protection and privacy laws such as the General Data Protection Regulation (GDPR) and ePrivacy Regulation (ePR) not only reaffirms the importance of data, it also raises the stakes for those that collect, handle, and store data. Reports of continued data breaches, despite the new policies, further drive this point.

According to an IBM study, the cost of a data breach has increased, pegging the average cost of a data breach at US$3.86 million in 2018. But organizations are likely to pay even more due to fines from violating data protection laws, as was the case for UK British Airways (fined US$230 million), Marriott (fined US$124 million), and Equifax (fined US$575 million). Each report highlights the constancy of threats, the costly consequences, and the security holes that make breaches possible.

Given these factors, organizations should begin to reevaluate if their resources are enough to protect the data that they collect, store, and process.

What are an organization’s critical information assets?

To begin with, organizations must first identify their mission-critical information assets that, if compromised, would cause major damage to the business. Different industries hold different forms of data, or the same data but held with varying degrees of importance; information assets can also take on different forms for different organizations.

Here are broad classifications of information that organizations may consider as their crown jewels.

• Competitive information. This type of data is at the core of every business. It involves trade secrets, R&D information, or any kind of information that gives a corporation its competitive advantage. This could be long-held business secrets that defines the company identity. For a pharmaceutical company, it could be the formulas of their products. This could also include collected operational data (such as competitor information, projection data, and customer metrics) that drive company decisions.
• Legal information. Documents like copyrights and contracts that have legal bearing are some of the most confidential and crucial information that organizations protect. Such documents make official conditions and agreements made by the organization with separate entities such as customers, third-party contractors, or employees. They also legally protect an organization’s intellectual property and other assets.
• Personally identifiable information (PII). This particular type of information is at the heart of many data protection laws, most notably that of the GDPR. PII could be customer or employee information that could be used to identify individuals.
• Data from daily operations. Depending on the business, any of the other types of information above could fall into this category of data. Each department in an organization have specific data that they modify or use every day and is necessary for the company’s daily operations. Human resources, for example, handle data like employee salary or health information, and are therefore involved greatly in the handling of employees’ PIIs.

According to Trend Micro and Ponemon’s Cyber Risk Index (CRI) the top types of data at risk—R&D information, customer accounts, trade secrets, and confidential company data— fall under at least one of these categories. Cybercriminals can tailor their attacks on the kind of information that they want to target. They could also choose their target based on which would be the most within their reach, because a company has directed its security resources elsewhere.

How can organizations identify mission-critical assets?

Organizations may have different categorizations for the data and information that they store, but each organization must establish a definitive set of parameters for defining their mission-critical information assets. Some factors they can consider for choosing which assets to protect are the following:

• VALUE. Data that an organization has chosen to record and store must have an innate value. This value can change or depreciate over time. Organizations should be able to evaluate what value the data brings to their company and how much it influences their processes.
• RISKS. A good way to evaluate how important data is would be to anticipate the kind of threats and risks that they might inspire. Is it the kind of data that would interest malicious actors? How accessible is it? By answering similar questions, organizations can assess the level of risk level certain information might face and elevate its protection.
• IMPACT. What would be the consequence if an attacker compromises or steals certain information? If the impact is big enough that it cascades beyond organization borders —if it affects the safety and security of several customers, for example — then organizations should consider protecting this information as a critical asset.

What important data should enterprises protect?

The point of identifying critical assets is to determine the best way to distribute resources and design an appropriate security structure that minimizes the risks associated with the potential breach of these assets. However, an organization must still acknowledge that data that has not been identified as mission-critical still has an inherent value, and must be accounted for. We list them below.

PUBLICLY AVAILABLE INFORMATION

Enterprises need to have certain information about them publicly available, through websites that help potential customers. Individual employees are likely to own social media accounts as well. All this information, though deemed harmless enough for the public, could be useful for malicious actors performing reconnaissance before an actual attack.

COMPANY STRUCTURE AND CULTURE

This information is deeply integrated in the company, and is likely difficult to put into words or actual data. However, it can be surmised through observation and word-of-mouth. Just as such information may be important to perspective employees and customers, hackers can use it to design the social engineering aspect of their planned attacks. They could, for example, use such information to pose as a high-ranking executive.

NETWORK INFRASTRUCTURE

Hackers could use a legitimate tool like NMAP to send specially crafted packets to the target host and then analyzes the responses. It could further discover hosts and services and operating system detection. In the wrong hands, knowledge of an enterprise’s network infrastructure could let a hacker customize a more efficient campaign.

The information listed above are those an organization must have control over. This means, an enterprise must be aware that this information is out there, if publicly available. Although perhaps harmless by themselves, they could become tools that would allow attackers to penetrate initial defenses.

How can organizations protect their mission-critical assets?

As mentioned earlier, the first real step for organizations would be to know their data better than anyone else. We summarize our recommendations in the following steps.

1. Map the data. This step involves knowing what data is being collected and where all of it is being stored. In this step, organizations should also note the information that can be garnered from the combination of different data, when analyzed together. This gives an overview of which areas or departments hold critical data.
2. Identify the critical data. From the mapped data, organizations can begin to identify or perhaps reevaluate their mission-critical data. This is done to prioritize security resources and identify the risk level they are prepared to take to defend these assets.
3. Assess threats. Organizations must anticipate and recognize the possible threat actors that might target the information and assets that they hold. This can help them design and prepare defenses that can defend against known techniques of malicious groups.
4. Plan and implement necessary security measures. Using the knowledge gathered from the first step, organizations can begin to formulate security measures to protect their critical assets. And a good place to start would be to ensure the encryption of data both at rest and in transit to reduce the impact of it falling into the wrong hands.

Overall, organizations should implement strong network defense that would block threats from various entry points, preventing them from reaching identified mission-critical assets. A multi-layered connected network defense and complete visibility into all network traffic, in addition to next-generation intrusion prevention system (NGIPS), can help organizations stay a step ahead of threats that could compromise intangible assets.

Enterprises can also add an extra layer of security through Trend Micro XGen™ security, which provides a cross-generational blend of threat defense techniques. It uses machine learning technology to proactively and efficiently detect the maliciousness of previously unknown file types, ensuring that data centers, cloud environments, networks, and endpoints are protected against a full range of threats.