All sensitive and proprietary information, not just subsets of that data, must be accounted for in addressing and mitigating cybersecurity threats. Protection of those information assets must be addressed not only within the company, but also with its external vendors, contractors, and other partners. The headlines are replete with security breaches that resulted from a business entrusting its data to a third-party vendor that had inadequately protected its systems.
When assessing security measures, the CIA triad should be a foundational requirement. Specifically, security controls must be designed to address not only the confidentiality of data, but also the integrity and availability of that data. Hackers know all the tricks. If they cannot get access to data, they may instead target denying others that access or find ways to corrupt the integrity of that data.
Never underestimate the effectiveness of social engineering and other similar "non-technical" attacks. Every business experiences these attacks on a daily basis through phishing and other means. Appropriate, repeated training for employees is one of the most important steps in mitigating this substantial threat.
Applicable laws and standards require businesses to do what is reasonable to address threats. That means devoting an appropriate level of investment that balances usability against security. Striking an adequate balance is key to designing a successful cybersecurity approach.