The CIA triad: Fundamental information security principles you need to follow

March 29th, 2021
Cybersecurity may be an ever-expanding field, but it remains rooted in three basic information security principles, namely, confidentiality, integrity, and availability (CIA). Let’s take a closer look at each of these so that you can check them against your own company’s data security strategies.

Confidentiality

First and foremost, you only want authorized users to have access to your data. Here are but some examples that illustrate the importance of data confidentiality:

  • You have invested heavily in your R&D and have come up with product formulations that you believe will take the market by storm. You don’t want those formulations to fall into your competitors’ hands.
  • You have amassed the medical histories of patients. They’re already suffering illnesses, so you don’t want them to suffer the social stigma surrounding those illnesses by letting the public know what they have.
  • You do business with third parties all the time. You don’t want phishers to get wind of your current business dealings and trick account managers into funneling payments to the phishers’ accounts.

To keep company data safe from the wrong hands, you can apply the following methods:

  • Keep it under lock and key – Before users can access your network, use firewalls and identity authentication measures (such as strong passwords and thumbprint scans) to block unauthorized users. You can keep extra-sensitive data in micro-perimeters so that successful network intruders can’t access it.
  • Use encryption – Whether you are storing or transmitting data, you can encrypt it so that those who might steal the data can’t actually read it.
  • Assign access permissions – Only grant users access to the data they need to do their jobs. This way, if ever a hacker takes over a user’s account, they will only be able to steal the data that user has access to. And if the user is quick to report the account takeover to IT admins and the admins immediately revoke the compromised account’s access, then that hacker might not get to steal much data after all.
  • Train employees on cybersecurity best practices – With so many cybersecurity tools smartening up thanks to artificial intelligence, cybercriminals are focusing more and more on easier targets: human users. This is why you need your staff to be aware of good password hygiene, master proper data protocols (such as verifying supplier account number changes as legitimate), and have the ability to recognize phishing emails and bad attachments.

Integrity

In 1982, seven people died in Chicago because they ingested Extra-Strength Tylenol capsules that had their contents partially replaced with cyanide. This led Johnson & Johnson to change the capsules into caplets and initiate the use of tamper-proof packaging — a practice that both the pharmaceutical and food industries employ to this day.

Clearly, product tampering has grave consequences, which is why even the mere threat of it can diminish consumer confidence in a producer and lead to reduced earnings, layoffs, or even closure. Consumers need to be able to trust in the integrity of their foods and medicines, otherwise the economy will take a hit because no one will be willing to purchase such consumables.

In a similar fashion, businesses like yours must keep the integrity of your data intact. That is, you must keep the data unchanged during storage, transmission, and usage — unless legitimate processes and users update this data. If even a little bit of company data is contaminated, then the veracity of entire datasets can be put into question.

For example, let’s say the clinical trial data pertaining to the effectiveness of a COVID-19 vaccine were injected with flu vaccine effectiveness data. This may result in the clinical trial data being thrown out and a new clinical trial being initiated, setting back the approval and distribution timetable for the vaccines. And with the novel coronavirus mutating into new strains, the longer it is allowed to spread across human populations, the more the vaccines lose their effectiveness in abating the pandemic.

To maintain the integrity of your data, you need stringent access controls plus proper backups so that you can revert data back to its uncompromised state.
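
The integrity requirement above, detecting changes made outside legitimate processes and reverting them from backup, shown as an added example that is not part of the original article. The keyed manifest approach, the function names, the demo key and the sample trial records are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

# Constructed demo key; in practice keep it outside the data store it protects.
MANIFEST_KEY = b"constructed-demo-key"

def record_tag(rid, record):
    """HMAC-SHA256 over a canonical JSON encoding of one record."""
    payload = json.dumps({"id": rid, "data": record}, sort_keys=True).encode()
    return hmac.new(MANIFEST_KEY, payload, hashlib.sha256).hexdigest()

def build_manifest(dataset):
    """Run by the legitimate update process whenever data is written."""
    return {rid: record_tag(rid, rec) for rid, rec in dataset.items()}

def find_tampered(dataset, manifest):
    """Ids changed, added or deleted outside the legitimate process."""
    bad = []
    for rid in sorted(set(dataset) | set(manifest)):
        tag = manifest.get(rid)
        if (rid not in dataset or tag is None
                or not hmac.compare_digest(tag, record_tag(rid, dataset[rid]))):
            bad.append(rid)
    return bad

def restore(dataset, manifest, backup):
    """Revert flagged records, trusting a backup copy only if it verifies."""
    restored, unrecoverable = [], []
    for rid in find_tampered(dataset, manifest):
        if rid not in manifest:
            del dataset[rid]  # injected record that was never legitimately written
            restored.append(rid)
        elif rid in backup and hmac.compare_digest(manifest[rid], record_tag(rid, backup[rid])):
            dataset[rid] = backup[rid]
            restored.append(rid)
        else:
            unrecoverable.append(rid)
    return restored, unrecoverable

def demo():
    # Constructed sample data: trial results keyed by participant id.
    trusted = {"p001": {"arm": "vaccine", "infected": False},
               "p002": {"arm": "placebo", "infected": True}}
    manifest, backup = build_manifest(trusted), json.loads(json.dumps(trusted))
    live = json.loads(json.dumps(trusted))
    live["p002"]["infected"] = False                      # silent modification
    live["p999"] = {"arm": "flu-study", "infected": False}  # injected record
    flagged = find_tampered(live, manifest)
    return flagged, restore(live, manifest, backup), live == trusted
```

A record whose backup copy also fails verification is reported as unrecoverable rather than restored, which is why the backup and the manifest key need to sit behind separate access controls from the live data.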

Availability

Modern businesses run on data: customer information, order information, inventory tracking information — so many types of data that your business can’t afford to lose access to. There are three ways in which your data may become unavailable:

  • It is deleted – Data deletion can happen by accident, such as when on-premises servers get destroyed in a flash flood. Data can also be deleted intentionally, be it by internal or external saboteurs.
  • It is locked away or becomes inaccessible – Ransomware can encrypt your data and keep you locked away from it until you obtain the decryption keys for it. Power outages can shut down your servers and make the data they hold inaccessible until the power comes back on.
  • Your data processing power is inhibited – Attacks on your servers, such as distributed denial-of-service attacks, can overwhelm your machines so much as to make your websites and apps frustratingly unresponsive. Customers may leave you for your competitors, and your staff can lose man hours being unable to accomplish their tasks.

To mitigate all of these data availability issues, you need data backup systems, disaster recovery strategies, backup power generators, and immediate access to extra bandwidth and processing power.

Tl;dr: Employ information security principles in your cybersecurity strategy

Your cybersecurity strategy must always be oriented toward maintaining the confidentiality, integrity, and availability of your data. To help you create a CIA mindset in your organization, turn to HERO Managed Services LLC. Consult with our IT experts to learn more.

