When I’m talking to people about cybersecurity, one of the questions I encourage them to ask themselves (and their team) is, “How are we protecting our digital assets?” To answer this question, you need to know what your assets are, where they are stored, and what you need to protect them from.

binders

What do I need to protect?

First, you need to figure out what assets actually need protecting. Different digital assets may require different levels of protection. For example:

  • Email. We all know it’s important for email to remain up and functioning, but how important is it to keep all emails, and for how long? Different companies will have different answers. Many companies have the culture of “save everything” and use their email as a document management system of sorts. Yuck, but okay. Others strive to keep as little email as possible.

  • Archive documents. Documents that you need to keep for historical purposes, but don’t get changed once they’re archived. These might have different backup requirements.

  • Public documents. These are documents that could be published on the front page of the Times without it hurting the company. These documents don’t require the level of access control that, say, your finance system does.

  • Corporate secrets. This is the stuff that, if compromised, could end you. Whatever your equivalent of the Coca-Cola recipe is. This is the stuff that needs to get backed up, that needs significant access control, and must be tamper-proof.

Where’s the data?

This is an awkward question to ask because most systems administrators won’t like to admit the truth: they don’t necessarily know. I mean, we know where we tell users to keep it (in SharePoint! On the T: drive! In the corporate Google Drive account!)… But the reality is users are going to store wherever makes sense to them. So part of this exercise must include an enforceable policy on where to save the data (more on this another time). For now, answer to the best of your ability. Let’s say it’s an old-fashioned SMB file share and not the CFO’s personal dropbox account.

What are we protecting from?

Close your eyes and imagine what a really bad day for your company looks like. I do this a lot. Here are a few examples:

  • Ransomware encrypts and locks files
  • Database with all employee salaries is downloaded and shared with all staff
  • Public website defaced and online payments routed elsewhere
  • CEO accidentally deletes an important presentation that was saved on their desktop.
  • Customer credit card numbers compromised and sold.
  • Firewall crashes and you cannot access your cloud-hosted files because Internet is down.

Write your answers down

Believe it or not, you just took the first steps towards writing your very own disaster recovery plan. It’s that easy! These are questions you must answer as part of your plan. In a future post, we will discuss the bare bones of digital asset protection.

Photo by Samuel Zeller on Unsplash