Protecting your crown jewels in today’s Information Age

Dec. 27, 2016
Mission-critical information assets represent the majority of value for organizations of all sizes

We find ourselves in the midst of a digital revolution which continues to grow rapidly. Both organizations and individuals have become fully immersed in today’s “Information Age”. We are generating and consuming information at an astounding rate, contributing to the information explosion and leaving behind an extensive information footprint in digital, physical and spoken formats. This trend is set to continue: global data volumes are forecast to reach 44 zettabytes (44 trillion gigabytes) by 2020.

Today, valuable information is used to compete and succeed in a global market; intangible information assets can represent 80 percent or more of an organization’s total value. Given this, organizations must prioritize the protection of their mission-critical information assets. These assets require clear ownership and heightened protection due to the risks to which they are exposed.

Determining Your Mission-Critical Information Assets

For centuries, organizations have been acquiring, producing, leasing, licensing and selling assets. Accounted for in financial statements, these assets represent an organization’s wealth and financial stability. This makes them vulnerable to theft and fraud. As a priority, organizations should focus on those assets that are of the highest value and risk – commonly referred to by business leaders as the “crown jewels”.

Assets such as property, plant and equipment are tangible whereas information is an intangible asset. There are two types of intangible assets:

  • Legal – such as trade secrets, copyrights, and customer lists
  • Competitive – such as company culture, collaboration activities and customer relationships

Both types are essential drivers of competitive advantage and shareholder value today. It’s common to view the value or importance of information by using a simple classification chart (e.g., negligible, low, moderate and high); however, mission-critical information assets represent only the very tip of the highest layer. Information of high business value or impact could still register as “high” or “critical” but not necessarily be designated as mission-critical. Traditional risk assessment approaches would not identify this information separately, so mission-critical information assets typically require a different approach to identification.

Recent Information Security Forum (ISF) research uncovered two main factors that typically influence whether or not an information asset is classed as a crown jewel:

  • Its value to the organization
  • The potential business impact if compromised

At the ISF, we refer to information assets with a high value and business impact rating as “mission-critical information assets”. Examples of mission-critical information assets include:

  • Information that supports overall business operations, e.g., board papers, M&A or upcoming redundancy plans
  • Material relating to possible and planned future products and services, e.g., formulas for new drugs, engineering specifications or upcoming exploration locations
  • Information relating to promoting and selling an organization’s products and services, e.g., noncompetition agreements, competitive analysis or an upcoming marketing campaign.

When identifying mission-critical information assets, organizations should take into account the extent to which:

  • The information asset contributes to, or supports, business value (e.g., business revenue; competitive advantage; operational effectiveness; and legal, regulatory or contractual compliance)
  • The business could be impacted in the event of the confidentiality, integrity or availability of the information asset being compromised, considering any financial, operational, legal/regulatory compliance, reputational, or health and safety implications.

With Value Comes Significant Risk

Business leaders often consider the value of mission-critical information assets, but fail to recognize the extent to which these assets are exposed to threats and the potential business impact should they be compromised. These assets often attract the attention of highly motivated, capable and well-funded adversarial threats, such as unscrupulous competitors, nation states, and organized criminal groups. The extensive footprint of these assets provides more opportunities for attackers to gain access.

There are four challenges commonly experienced by organizations in the protection of mission-critical information assets, each of which can be addressed by applying the ISF Protection Process, a structured and systematic five-phase process for determining the approaches required to deliver comprehensive, balanced and end-to-end protection. These challenges include:

  1. Many organizations have not identified all mission-critical information assets.
  2. Organizations often value mission-critical information assets but fail to consider the type or level of risk to them.
  3. An incomplete or inaccurate view of the factors influencing the real level of risk to mission-critical information assets leaves gaps in protection.
  4. Organizations typically rely on conventional approaches to deploying security controls for mission-critical information assets, leaving them vulnerable to attack.

Recent ISF research found that different types of mission-critical information assets will often require innovative, advanced and sometimes unique protection approaches, supported by a range of security controls. Unfortunately, many organizations simply do not know what their mission-critical information assets are, where these assets reside or who is responsible for them. Few organizations have given focused attention to defining their mission-critical information assets across the enterprise. As a result, these assets are frequently incorrectly classified and poorly managed.

The protection of mission-critical information assets requires the involvement of different stakeholders throughout the organization. Business leaders, information owners, legal experts, as well as IT and security specialists are all required to play a role.

Threats to Mission-Critical Information Assets

Mission-critical information assets and associated footprints are exposed to a broad range of threats that, collectively, can be described as a threat landscape. The threat landscape comprises three common groups of threats – adversarial, accidental and environmental – and some threats can appear in multiple groups. For the purpose of this discussion, I’ll focus on threats that are adversarial in nature.

Adversarial threats are individuals or groups who are committed to achieving a particular – often malicious – objective. Mission-critical information assets often attract the attention of highly motivated, capable and committed adversarial threats. These sophisticated and well-resourced adversarial threats often have access to:

  • Many highly skilled individuals
  • Extensive financial resources
  • Advanced or specialist technical capability
  • High capacity network bandwidth

There is no industry sector immune to adversarial threats. Adversarial threats present a formidable and hostile environment within which organizations operate, especially if different threats are combined. These threats typically target mission-critical information assets using a multitude of techniques and methods over an extended period of time, including sophisticated cyber-attacks. Threat events are often initiated in a particular sequence, forming a five-stage cyber-attack chain.

If highly motivated threats are not managed effectively, they will lead to security incidents, including those caused by serious cyber-attacks, potentially resulting in considerable and long-term business impact.

Conventional Protection Approaches Fall Short

Some organizations implement a compliance-based approach to protecting particular information, which is unlikely to single out mission-critical information assets for specialized protection. This can result in significant gaps that remain undiscovered until a security incident occurs.

Other organizations apply a risk-based approach, although research indicates that in many instances these efforts are not focused on the risks specific to mission-critical information assets. Consequently, important activities such as detailed analysis of the threats or accounting for the complete footprint can be overlooked.

For many organizations, the skills shortage, combined with investment constraints, inhibits their ability to build on existing approaches to provide balanced and comprehensive protection. A common side effect is an over-reliance on fundamental controls and a lack of enhanced and specialized controls.

Go Above and Beyond Conventional Protection

Mission-critical information assets demand and justify the additional investment to ensure these assets are adequately protected. However, greater protection does not just mean performing additional security activities or purchasing more security products. To protect mission-critical information assets, including their footprint, a range of different protection approaches is likely to be needed for different types of mission-critical information asset. Information security practitioners have to think and plan beyond existing protection capabilities and security controls to provide owners of these information assets with protection that is:

  • Balanced, providing a mixture of informative, preventative and detective security controls that complement each other
  • Comprehensive, providing protection before, during and after threat events materialize into security incidents
  • End-to-end, covering the complete information lifecycle.

This will enable organizations to match the protection provided with the sophistication of threats to mission-critical information assets. Organizations should also consider controls that are:

  • Automated, to complement manual security controls and help ensure greater levels of protection can be maintained
  • Fast, operating in real time, supporting decisions that need to be made immediately
  • Resilient, being resistant to direct attack by highly capable and committed threats.

While the need to provide mission-critical information assets with specialized protection can appear obvious, organizations often experience difficulties in identifying these assets, evaluating the extent of their exposure to adversarial threats and understanding the true level of risk to the organization. Consequently, many organizations do not adequately protect their mission-critical information assets and are vulnerable to a range of attacks, including serious cyber-attacks.

In contrast, ISF research has revealed that some organizations demonstrated “good practice”, providing the necessary high levels of protection for mission-critical information assets. These ISF members invest time and resources in a range of security activities, which form part of a broader set of good practices in information risk management and information security.

Risks are Considerably Miscalculated

Mission-critical information assets represent the majority of value for organizations of all sizes. However, the risks these assets attract are significantly underestimated and high profile breaches continue. I can’t stress enough that organizations must act now to identify their mission-critical information assets and ensure these assets receive balanced and comprehensive protection. In summary:

Balanced

  • Deliver appropriate, additional layers of preventative and detective security controls.
  • This will provide early warning of emerging or imminent threat events, enabling a balanced set of end-to-end controls to counter the main adversarial threats.

Comprehensive

  • Apply fundamental, enhanced and specialized controls throughout the information life cycle.
  • This will reduce potential gaps in protection due to an extensive footprint, supporting comprehensive and end-to-end protection.

Anything less leaves known risk in your organization.

About the Author: Steve Durbin is managing director of the Information Security Forum (ISF). His main areas of focus include the emerging security threat landscape, cyber security, BYOD, the cloud, and social media across both the corporate and personal environments. Previously, he was senior vice president at Gartner.