The What and The Why.
This is Episode 1 of Designing Your Cyber Security Infrastructure, where I will guide you through designing a secure IT infrastructure to protect your organization and your data. This is a multi-part series where I will talk about different concepts from the viewpoint of business processes and provide you with the know-how and the resources to implement them. If you are looking to secure your organization and its data or are just trying to understand how a cyber-security infrastructure is designed, this series is the perfect fit!
Let’s start with the basics. What is Cyber Security?
Cyber security is the application of technologies, processes, and controls to protect systems, networks, programs, devices and data from cyber attacks. It aims to reduce the risk of cyber attacks and protect against the unauthorised exploitation of systems, networks, and technologies.
In simpler terms, it is the process of protecting any and all data, people, tools, technologies, infrastructure, and processes that occupy digital space or operate on a digital medium. So everything from protecting your passwords and sensitive data on your computer to protecting physical manufacturing plants that are automated using computers falls under cyber security’s domain. Since most business practices are now carried out on a computer, businesses need cyber security more than ever, just on different scales.
It’s a widely held belief that “since we are a small business nobody is really looking to hack us”. Well… that’s not really true. While larger businesses attract more malicious actors due to their scale and the sensitivity and value of their data, smaller businesses are weaker in terms of security, which makes them an easier fish to fry. A person might not be actively looking to hack you specifically, but there is always a chance that they stumble upon you. When a new virus, malware, ransomware attack, or phishing campaign is launched, it is usually aimed at a mass of targets. This is because the probability of success is pretty low. When one of these attacks succeeds in breaching whatever it is targeted at, it either sends the hacked data directly to the attacker or gives the attacker knowledge of possible weak links within your IT structure. This gives the attacker a target and a reason to try further attacks specific to you… And it would be pretty unfortunate if you got caught in one of these attacks.
Another common false idea is that “we don’t care if we get hacked, we don’t really have anything to protect”. There are usually 3 categories of things a cyber attack is aimed at — 1. Valuable Data, 2. Financial Loss, 3. Infrastructure Damage.
What data classifies as Valuable Data? Any and all data that can cause harm to a person or business in a sentimental, financial, or physical manner and/or violates a person’s privacy is termed valuable data. This includes Personally Identifiable Information (PII) that can identify a person uniquely, such as Name, Driver’s License, Financial Records, Medical Records, Credit Card Information, Passport Information, Aadhaar Card, and Address. Another form of Valuable Data is the Intellectual Property of your business. Intellectual property (IP) refers to creations of the mind, such as inventions; literary and artistic works; designs; and symbols, names and images used in commerce, industrial designs, trade secrets, copyrights, patents, and business processes.
Theft or leakage of the PII of your employees or customers/users is a direct violation of the privacy of those individuals. Loss of trust and reputation, lawsuits, and fines imposed by the government are some outcomes of an attack leading to theft/leakage of PII. (Real-life Example: Paytm Hack | Discord Breach) IP, on the other hand, can be abused in 2 ways. It can be stolen and sold to your competitors, or it can be damaged in a way that it is not usable by you anymore. Either way, you would lose all the competitive edge you may have and see all of your hard work go down the drain. (Real-life Example: Rockstar Games Hack)
Financial Loss is another form of threat. This refers to an attack that is aimed at stealing your organization’s banking account details to directly transfer funds, or at making an employee do the same by means of blackmail or fraud/phishing. (Real-life Example: Thane Bank Hack | Pune CEO Phishing Scam)
And lastly… Infrastructure Damage. Cyber attacks that damage your business infrastructure and leave you unable to function normally fall under this category. For example, a DDoS attack on a web application used by your employees may not cause direct harm to your customers, but it prevents your employees from doing their job. (Real-life Example: AIIMS Hack | MGM Resorts Attack) Or, if you use automated systems in a product assembly line, an attempt may be made to change your production line process, resulting in damaged or defective goods, which may set you back months in production. (Real-life Example: Colonial Pipeline Hack | Stuxnet Worm)
And if all of that is not that important for you, there are also various government regulations and laws that, depending on the nature of the breach, the domain of the business, and the regulatory body, impose heavy fines when a breach is discovered. (Real-life Example: DPDP Breach Fine)
Now that we know the ‘what’ and, more importantly, the ‘why’ of cyber security, we can jump into designing our own secure IT infrastructure.
In the next episode, I will show you how to design and write an IT Security Policy and its SOPs and also provide you with the resources to write a policy that suits your organization’s needs.
If you are completely new to IT and Cyber Security, I would recommend you check out the Cyber Security Glossary, where I have defined some basic terms that we will be discussing throughout this series.
And if You Need Help…
If you ever need any help or advice, whether that be creating your own IT Security Policy or help with your Web Application Security, Security Audits, or any other cyber security-related requirements, please don’t hesitate to get in touch.
Who’s “us”? We’re Kalp Systems, a market-leading service provider of end-to-end Cybersecurity services. We help organizations build, manage and monitor successful Cybersecurity programs, securing systems more effectively and improving Governance, Risk Management & Compliance with a wide variety of regulatory frameworks.