In the field of information security, confidentiality, integrity and availability (CIA) is a well-known acronym. Many people would be led to believe that confidentiality is the most important component of CIA, but I would argue this is not the case.
There is no company that does not need to maintain integrity of its business data, customer or other information. Indeed, some types of business are mandated to do so, for example by the US Sox legislation and country-specific accounting legislation. Clearly, the banking and insurance industries would suffer greatly, if for example the account balances or sums insured were changed by malicious insiders or criminals.
Yet, from discussions with executives and individual business line managers, there seems a low level of awareness of the importance of keeping company data protected against unauthorised changes, in other words protecting the integrity of the data.
The question is not whether your company might need to care about the integrity of key data, it is: “Is there data that should not be protected against unauthorised changes?” I would argue that the list of such data repositories in most businesses is fairly short. In fact, the vast majority of business-generated data requires various levels of integrity assurance.
Now let us look at ways of ensuring that enterprises design and implement sufficient security controls.
Read more Security Think Tank articles about dealing with data integrity attacks
- Governance and oversight key to data integrity.
- Under-the-radar data integrity attacks expected to rise.
- Integrity attacks tough, but not impossible to spot.
- Data integrity breaches – the challenge facing banks.
- Build in controls to protect against data integrity attacks.
- Data custodians likely to be top targets of integrity attacks.
- Data integrity attack could happen to any company.
- Three strategies against data integrity attacks.
There is no need to reinvent the wheel. There are well-established international standards that recommend/mandate security controls to protect data. My favourite is the cyber security framework by Nist (US National Institute of Standards and Technology), supporting Nist SP 800-53.
For impatient executives, here are seven key controls to consider:
- Document processes that generate, receive or process data. At the very least, indicate the criticality, actor and data stores.
- Implement correct access controls, taking into account the CIA requirements from the previous exercise.
- Train your users in cyber security best practices.
- Implement data integrity checks, for example to analyse whether data has been changed in bulk or is in an unexpected pattern.
- Monitor access to data and its changes: look for anomalies, policy violations, bulk changes and unusual patterns.
- Ensure applications behave as expected even under attack by following good app security practices.
- Plan for inevitable incidents of loss of data integrity.
To conclude: be prepared to fight to save your business by protecting business data integrity.
Vladimir Jirasek is managing director of Jirasek Security.