This is nothing new. You need to protect your systems, but what do you actually need to do, and how much do you need to spend to do it?
First, what are you protecting? I am guessing an operating capability and also information. Ask the question: if the whole of your IT goes down, will it affect you?
What is it worth? I tend to think that your operating capability and your information make up much of your business's worth (if your business has an IT-type function).
What would happen if your business got done over? For instance, all of your servers hit by a massive ransomware incident, or a competitor looking to grab confidential (perhaps IPR) documents. The three scenarios we often talk about are Confidentiality, Integrity and Availability, in other words someone has:
- grabbed your database with all your users on it, or your confidential documents (confidentiality)
- changed your data to invalidate the information you hold, or to undermine your credibility (integrity)
- blocked access to your systems so your business cannot work, delaying your processing or causing an outage (availability)
No one wants to spend money unnecessarily, though no one wants to leave themselves exposed to unnecessary risk either. Think about worst-case scenarios for each of the three above and capture how much it would cost you if you were hit. Risk is essentially the impact of a compromise multiplied by the likelihood of the compromise occurring, so a rare but devastating event and a minor but weekly one can carry a similar level of risk, and both deserve a look.
The GDPR this year is going to change the field. Under certain circumstances you need to notify the supervisory authority of a personal data breach (within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals), and where the risk to individuals is high you must tell the affected people as well.
Other articles will look at Information Governance, Risk Management and Threat Modelling methodologies to help us work out what we need to do. But until we know what our crown jewels are, where our doors and windows are broken, and who actually wants to steal our stuff, we can't work out what type of burglar alarm we need.