It’s all about the risk, bout the risk…
It never helps to start a blog with ‘please keep reading and it will become apparent’ – but here goes.
In this blog we are thinking about controls, and the types of controls you place around certain scenarios. Initially we aren’t talking about cyber – instead we are talking about a subject close to a number of people’s hearts – sheds.
Let me set out three different scenarios for you. Once you have read each one, compare the answer you have formulated in your head with my answer. Then we will move back into the information and cyber space to conclude.
Question: You have a shed with nothing in it. What lock (if any) do you put on the door?
Response: This is a fairly straightforward question and answer. For me, I might not pop a lock on at all (so people can see it’s empty), or I might use a cheap privacy lock to stop people hoarding things in my shed.
Question: You have a shed with quite a nice bike in it. What sort of lock do you pop on the shed? Might you do anything else to protect the bike?
Response: I think the first thing you would probably do is ask what the value of the bike is. You also might want to check your insurance documents, to make sure it’s insured when it’s in the shed (if not, you might add it to the insurance).
You might add a ground anchor in the shed (a securing bolt mounted into the ground and then attached to the bike) in addition to the shed lock. You might buy a specialist lock (again, based on the insurance requirements).
Question: You inherit a number of boxes after the passing of a relative. Explain your thought process about where you store them.
Response: The obvious question is what is in the boxes, and what the value of the items in them is. If we discover they are quite expensive or could easily get damaged, we might hire a local storage unit (with security) for a period of time whilst we sort through the boxes, before moving some into the shed, with appropriate locks, and others elsewhere.
These might sound like daft scenarios with regard to cyber and information, so let’s make the link between sheds and cyber. Think of the shed as your in-house IT. The items (bikes etc.) are your information; the insurance details are the contract, legislation and/or customer requirements that you need to conform to; and the padlock is the set of controls you use around the business.
Information Metrics
The value of your assets
Just like the bike or the boxes, you need to know what information you own, what the requirements around it are and what it’s worth. We then need to assess who would want the bike (or a box of diamonds, if that is what was in the shed) and secure it accordingly.
The size of your risk
Once we know what we have, and who is likely to want it, we can decide on the risk associated with it. For instance, we all instantly knew that a nice bike in a shed with a rubbish lock is high risk. However, we don’t always know the same about our IT (or our information).
The proportionality of your controls
We wouldn’t (knowingly) buy a lock that didn’t meet our insurance requirements, yet sometimes we do things with information that may fall foul of legislation, such as GDPR. So we need to understand what our requirements are, and then develop and test controls that are proportionate to our risks.
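As an added illustration (not code from the original post), the three steps above can be written down as a small risk register: each asset's value and attractiveness give a risk band, the required control is the stronger of that band and any external requirement (the insurance or legislation in the analogy), and anything whose actual control is weaker gets flagged. The ordinal scale, the asset names and the sample register are all constructed for this example; an asset whose value is still unknown is treated as high value until it has been classified, mirroring the secure storage unit for unsorted boxes.

```python
"""Toy risk register for the shed analogy.

Risk = asset value x attractiveness; the required control must satisfy both
the resulting risk band and any external requirement. The three-point scale
and the sample register are assumptions made for this example.
"""
from dataclasses import dataclass

# Ordinal scale used throughout (assumed; any consistent scale would do).
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class InformationAsset:
    name: str
    value: str            # impact if lost, leaked or unavailable ("unknown" allowed)
    attractiveness: str   # how likely someone is to want it
    requirement: str      # minimum control level demanded by insurer/contract/law
    control: str          # strength of the control actually in place


def classified_value(asset: InformationAsset) -> str:
    """Unknown value is treated as 'high' until the asset has been sorted,
    like hiring secure storage for unopened boxes."""
    return asset.value if asset.value in LEVELS else "high"


def risk_score(asset: InformationAsset) -> int:
    """Risk grows with both value and attractiveness (1..9)."""
    return LEVELS[classified_value(asset)] * LEVELS[asset.attractiveness]


def risk_band(score: int) -> str:
    """Collapse the 1..9 score back onto the three-point scale."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def required_control(asset: InformationAsset) -> str:
    """Controls must satisfy both the risk band and the external requirement."""
    band = risk_band(risk_score(asset))
    return band if LEVELS[band] >= LEVELS[asset.requirement] else asset.requirement


def assess(assets):
    """Return (name, current control, required control) for every asset
    whose control is weaker than proportionate."""
    findings = []
    for asset in assets:
        need = required_control(asset)
        if LEVELS[asset.control] < LEVELS[need]:
            findings.append((asset.name, asset.control, need))
    return findings


# Constructed sample register mirroring the three shed scenarios.
REGISTER = [
    InformationAsset("empty shed", "low", "low", "low", "low"),
    InformationAsset("nice bike", "high", "high", "medium", "low"),
    InformationAsset("inherited boxes", "unknown", "medium", "low", "low"),
]

if __name__ == "__main__":
    for name, have, need in assess(REGISTER):
        print(f"{name}: control is {have}, needs {need}")
```

Run as-is it reports the bike and the unsorted boxes as under-protected and says nothing about the empty shed. The point of `required_control` is that a control can be inadequate for two separate reasons: the risk itself, or an external requirement that is stricter than the risk would suggest, and the register has to check both.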
Summary
We will be using this analogy again, so stick with it, though if you do just one thing as a result of reading this blog, do this:
Try to understand what information is imperative for your business to operate, and then ask yourself: if this information were not available from tomorrow, for one month, how would it affect operations? If you don’t know, or the thought of a month without key information makes you shudder, it may be time to start assessing things.
It’s not all bad news – we can help you understand your business requirements and Cyber Essentials is a great way to perform this exercise. Perhaps you might want to put your trust in us and team up, for reassurance, certification and not a single shed!