In the early days of information technology, network security was a fancy way of saying that you had installed antivirus software on your PC. Today the threats are more sophisticated, encompassing ransomware, identity theft and phishing attacks. Your network security must evolve in scope and sophistication just to continue doing business as usual.
There’s a lot that goes into developing robust, multilayered security to safeguard your data and IT infrastructure, but it can be broken down into 3 principal pillars: Confidentiality, Integrity and Availability, otherwise known as the CIA triad.
3 Pillars of Network Security
A security solution that covers the 3 pillars ensures your business is protected against an attack and will be resilient in responding to and recovering from one.
A security solution that provides confidentiality ensures that access to data can be enabled or restricted for specific users based on their need to know.
For a medical practice this is a well-known HIPAA requirement. Staff who don’t need access to a patient’s files shouldn’t have it.
Data integrity refers to security controls that ensure data or system configurations are not modified in an unauthorized way.
For example, an account spreadsheet must be protected from unauthorized changes to ensure you can rely on the accuracy of the data.
Availability describes how data and applications remain accessible to users and processes through secure, authorized devices during production hours.
How to ensure data availability:
- Establish security controls for systems to protect against malicious attacks that affect uptime
- Build redundancy into server and network configurations
- Implement robust disaster recovery and business continuity planning
Knowing these 3 pillars is key. All 3 components must be considered alongside all the other elements in your business plan.
Tying Security Into Your Business Plan
Any technology or process put into place as a result of the business plan has to be measured against whether or not those components are secure. That’s why it’s more difficult to tack on security after the fact than it is to integrate it into your business planning process.
Let’s say, for example, your business plan calls for outsourcing payroll functions to a third party. Your plan should address essential security issues like:
- Which data and files should the vendor be allowed to access? (Confidentiality)
- What information are they permitted to alter? (Integrity)
- How and from where will they access your system and payroll information? (Availability)
Or, if your business is expanding and you need to add new servers, they will need to be regularly updated and properly configured. This ensures any security flaws are patched and that all workers – office or remote – can access the information they need to do their job.
Without a plan that addresses availability you run the risk of not knowing how long your systems will be down when IT disruptions occur.
When an IT Disruption Occurs
We have all experienced the helplessness of being unable to access email, the customer relationship management (CRM) database files on the server and other essential business apps.
Preventive measures are essential, but you also need to be prepared for the possibility that something – a phishing email, a tornado, a hail storm, a neighbor setting the sprinkler system off – could leave you without access to your systems. To prepare for this reality, consider these two important factors:
Maximum Tolerable Downtime (MTD)
MTD defines how long your business can remain shut down – without access to email, databases and essential apps – before it causes irreparable or unacceptable losses. This can be determined by thinking about disruption to sales and/or damage to your reputation or any other factors that might be impacted by downtime, like an employee revolt.
Your MTD might be a few hours or a few days. It will determine the level of investment and preparation you need to avoid downtime and recover from an IT disruption.
Recovery Time Objective (RTO)
RTO is your target time for restoring access to your data and apps. It is always going to be less than your MTD – your cliff’s edge. Your RTO should be realistic for the level of investment, preparation and testing built into your business plan. A security-focused managed services provider like VersaTrust can help you determine this.
Start Your Business Planning with a Security Assessment
Network security is intertwined with every aspect of your business, and there are many factors you need to consider as you evaluate your business plan. A security assessment helps organize the process and provides actionable insights that safeguard your business.
When we conduct security assessments, our in-house Certified Information Systems security professionals identify vulnerabilities and design customized solutions. After the initial evaluation we help you to:
- Incorporate the 3 pillars, MTD, RTO and proper budgeting in your business plan
- Implement and configure your applications for usability and security
- Monitor your network and perform routine upgrades
- Recover your network quickly in case of a disruption
Not all managed IT providers have the expertise to provide a thorough security assessment and align it to your business goals. We do. Contact us at (817) 595-0111 or email us to schedule an assessment.