Thursday, November 21, 2013

Cybersecurity meets psychology - Microsoft & Maslow

I received an interesting Tweet from Microsoft Security (@msftsecurity) regarding a report they published in conjunction with Oxford-Analytica.  Here is a link to the report titled "Hierarchy of Cybersecurity Needs: Developing National Priorities in a Connected World" (look for the link at the bottom of Kevin's article).

While the report is written at a national level, I think it is highly applicable to SMBs.  Modelled on Maslow's hierarchy of needs, it defines five levels of cyber security needs, each building on the one below it.  If lower needs are not met, they dominate; only as those lower-level requirements are satisfied do the higher-level needs become evident.

Let's take a look at how it breaks down, or builds upon itself, whichever you prefer.

Access - The first need of an SMB is secure access to the network.  Without secure access to shared resources such as files/folders, databases or printers (even the Internet itself is a resource in this case), no SMB can function at an acceptable level of efficiency.  This is true even in more traditional scenarios: POS terminals and credit card processing systems require access to their respective networks in order to perform their functions.  In other words, without access to a network, people and machines cannot fulfill the basic needs of the organization.

Resilience - Once the need for access has been fulfilled, the organization and its personnel need the network to be reliable.  If the organization's network is not resilient and staff cannot reach the resources they require to do their job, a breakdown occurs.  The IT industry has made resiliency a core requirement of any quality network design: there should be no single point of failure whose loss would disrupt the business.  Whether it is a RAID array on a server or a highly available router/firewall pair, the architecture should keep functioning even when a single component fails.  Note that redundancy only protects against failures that are independent; two devices that share one power feed or one ISP link still fail together.

Connectivity - This need is tightly integrated with its predecessors.  Whether it is to shared resources, business partners or customers, organizations are not able to function without secure connectivity.  Think of it this way: if your customers cannot connect to your website, or cannot walk into your brick-and-mortar location because the entrance is blocked, to purchase goods or services, your business will suffer significantly.

Trust - When conducting business it is vital that your customers have an acceptable level of trust in you and your technologies.  Your employees, partners and customers must trust that the information they provide you, whether an employee's Social Security number, a business partner's bank account details for automated deposits or a customer's credit card number, will be protected; if there is no such trust, they will not provide it.  In cyber security terms this equates to, among a myriad of other things, protecting your data from attackers, serving your website over properly configured TLS (SSL) connections and establishing VPN connections to business partners when exchanging data.

Optimum - When all underlying requirements have been met, the organization's cyber security posture is in its optimum state.  All parties involved can access the network; resiliency provides fault tolerance against component failure (a 99.999% uptime target allows roughly five minutes of downtime per year, which is only reachable with redundancy at every tier); there is connectivity to required resources; and trust is established using security best practices.  Employees are secure knowing their personally identifiable information (PII) and the other information they require is protected.  Business partners and customers have assurances that their data will remain confidential.
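The two claims in the Resilience and Optimum sections above (no single point of failure, and a five-nines uptime target) can be checked with simple availability arithmetic. The following Python is an added example, not code from the original post or from the Microsoft/Oxford Analytica report; the per-component availability figures and the two network layouts are constructed illustrative values, not measurements from any real network.

```python
# Added example: availability arithmetic behind "no single point of failure"
# and the 99.999% (five nines) uptime target.
# All component availabilities below are constructed, illustrative values.

MINUTES_PER_YEAR = 365.25 * 24 * 60  # 525,960


def series(*availabilities):
    """Availability of a dependency chain: ALL components must be up."""
    result = 1.0
    for a in availabilities:
        result *= a
    return result


def parallel(*availabilities):
    """Availability of redundant units: ANY ONE unit being up suffices.

    Assumes the units fail independently. Two devices sharing a power feed
    or one upstream link are NOT independent, and this formula overstates
    their combined availability.
    """
    all_down = 1.0
    for a in availabilities:
        all_down *= (1.0 - a)
    return 1.0 - all_down


def downtime_minutes_per_year(availability):
    """Convert an availability fraction into expected minutes of downtime."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def meets_target(availability, target=0.99999):
    """True if the availability reaches the target (default: five nines)."""
    return availability >= target


def analyze(tiers):
    """Evaluate a network as a chain of tiers, each a set of redundant units.

    tiers: {tier_name: [availability of each unit in that tier]}
    Returns (overall_availability, [names of tiers that are single points
    of failure, i.e. tiers with exactly one unit]).
    """
    overall = 1.0
    single_points_of_failure = []
    for name, units in tiers.items():
        if len(units) == 1:
            single_points_of_failure.append(name)
        overall *= parallel(*units)
    return overall, single_points_of_failure


# Constructed layout 1: one unit at every tier (hypothetical SMB network).
SINGLE_PATH = {
    "isp_link": [0.999],
    "firewall": [0.999],
    "core_switch": [0.9999],
    "file_server": [0.999],
}

# Constructed layout 2: the same chain with a redundant pair at every tier.
REDUNDANT_PATH = {
    "isp_link": [0.999, 0.999],
    "firewall": [0.999, 0.999],
    "core_switch": [0.9999, 0.9999],
    "file_server": [0.999, 0.999],
}


if __name__ == "__main__":
    for label, layout in (("single path", SINGLE_PATH),
                          ("redundant path", REDUNDANT_PATH)):
        avail, spofs = analyze(layout)
        print(f"{label}: availability={avail:.6f} "
              f"downtime={downtime_minutes_per_year(avail):.1f} min/yr "
              f"five_nines={meets_target(avail)} SPOFs={spofs}")
```

Running the script shows why the five-nines figure is demanding: four individually respectable components chained together with no redundancy produce roughly 27 hours of expected downtime a year, while pairing each tier brings the same chain to under two minutes. The `parallel()` independence assumption is the caveat to keep in mind; redundant units that share a failure cause do not earn this improvement.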

If you're an SMB owner/partner, IT manager or part of the IT staff, take some time to think about how your organization's security practices meet these needs.  Do they?  If not, at what level is there a problem?  If you keep reading this blog on a regular basis, I will show you how you can implement a cyber security program that does.
