As a person who has spent the majority of my life experiencing amazing advances in technology all around me, I occasionally find myself losing touch with the sense that all of this technology is based on ideas that have existed for millennia. I find this to be especially true in one of the areas I deal with on a daily basis: Cybersecurity.
Most of us usually think of Cybersecurity as something that’s only been around for the last 15-20 years. We consider these subjects new, and occasionally foreign, animals that we’re trying to figure out how to deal with and to create effective controls for. However, the basic tenets of Cybersecurity (based on traditional Information Security) are really not so new and foreign as we may imagine. The basis of Cybersecurity is the notion that people, organizations, governments, etc. have objects (information, people, or physical items of value) that other people want to acquire and that we must use technology to protect.
HOW STRONG ARE YOUR CONTROLS AGAINST CYBERSECURITY THREATS? DON’T WAIT UNTIL IT’S TOO LATE TO FIND OUT. CONTACT OUR RISK ADVISORY SERVICES TEAM
This idea of what is old is new again was highlighted for me recently when I was listening to a podcast discussing ancient Assyrian battle tactics (Dan Carlin’s Hardcore History: King of Kings I), and the reasons the Assyrian empire went from a tiny backwater village with practically nothing, to an empire with one of the most advanced armies of its day within a generation. One reason, according to the podcast, had to do with the army’s horse-mounted cavalry and its ability to basically break the wall of the opposing army’s infantry, which brought confusion and heavy losses to the opposing side. This confusion would allow the Assyrian army to generally crush the opposition quickly with fewer losses to the Assyrian infantry. Since this cavalry was a serious advantage the Assyrians had over other empires at the time, the knowledge of how to feed and care for horses, their living war technology, was considered a state secret and to be protected at all costs. Today, the concept of living and dying to protect the secret of caring for horses seems ludicrous, but we can certainly draw parallels between the ancient need to restrict access to knowledge that could lead to a loss of something invaluable with our modern use of technology to do the very same thing.
Something else about that story also struck me: the Assyrian stable masters’ ability to isolate and identify the object they wanted to protect, then, the methodical way they went about protecting it. This involved creating a horse master guild that shared word-of-mouth instructions on how to correctly breed for the most desirable traits in a war horse as well as information on ensuring horses stayed healthy during long campaigns and marches. Only a select number of men were chosen to be in the guild, which on could argue was an early version of a discretionary access control method.
Today, organizations can find themselves so distracted with the fear of doing too little with respect to addressing Cybersecurity concerns that the pendulum can often swing too far in the other direction. The belief can creep in that we have to protect everything using the most innovative and advanced tools available to us that typically come with a serious price tag, and that isn’t always fiscally feasible. It can be helpful to take a moment to refocus our efforts by asking ourselves some simple questions:
- What am I trying to protect? – This won’t be the same for every organization and can run the gamut from horse hoof supplement recipes to sensitive financial information.
- Who would most want what I’m trying to protect? – Again, this won’t be the same for everyone, which is why it’s important to identify this in relation to your organization.
- What methods could possibly be used to attempt to access what I’m trying to protect? – Since the object you’re trying to protect, and the “who” you’re trying to protect it from will be different depending on who you are, the methods that could be used to attempt to gain access to that object will also be different. This will dictate where you choose to focus your spending on protective and productive solutions.
- What tools can I use to prevent unauthorized access? – Following the same logic of the questions above, there’s a big difference in the tools used to prevent the theft of an antiquity displayed in a museum versus the tools used to protect PII information stored digitally on an organization’s server.
While these questions aren’t meant to be the only method you use to address Cybersecurity concerns in your organization, hopefully they’ll provide food for thought and a fresh perspective on how to refocus your own approach to protecting what is most valuable to you.
Laura is a Manager with YHB and serves on the Risk Advisory Services Team. Laura focuses on assisting organizations in a variety of industries with IT-related audit and consulting services.