Enough about secrecy! What about the other stuff?

I’ve spent a lot of this year talking about confidentiality. That’s what most people mean when they talk about “cyber-security”: keeping secret stuff secret. Which is, of course, important. But in the security biz we talk about three aspects to security: confidentiality, integrity and availability. Fun fact: we’re told to teach this as availability, integrity and confidentiality on the Continent, to avoid the unfortunate acronym.

Integrity is the business of keeping your data correct – which is to say consistent with reality. In some senses this is the most important aspect of security. After all, if you lose your data (but have backups) you can be back in business. If you lose your secrets it’s embarrassing and expensive but not usually fatal. But if your data’s[1] wrong, there may be no way back. If the error, or the deliberate alteration, goes back far enough you lose trust in your whole dataset. There was a good example of this recently, when it was revealed that the UK’s online divorce system (that’s a thing? who knew?) turned out to have an error dating back more than a year which means many divorce settlements may need to be revisited. Won’t that be fun?

Maintaining integrity is hard. It involves a wide variety of checks and a lot of discipline, and can only be partly automated. Much of the work needs to be done at the design stage, and is hard to retro-fit – like most security, it’s better baked-in than iced-on. The people who know about this best are accountants – this is what double-entry book-keeping was designed to achieve. So get them involved outside the finance department in helping you design the best way to validate your data.
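To make the double-entry point concrete, here is a small worked example, added to this page and not part of the original post: a toy ledger in which every transaction must post debits and credits that sum to zero, so that a single altered record (whether an honest error or a deliberate change) breaks an invariant you can check mechanically. The account names and amounts are constructed sample data, and the ledger model is a deliberate simplification of real book-keeping.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict, List


@dataclass(frozen=True)
class Posting:
    """One line of a transaction. Positive amounts are debits, negative are credits."""
    account: str
    amount: Decimal


@dataclass
class Transaction:
    ref: str
    postings: List[Posting]

    def is_balanced(self) -> bool:
        # The double-entry invariant: debits and credits cancel out exactly.
        return sum((p.amount for p in self.postings), Decimal("0")) == 0


class Ledger:
    def __init__(self) -> None:
        self.transactions: List[Transaction] = []

    def post(self, txn: Transaction) -> None:
        """Validate at the point of entry: unbalanced transactions are never stored."""
        if not txn.is_balanced():
            raise ValueError(f"{txn.ref}: debits and credits do not balance")
        self.transactions.append(txn)

    def balances(self) -> Dict[str, Decimal]:
        totals: Dict[str, Decimal] = {}
        for txn in self.transactions:
            for p in txn.postings:
                totals[p.account] = totals.get(p.account, Decimal("0")) + p.amount
        return totals

    def trial_balance_ok(self) -> bool:
        """A periodic check over stored data: all account balances must still sum to zero."""
        return sum(self.balances().values(), Decimal("0")) == 0

    def find_unbalanced(self) -> List[str]:
        """Locate which stored transaction(s) no longer balance."""
        return [t.ref for t in self.transactions if not t.is_balanced()]


def try_post(ledger: Ledger, txn: Transaction) -> bool:
    """Return True if the transaction was accepted, False if rejected as unbalanced."""
    try:
        ledger.post(txn)
        return True
    except ValueError:
        return False


def build_sample_ledger() -> Ledger:
    """Constructed sample data: three balanced transactions."""
    ledger = Ledger()
    ledger.post(Transaction("T1", [Posting("Cash", Decimal("1000")), Posting("Equity", Decimal("-1000"))]))
    ledger.post(Transaction("T2", [Posting("Stock", Decimal("400")), Posting("Cash", Decimal("-400"))]))
    ledger.post(Transaction("T3", [Posting("Cash", Decimal("150")), Posting("Sales", Decimal("-150"))]))
    return ledger


def tamper_with_record(ledger: Ledger, ref: str, account: str, new_amount: str) -> None:
    """Simulate an after-the-fact change to one stored posting, bypassing post()'s validation."""
    for txn in ledger.transactions:
        if txn.ref == ref:
            txn.postings = [
                Posting(p.account, Decimal(new_amount)) if p.account == account else p
                for p in txn.postings
            ]


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print("trial balance ok:", ledger.trial_balance_ok())
    tamper_with_record(ledger, "T2", "Stock", "450")
    print("trial balance ok after alteration:", ledger.trial_balance_ok())
    print("transactions that no longer balance:", ledger.find_unbalanced())
```

The two checks mirror the two kinds of discipline the paragraph describes: `post()` validates at the design-time boundary, so bad data never gets in by the front door, while `trial_balance_ok()` and `find_unbalanced()` are the periodic reconciliation that catches changes made behind that boundary and tells you which record to revisit.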

Availability is the more obvious need to keep your systems functioning – and accessible – whatever life throws at you. Taken more broadly, it’s about keeping your business functioning; there’s no point keeping the lights on if no-one’s home. This is what business continuity plans (BCP) are for. Got one? Bet you don’t. If you do, bet you haven’t tested it. Or trained it into your staff. Somebody in Glasgow is probably reading this with a degree of chagrin right now, given that a single data centre failure seems to have taken almost all of their IT offline. Bit embarrassing, really, given their £1.4bn annual revenues and recent £10m of “critical ICT investment”.

You’ve got some quiet time between now and the New Year. Sod spending it with the kids, or getting sozzled on eggnog and fat on mince pies. Settle down with a copy of your BCP instead and see if you think it’s fit for purpose.

Bah. And indeed, humbug.

[1] Note to pedants: yes, data are plural. Sentences shouldn’t start with but, or and, or or. “That’s a thing” is a hideous American neologism. I know, I know. On the other hand, I maintain Churchillian discipline over dangling prepositions, and I make effective use of semicolons. I think it balances.
