Part 1 – Your Organisation’s Cyber Security Journey – The Asset Log
Welcome to Tetrabyte’s simple multi-part monthly series on cyber security for small business. We guide you through the key elements in understanding your business and creating plans to manage your cyber security.
How to begin
Step 1 is your Organisation’s Asset Log.
Starting your Cyber Security journey can be totally free. Our first step will not only help you with Cyber Security, but also ensures you know where your hardware is and where to look if someone makes a GDPR subject access request (SAR), and helps you understand the spread of your company data.
An asset log creates a record of everywhere you store and share data. This might seem obvious at first, but the more depth you go into, the more you will realise how quickly your data has spread. This first step is critical though: unless you understand where your data is, you can’t secure it!
We have created a simple, handy template for you to start with. Download it from our website in the link below: no sign up, no tricks.
Your first month’s challenge is to understand where your data is being stored.
Template Walkthrough
Whether you create your own or use the template provided, the walkthrough below covers the critical information to gather and why.
1) Hardware
Understanding your hardware is important, and we are not just talking about Desktops and Laptops. It’s important to list Servers, Printers, Networking Switches, Routers, Firewalls, and anything else connected to your network. By understanding your hardware you start to build a picture of where data is stored: computer servers, backup drives, user laptops, mobile phones with emails and files. We then extend this to alternative risks: Printers, Switches and Routers all pose a risk and open attack vectors if they are not in support and up to date. By listing them all out, we can start to acknowledge what we have and understand where to look for risks.
We are looking to log the unique identifiers, make, model and serial numbers, who is looking after each item and where it currently is.
Week One Challenge – Download the template and fill out the Hardware tab today to start your journey. Spend your week adding to it with everything around the office, and ask staff to send you details of any nearby hardware. You’re looking for ANYTHING that stores data or connects to the cabled or Wi-Fi networks.
2) Physical Storage
Threats aren’t always digital, and this exercise integrates so well with GDPR/Data protection requirements that we might as well include Physical Storage too. Understanding what paperwork you have around the office allows you to take a moment to consider physical security: is that HR paperwork in a locked cabinet or Suzie’s desk drawer? If someone submits a subject access request, do you know where to look?
Week Two Challenge – Download the template and fill out the Physical Storage tab. Walk through your office and consider who works from home or mobile offices. Review where everyone stores data from filing cabinets to notebooks.
3) Digital Storage
Files and data are not just stored on your hardware; with the modern workplace and mobile working we are increasingly reliant on cloud systems. Start to consider where you store computer files and who should have access to them, and consider Backups and USB devices. By listing these out you start to formally recognise the spread of data. How can you ensure data on USB drives is secure if you forgot that staff were even using that USB drive? What happens if someone loses the USB and you don’t remember its existence?
4) Online Systems
Online systems let you start to consider what you use as a business and where you’re storing data online. This can be everything from Emails, Teams Chat Messages, and Bookmark and browsing history sync to your accounts software. You might wish to combine these tabs or keep them separate, depending on what you feel is best. You now need to start looking at EVERY website you have ever signed up to and every service that you have a login for.
Week Three Challenge – Download the template and review your online systems, considering where you’re storing and sharing files and data in general. Start by searching any password managers you use, such as Google Chrome Passwords or BitWarden. Then look through your web history: what sites have you been using, and what sites have your staff been using? Emails are another great source: look for mailing lists that you’re on from sites you looked at once 5 years back, and look for welcome and sign up emails for new services. Lastly, think about software you have installed and whether it requires logins and/or subscriptions.
5) Third Party Data Sharing
This should be your last data storage location; technically it’s not even yours. Understanding who your organisation shares data with is key for security. Establishing trust, contractual obligations and providing informed consent to staff and customers around sharing is important. This will help with understanding what your risks are in the event that any third party experiences a data breach. You’ll know if you use them, what they have and what your own exposure may be.
Week Four Challenge – Download the template and review who you share data with, how it’s shared and why. Speak to all your teams and web developers, and be as comprehensive as possible.
That’s a wrap
Once complete, you now have a deeper understanding of your organisation’s data and your exposure. Most businesses running this review find a surprising number of systems and data spread. You should now be getting a good understanding of how your business has grown over time and how lots of little online accounts create exposure over a vast area.
What next
For now, you can file this away and wait for the next part in the series. But if you’re eager to move forward, the next step is minimising and understanding how your security currently works.
- Do you really need to be sharing and storing data in all these locations?
- Can you consolidate services and reduce your attack surface?
- How is data secured within each location: passwords, multifactor authentication, data security policies, access controls?
If you like this start and want a jump start on your security, Tetrabyte offer free security reviews for your business to all our customers. Contact our team today to join up or book in your full review.
