“Protect your corporate Crown Jewels” seems to be the modern day cyber mantra, but no one provides guidance on how to do it. So, here’s some practical advice.
Ask a room full of executives if they really know what their corporate crown jewels are and how to best protect them and the answer is most likely…”sort of.” It’s easy to get executives to agree that they have corporate crown jewels. It’s much more difficult to have them agree what those crown jewels are and what to do about them.
Consider this: According to the Commission on the Theft of American Intellectual Property, 70% of the value of publicly traded corporations is estimated to be in “intangible assets.” Of these assets, your “Crown Jewels” are your most important. These are the information, functions, and processes that would have a devastating impact if they were stolen, manipulated, delayed, or destroyed. Cyber attackers are getting much more specialized in identifying, stealing, and reselling your most valuable data. (For more on this, see our blog about Data Laundering).
Although highly valuable, your crown jewels only make up a tiny fraction of your overall data. IBM estimates this to be between .01%-2% of your total data. So, finding these needles your ever-growing data haystack may take some time.
Every company has a different opinion of what they consider critical. There are often large disagreements even within a company about what is most important. At first, individual executives may want position their information as the most critical. Then, after they realize that this means more monitoring, restriction, time, and cost, they tend want to point elsewhere for the corporate crown jewels. Also, what a company considers critical will change over time. For example, an SEC filing is highly confidential before it’s released, but not as much after it goes public. With so many factors and opinions, it’s little wonder that companies struggle to define their Crown Jewels.
Step 1: Use a Risk Framework to Identify Your Crown Jewels
A disciplined way to start identifying your crown jewels is to use a risk framework. The framework is a list of categories of the kinds of impacts that you could experience if your data is compromised. Below is an example of a risk framework that you can use to organize your discussions.
- Strategic – Data related to your planning, investing, and goals that could impact your competitive position and your ability to meet your strategic objectives
- Operational – Data about daily operations that could cause disruptions and delays, as well as your ability to deliver quality and timely products and services
- Financial – Financial information about you or customers that attackers can use to disrupt your operations or to manipulate financial transactions
- Compliance – Data that is mandated by law or required by private contracts that could carry regulatory consequences if stolen or manipulated
- Legal & Contractual – Data related to legal proceedings and contractual obligations that could carry legal repercussions if revealed, stolen, or manipulated
- Reputational – Confidential corporate information that could damage or impact your brand, customer perception, or business development activities
- Safety and Health – Data that could directly impact the health and safety of employees, partners, customers, or the general public
As you apply the risk framework, think about which data and functions would have the highest impact if they were stolen, destroyed, delayed, or manipulated. You’re looking for the showstoppers; the data that would threaten your ability conduct business.
Tips to keep in mind:
- Think beyond the obvious. Some of the Crown Jewels will be easy to spot, such as patents, financial projections, and details of key agreements. While those are important, push yourself to think about the less obvious critical data. Things like merger strategies, legal settlement details, sales data, and supplier agreements might be overlooked, but critical.
- Crown jewels can be data, but also are critical processes and functions.
- Data can be seasonal or time sensitive. A merger announcement, for example, is highly confidential until the point it’s announced.
- Focus on impact rather than the likelihood of the information being compromised – you can apply likelihood after you identify your most critical data.
- Have your executive team come up with their own list, then bring them together to discuss.
- Provide examples for each category to help your team, and clear descriptions of what is considered critical.
- Use a ranking system to help grade the severity of impact and make your team provide justifications (e.g., describe or quantify impact) for their rankings.
- Consider doing a facilitated exercise to help work through different scenarios and identify crown jewels.
- Use an expert – having an experienced guide will help you more effectively identify your critical data.
- Vet your findings with all levels of the organization – there are likely crown jewels your executive team does not see.
Step 2: Map Your Crown Jewels
Once you know what to look for, you need to map your crown jewels. Create a comprehensive inventory that includes the formats of your data, where it is stored (i.e., systems), who has access to it, where copies live, who “owns” it, how it is developed, how it is transmitted, and how it is destroyed. You need to map the full lifecycle of your critical data.
Tips to keep in mind:
- Data used to create your crown jewels can also be crown jewels. For example, individual financial analyses used to create larger strategic plans can also be considered critical.
- Remember that data can exist in many formats and in many locations (e.g., printed, with suppliers/partners, removable drives, and email). You need to map everywhere your crown jewels have been.
- Don’t forget about drafts and early versions of the crown jewels.
- Add any other relevant details to the inventory, such as time sensitivity, customer data, legal or regulatory obligations.
Step 3: Evaluate Your Vulnerabilities and Prioritize Your Risks
Once you have a clear understanding of the lifecycle of your crown jewels, you need to conduct a risk assessment to identify and prioritize your vulnerability to the crown jewels being compromised. You should consider conducting a specialized penetration test to help map your exposure. This penetration test will need to be specifically calibrated to target your crown jewels. Some companies offer advanced penetration testing. The outcome of your risk assessment and penetration test should provide insights on how to best protect your crown jewels.
Tips to keep in mind:
- The penetration test should go beyond looking at your technical systems and should include social engineering against those who handle your critical data, including senior executives, partners, and suppliers.
- Include a tabletop exercise to better understand your response to critical data.
- Remember to test and assess for data/functions/processes being stolen, delayed, destroyed, and manipulated.
- Estimate the cost of impact, when possible.
- Use experts to conduct the risk assessment, penetration test, and to translate the results into non-technical, business relevant language for senior executives.
- Assess the likelihood of various exposures – together with the impact assessment (detailed in step one), you will have a risk evaluation of your crown jewels.
- Make sure your assessments include a recommendations roadmap and cost estimates to protect your crown jewels.
Step: 4 Protect Your Data
Once you have a clear risk assessment of your crown jewels, you will need to protect them. This involves multiple disciplines, including technical capabilities, training, policies, legal enhancements, auditing, and behavioral changes. Solutions can range from data classification, to advanced threat detection. These are your most critical assets, you will need to invest to protect them.
Tips to keep in mind:
- Think about how to automatically track and control your crown jewels. This includes data classification, data watermarking, and data loss protection.
- Make sure you strictly control access to your crown jewels, including two factor authentication, micro-segmentation, automatic access expiration.
- Limit third party access to your crown jewels, including partners and customers.
- Make sure you have a comprehensive data disposal capability to destroy digital and physical versions of your crown jewels.
- You will need to focus on the people who handle your critical data. This includes higher levels of training, communications, specialized processes, specific policies, restricted access, and higher levels of monitoring.
- Pay close attention to legal and regulatory obligations related to your crown jewels.
Step 5: Track and Monitor Your Crown Jewels
You will need to continuously track and monitor your crown jewels. Develop specific reporting for your crown jewels and have your senior executive team be directly responsible for oversight and guidance of your critical data.
Tips to keep in mind:
- You might want to use predictive analytics, threat intelligence, and advanced persistent threat hunt teams to monitor your critical data.
- Consider having specialized forensic and response capabilities available for your crown jewels.
- You might need to develop specialized monitoring for your crown jewels.
- Regularly perform a critical data analysis to identify new crown jewels.
- Regularly perform specialized penetration testing and vulnerability reviews for your critical data.
- Reporting to executives should translate technical concepts and requirements into clear business terms.
If information is power, than data is king. That is why protecting your crown jewels is no longer just a good idea, it is a business imperative.