In the heart of London, a routine hospital visit spirals into chaos. Your father, scheduled for a long-awaited hernia operation at Guy’s and St Thomas’, now faces an indefinite delay. The hospital has just informed a crowd of anxious patients that all procedures are off due to a ransomware attack on their third-party service provider. Bloodwork, swabs and other pre-op tests have been compromised. This isn’t a fictional scenario – it’s a real event that unfolded on June 4, highlighting the critical importance of protecting systems against cyber threats. But what are we meant to be protecting?

At the core of these threats lies the need to safeguard the confidentiality, integrity, availability and authenticity (CIAA) of data and systems. This article dives into the key components of CIAA, providing insights into how organisations can defend against these pervasive risks.

Confidentiality: Guarding the gates

Confidentiality ensures that only authorised users and processes can access or modify data. According to the General Data Protection Regulation (GDPR), confidential data includes personally identifiable information (PII) – any data that can identify an individual, from age and ethnicity to health and financial records.

Failure to protect confidentiality can result in severe consequences. In Malta, two companies faced fines of €65,000 and €250,000 in 2022 for GDPR violations. Beyond regulatory fines, breaches can also violate contractual obligations, such as those set by the Payment Card Industry Data Security Standard (PCI DSS). Violations can result in staggering costs; for example, Equifax’s 2022 breach affected 143 million customers and cost $425 million.

The stakes are high for banks. A breach of cardholder data can lead to not just financial penalties but also operational disruptions, reputational damage and loss of customer trust. For example, Heartland Payment Systems faced a 14-month ban on processing card payments after a major breach – a potentially business-ending consequence.

To protect confidentiality, always question the necessity of storing sensitive information. Can data be referenced through an internal identifier rather than by using PII? Are there encryption processes in place to safeguard data? Such proactive measures can significantly reduce risks.

Integrity: The backbone of trust

Data integrity ensures information remains accurate and unaltered except by authorised actions. A breach in integrity can have catastrophic effects, especially in financial institutions where cyber threats like ransomware are on the rise. Attacks on financial institutions have increased from 55% in 2022 to 64% in 2023, often starting with phishing schemes or more sophisticated tactics like spear-phishing.

A typical cyberattack unfolds in six stages: reconnaissance, infiltration, account compromise, lateral movement, privilege escalation, and finally, the attack or persistence phase. The time between the initial breach and the final attack can range from days to months, during which a malicious actor could wreak havoc on systems and data.

Threats to integrity aren’t limited to external attacks. Internal factors like human error, vendor failures or inadequate change management can also compromise data integrity. It’s essential to automate data validation, promptly address data input issues and raise these risks with relevant IT and risk management units.

Availability: The lifeline of business operations

Availability ensures that systems and services are accessible when needed. Disruptions can stem from both operational failures and security incidents, affecting business operations directly. Imagine being turned away from a self-service kiosk due to a system outage, as was the case for a shopper preparing for a family BBQ during a bank’s availability crisis.

The EBA Guidelines on ICT Security and Risk Management emphasise the importance of measures to “prevent, detect and recover from disruptions to ICT services”. Availability issues can escalate quickly, affecting service delivery and business continuity. Organisations must implement automated alerts and monitoring systems to detect and address potential disruptions before they impact operations.

Authenticity: Trust but verify

Authenticity validates that data and communications are genuine and originate from a trusted source. Many cyberattacks, including phishing and spear-phishing, exploit lapses in authenticity. For instance, a privileged user on vacation might unwittingly approve a fraudulent multifactor authentication request, granting attackers access to sensitive systems.

Maintaining authenticity involves implementing controls like multifactor authentication and logging of authentication requests. However, these measures are not foolproof. Always scrutinise unexpected authentication requests, especially those received outside normal operating hours. Question why you are being asked for information and verify the legitimacy of communications through secure channels.
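As an added illustration of the logging control just described (this is example code, not the author's or any bank's system), the following Python parses a small constructed set of MFA push-request log lines and flags requests that arrive outside business hours or for users recorded as on leave. The log format, the on-leave list and the business-hours window are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, time
from typing import Dict, List, Tuple

# Constructed sample of MFA push-request log lines (hypothetical format):
# <ISO timestamp> <user> <result> <source address>
SAMPLE_LOG = """\
2024-06-03T09:12:41 jsmith approved 10.1.4.22
2024-06-03T22:47:05 jsmith approved 198.51.100.9
2024-06-04T03:15:30 adoe denied 203.0.113.7
2024-06-04T10:02:11 adoe approved 10.1.4.30
"""

# Assumed: privileged users currently on leave, as fed from HR / IAM records.
ON_LEAVE = {"jsmith"}
# Assumed normal operating hours for this organisation.
BUSINESS_HOURS = (time(8, 0), time(18, 0))


@dataclass
class MfaEvent:
    ts: datetime
    user: str
    result: str   # "approved" or "denied" by the user
    source: str


def parse_log(text: str) -> List[MfaEvent]:
    """Turn the whitespace-separated log lines into MfaEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result, src = line.split()
        events.append(MfaEvent(datetime.fromisoformat(ts), user, result, src))
    return events


def flag_suspicious(events: List[MfaEvent], on_leave=ON_LEAVE,
                    hours=BUSINESS_HOURS) -> List[Tuple[MfaEvent, List[str]]]:
    """Return (event, reasons) for each request that warrants scrutiny."""
    flagged = []
    for e in events:
        reasons = []
        if not (hours[0] <= e.ts.time() <= hours[1]):
            reasons.append("outside business hours")
        if e.user in on_leave:
            reasons.append("user on leave")
        if reasons:
            flagged.append((e, reasons))
    return flagged
```

An approved request that carries either reason is the case the article warns about and should be escalated to the user through a separate, verified channel.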

Root cause analysis: The path to prevention

When a CIAA-related incident occurs, it’s crucial to conduct a thorough root cause analysis (RCA). This process involves asking critical questions to determine what went wrong and how to prevent future incidents. Identifying human error or systemic issues without actionable insights is futile. Instead, focus on implementing effective controls, such as clear signage for wet floors or robust access boundaries.

In conclusion, safeguarding the CIAA of an organisation’s data and systems requires a proactive, comprehensive approach. By questioning processes, implementing robust controls and conducting thorough RCAs, organisations can better defend against the complex and evolving landscape of cyber threats.

John Zammit is a seasoned professional in information security with over 30 years of experience in ICT. He works at Bank of Valletta plc in ICT governance, risk and compliance. The opinions expressed in this article are those of the author at the time of writing and do not necessarily reflect those of Bank of Valletta plc. Any errors or inaccuracies are attributable exclusively to the author.
