A Tale of Two Crowns: Prioritizing and Protecting Your Most Important Assets
It was a scene that could have come straight out of a heist movie. Last Tuesday, August 2, two burglars broke into a cathedral near Stockholm and stole several of Sweden's famous crown jewels. The thieves smashed a security case, snatched the loot, hopped on bicycles, and dashed towards the shore of a nearby lake. There, the bandits jumped into a motorboat and sped away.
The stolen jewels consist of two golden crowns and a 17th-century orb, made of gold, pearls, and other precious materials. The jewels once belonged to Charles IX and his wife Christina, who ruled Sweden in the 17th century. The Swedish royal family has insurance covering the cost of the crown jewels. However, given their historical significance, these artifacts are essentially priceless -- and irreplaceable.
“It is not possible to put an economic value on them,” a police spokesman said. “These are invaluable objects of national interest.”
A Case Study Comparison: The Swedish and British Crown Jewels
This Swedish jewel heist was not an elaborate, Ocean’s Eleven-style operation. It was much closer to a simple smash-and-grab job. Security at the cathedral was weak. The building was open to the public. The jewels were protected only by a locked glass box. There were guards at the cathedral, but they were unable to detect the theft before the burglars had fled.
Compare this security posture with the one that protects the crown jewels belonging to a different European monarchy. The British royal family houses its jewels at the Tower of London. The security setup at the Tower is legendary. The crown jewels are stored behind two-inch-thick, bomb-proof glass. Visitors are closely monitored by more than 100 CCTV cameras. The facility is saturated with security personnel – a 22-strong Tower Guard, plus a private team. The Tower is also home to 38 “Yeomen Warders” – former military officers who live at the fortress full-time.
Why does Britain go to such great lengths to protect its crown jewels? Simple: The jewels are invaluable and irreplaceable. They are far more than mere tangible treasures; the jewels embody 800 years of monarchical history. If something were to happen to these relics, it would be a national tragedy.
What Do Crown Jewels Have to Do with Cybersecurity?
So you might be wondering: What do crown jewels from European royal families have to do with cybersecurity? Essentially, they serve as a useful metaphor for thinking about your company’s most critical assets. In the language of cybersecurity, “crown jewels” are assets that, if compromised, would be detrimental to your business operations, diminish your competitive edge, and cause significant financial loss to your company. Like their real-life counterparts, digital crown jewels are essential to your enterprise.
Crown jewels come in many forms, depending on your type of business. For a credit reporting company, like Equifax, crown jewels could be customer data. For a search engine, such as Google, it might be an algorithm. Crown jewels can even be a signature recipe (Coca-Cola comes to mind).
Identifying Your Crown Jewels
When you’re working to secure your organization from cyber threats, it can be tempting to try to protect all of your assets. This strategy, however, is a fool's errand. It is impossible to guarantee perfect security. Even businesses with the strongest cybersecurity programs can (and often do) still experience a breach.
Since you can’t protect everything, you have to prioritize your defense efforts. This is where the concept of crown jewels comes in handy. Take stock of all your digital data and systems and flag the ones that, if compromised, could cripple your company. Remember to consider not only the assets you need to function today, but those that will be necessary to grow the business in the future.
As you’re taking an inventory of your assets, it is helpful to put yourself in the shoes of a threat actor. These attackers might view your organization differently than you do. Assets that seem inconsequential to you could be important to them. Systems that are seemingly secure might be more vulnerable than you realize. By thinking like a threat actor, you gain a unique perspective that can help uncover critical weaknesses in your cybersecurity posture.
Protecting Your Jewels
Once you’ve identified your crown jewels, the next step is to ensure they are properly protected. In order to accomplish this, you first need to know where these critical assets are located. Think of this inventory like a fire evacuation map. These maps are posted in buildings so that, in the event of a fire, people can quickly find important locations and assets – such as emergency exits and fire extinguishers. Similarly, by carefully mapping your crown jewels, you can promptly and effectively respond to a breach.
After you’ve located your crown jewels, you can then implement preventative measures to protect these assets. You want to safeguard your jewels with the same rigor as the Tower of London. You probably don’t need Yeomen Warders. But there are a number of policies and controls that you can put in place to secure your critical assets. This can include everything from administrative controls (e.g. strong access controls), to technical controls (e.g. encryption), to physical controls (e.g. security guards).