You’ll often see the terms cyber security and information security used interchangeably.
That’s because, in their most basic forms, they have the same aim: protecting the confidentiality, integrity and availability of information. This is also known as the ‘CIA triad’:
Confidentiality: Protecting information from falling into the wrong hands.
Integrity: Making sure the information is – and remains – accurate.
Availability: Ensuring the information is accessible when needed.
But ‘cyber’ and ‘information’ security have a crucial difference, which this blog explains.
In addition, although many people default to ‘cyber security’, simply using the phrase ‘information security’ more can help improve your organisation’s security. We’ll explain how in this blog.
What is cyber security?
Cyber security looks to protect digital or electronic data, as well as the networks and systems holding or processing the information.
These days, with so much digitised information, most data breaches – and all mega breaches – involve network or system intrusion. From the perspective of most criminals, the ‘return on investment’ of cyber crime is far better than that of physical crime.
Cyber attackers can attack anyone, anywhere, from the comfort of their home. And they’re spoilt for choice about who to target: virtually every organisation holds valuable information, often in huge quantities.
So, anyone will do.
The ideas that ‘I won’t be targeted’ and ‘my data isn’t worth anything’ are misconceptions. In addition, threat actors can use automated tools to identify vulnerabilities – and therefore victims. Worse, they have tools that can automate the attacks, launching them at scale.
What’s more, the nature of digital information is that you can easily copy it. In fact, stealing it doesn’t require you to remove the data from its original location, making detection all the harder.
Bottom line: cyber security is the starting point to protect your information.
Examples of cyber security
Although cyber security focuses on the digital world, your cyber defences should cover all three security ‘pillars’: people, processes and technology.
People matter because of the insider threat: most cyber incidents involve a human element, whether that’s because someone clicked a phishing link or made a different mistake. This threat is best addressed through staff awareness training.
Processes are important because they guide staff. They tell people how to do things like report a suspected or actual cyber incident, or how to maintain your technical measures. Your documentation can also set out how to perform tasks such as secure code review.
Which leads nicely on to technology. Examples of technical controls include:
Access control, including passwords and MFA (multifactor authentication);
Anti-malware software and firewalls;
VPNs (virtual private networks);
Data encryption; and
Spam filters.
What is information security?
Information security is a superset of cyber security. It aims to protect all information, including:
Digital information;
Hard-copy information; and
Unwritten information/knowledge.
Protecting digital information overlaps with cyber security.
Hard-copy information can be any type of physical information assets – paperwork, for example. Like digital information, this must be securely collected, stored, processed and destroyed.
Unwritten information is perhaps the most overlooked aspect of security. But the practical reality is that, often, only one person – or a handful of key people – knows how to perform a certain task.
This can be a problem, particularly where only one person knows how to do something. What will you do if they’re not available? And how will you ensure that task is performed consistently? With a ‘single point of failure’ like this, documenting the information is usually a good idea.
Why is information security important?
Information is at the heart of any organisation, whether it’s business records, personal data or intellectual property.
So, keeping it secure is vital.
That means preserving all three of confidentiality, integrity and availability. You don’t just want to prevent information from falling into the wrong hands, but also make sure you maintain access to the data, and that you can rely on its accuracy.
Remember: you often can’t do business if you lose access to your information. This makes it one of your most important assets.
The fact that criminals can extract significant value from this information means your data is an asset to them, too. The term information ‘assets’ exists for good reason – by definition, someone wants to get hold of them.
Many a time, that ‘someone’ is a business partner that’ll go through the proper channels – but not everyone will take the legal route.
Protecting yourself is in your organisation’s best interests. While this might cost, it’ll prove far cheaper than experiencing an information security breach and having to deal with the operational, financial and reputational damages that follow.
Examples of information security
Information security covers any process or technology that protects the confidentiality, integrity and availability of information.
This includes the cyber security measures discussed earlier.
In addition, you can look at physical security controls such as:
Physical security monitoring (CCTV, security guards, etc.);
Locks for cabinets containing sensitive information; and
Key cards for entering the building.
As to undocumented knowledge, as mentioned earlier, the best precaution you can take is to document it – particularly where you’d be in trouble if you lost access to it.
For more ideas on information security measures, take a look at a best-practice standard like ISO 27002. This is the companion standard to ISO 27001, the international standard for information security management, and provides detailed implementation guidance on the 93 information security controls listed in ISO 27001’s Annex A.
Benefits of defaulting to ‘information security’ rather than ‘cyber security’
The trouble with the term ‘cyber security’ is that it sounds technical. Many people assume anything ‘cyber’ is an IT problem – not their concern.
This is incorrect.
Again, most incidents involve a human element – people making an honest mistake that causes a security breach. Anyone who can access sensitive data is responsible for security. Staff training can help make this clear to your employees, especially non-technical staff.
As Damian Garcia, head of GRC consultancy, explained:
I’m not keen on the term ‘cyber security’ – I much prefer ‘information security’.
Because if you say ‘cyber security’, most people – and organisations – will default to: “Oh, it’s IT. It’s technical. I don’t need to worry about it – someone else is dealing with it on my behalf.”
By extension, studies show that unless you make IT security explicit, people will assume that the security is happening in the background, and they’re still protected – even if the antivirus or padlock symbol isn’t showing.
Again, unless you explicitly teach them otherwise, people will assume that security isn’t their responsibility. Especially cyber security.
But simply changing the terminology to information security or data security already makes it seem like something a non-technical employee – especially senior management – might be responsible for.
Address your information security and cyber security risks
You can learn more about the risks your organisation faces and how to stay safe with our Cyber Security Staff Awareness E-Learning Course.
The content, which is certified by the UK NCSC (National Cyber Security Centre), helps embed effective security habits and reduces the risk of data breaches.
Teach your staff what security is, the consequences of a cyber attack and why security is everyone’s business. Empower your staff to spot malicious activity, and to know what to do if they see a problem.
Don’t take our word for it
Here’s what our customer Kelly-Anne said:
Fantastic course, accessible by all abilities and provides a great overview of cyber security in language that is understandable and helps staff really understand their role in the cyber security of the organisation, well received by all staff and have received extremely positive feedback.
And customer Jon said:
Easy to navigate. Staff have enjoyed the interaction, and the passmarks achieved show a high level of interaction with the content.
We originally published a version of this blog in August 2018.
The post Information Security vs Cyber Security: The Difference appeared first on IT Governance UK Blog.