You only need the internet to go down during a busy working day to remind you just how reliant we have become upon technology. With our heavy reliance on our advanced technological devices and the Internet of Things comes the need to manage the risk with a robust data security strategy.
With the advent of remote working structures, the transition to cloud-based technologies, and the ever-evolving data threats, information security has never been more important.
Both information security and cyber security are essential components of any organisation’s information risk management strategy. These terms are often used interchangeably, which can generate significant confusion, even amongst IT professionals.
Whilst they are related, information security and cyber security are not the same thing. Instead, they use different strategies and skills to achieve many of the same goals. Understanding these subtle differences is crucial when it comes to your organisation’s data security.
Put very simply, cybersecurity defends cyberspace, preventing cyber-attacks. Information security is more general; it seeks to keep all data secure from unauthorised access or alteration, whether it is stored digitally or physically. InfoSec, as it is often abbreviated, therefore encompasses the discipline of cybersecurity.
What are the differences, and the similarities, which have led to this widespread confusion?
What is the difference between information security and cybersecurity?
Today, we tend to assume the data is digital. However, information security is a general data governance practice, covering all forms of meaningful data. Information security officers create and enforce user, network and data security policies to protect company data from unauthorised access, disclosure, modification and disruption. This includes educating network users, undertaking regular IT asset audits, maintaining an upgrade programme and ensuring professional data erasure of redundant IT equipment. Their role also includes crisis response plans to ensure business continuity and recovery, should a breach occur despite their best efforts.
Information security focuses on maintaining the Confidentiality, Integrity and Availability of all valuable data, wherever it is stored, a core model known as CIA. This ensures that data privacy is protected by proprietary, authorised access restrictions (Confidentiality), that data is stored accurately and in the correct order (Integrity), and that it is reliably available to those who have a legitimate use for it (Availability).
Whilst it sits under the umbrella of information security, cyber security has a narrower focus. It only secures digital information and covers networks, programs, end-points, servers and cloud storage. By patching vulnerabilities, it protects against ransomware, malware, botnets, Denial-of-Service and social engineering attacks. Cyber security provides the first line of defence to prevent an intrusion from internal or external sources using technological methods, such as firewalls, antivirus and malware detection systems.
This digital distinction is the key difference. You wouldn’t protect the data on a smartphone in the same way you would data stored in a locked desk drawer, for example, so this is where the two disciplines differ.
An ever-increasing threat, cyber crime receives a lot of attention from the board and the media. Large cyber-attacks on multinationals make the headlines because remote cyber threats are far more likely than physical ones and can be far more damaging; the EU and UK GDPR can impose tough penalties on those who fall short of their requirements.
Cyber criminals are continuously finding new methods to get their hands on our most valuable data, with attack attempts surging during the pandemic. Security and risk management spending grew 6.4% in 2020. Reflecting digital transformation, the growth of cloud technologies and the move to hybrid working practices, the latest forecast from Gartner reports that global spending on information security and risk management technology will grow by 12.4%, reaching $150.4 billion by the end of 2021.
What are the similarities between information security and cybersecurity?
Despite their differences, physical security and cybersecurity are not entirely separate. Data security has evolved. It was only a decade or so ago that an organisation protected its most sensitive data in locked filing cabinets, secured by access controls. Although some industry regulations may require some documentation to remain under physical lock and key, the majority of any organisation’s highly valuable data is stored electronically on servers, desktops, laptops, and increasingly in the cloud.
Physical security and protection from unauthorised access are paramount for both disciplines. The physical access controls implemented by information security officers have changed. PIN numbers or even biometric scanners have replaced the physical padlock on the server room, and the filing cabinet key is now a strong PC password.
The two fields work collectively. For example, security policies and procedures regulating the use of devices outside of the office may prevent a laptop from being stolen, but complementary cybersecurity encryption can protect it if it is lost.
Value and prioritisation.
Without an assigned value, a piece of data is worthless. 01022001 means nothing; it is just a string of random numbers. But once it is identified as a date of birth, the data takes on a new and highly valuable meaning.
Information security officers define critical information, whilst cybersecurity teams protect it. Using the CIA process, information security can prioritise which data is of the highest value and could be the target of a physical or cyber-attack. Therefore, information security will assist cybersecurity teams, helping them prioritise valuable data, so they can determine the best ways to secure it, giving it the highest level of protection.
Data security efficiency.
An efficient data security strategy requires both policy and technology. Network and application security and critical infrastructure technologies should run alongside enforced procedural strategies, such as password and access control compliance and user awareness programmes. Operational policies, such as an IT asset disposal policy, ensure the correct procedures are followed and maintain your corporation’s regulatory data protection and WEEE compliance.
Whilst the general principle of implementing controls that limit data access is the same for both information security and cybersecurity, the methodology varies. Understanding the subtle differences between the two disciplines is the first stage in protecting IT systems from unauthorised access in a manner appropriate to each form of data.
Despite the differences in the extent of their focus, the two fields are highly complementary: both protect company data from being stolen, accessed, altered or deleted. Threats are not all technology-based but come from a variety of sources. Working in partnership, both security teams can answer the crucial question: what is our most critical data and how do we protect it?
Inadequate data destruction is one of the key challenges for data governance and is one of the biggest ITAD mistakes. 47% of UK businesses do not erase their data correctly, leaving themselves open to a data breach and a potentially devastating fine from the Information Commissioner’s Office.
Through our range of data wiping services, environmentally friendly ITAD and operational support services, tier1 Group helps information security officers and cyber security experts protect company data. Our secure IT asset disposal and data destruction services ensure your legislative compliance: each professionally sanitised asset has its own ITAD chain of custody and IT asset disposal accreditation certification to prove it.
Find out how tier1 can help – contact us on 0161 777 1000 (Manchester), 01621 484380 (Maldon) or visit www.tier1.com/contactus
Sources: Gartner Inc, IT Chronicles, IT Governance, Bit Sight, Security Scorecard, The Indian Institute of Management, Upguard, simplilearn.com