Cybersecurity vs Information security. I hear you thinking, "What? I thought cybersecurity WAS information security!" Well, yes and no. Let us start with a detailed definition or two.
Cybersecurity vs Information Security
Cybersecurity protects against attacks that arrive via cyberspace (that nebulous space we have all created to work and play in through our devices and the links between them). It covers your computers, smartphones, laptops and other hardware, as well as the means of accessing, linking and communicating through them (think LANs and the internet).
Cyberattacks may target a website your company maintains, but they are more likely to target the data your company stores and uses to run the business. This is why information security is important to understand.
Information security concerns itself with the actual raw data your company collects (such as a field requiring a date: MM/DD/YYYY) and the information derived from that data (e.g., whether that date is a DOB or a policy renewal date). This information may be stored digitally (say, on a server or in the cloud), in an analog format (think forms or photos in a file cabinet), or both (perhaps a thumb drive in a desk drawer).
It is the job of the information security staff to work with a company’s leaders to define and understand what data is most necessary to the successful completion of business tasks and how, in whatever format it exists, it should be protected.
Concerns with Information Security
The primary concerns of information security regarding data are: integrity, confidentiality, and availability.
Integrity – guarding against the improper or accidental modification or destruction of data.
Integrity is maintained by making sure only permitted persons may edit, modify, delete or destroy data (e.g., shred aged documents). It also includes ensuring authenticity (being able to verify the identity of a person or process) and nonrepudiation (making sure the sender of a message or the signer of a document cannot later deny having done so).
Examples of integrity loss are analog records not protected from environmental conditions (fire, flood, etc.) and damaged beyond use, or digital information improperly transferred or changed without approval.
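As an added illustration of the integrity and nonrepudiation points above (example code written for this edit, not part of the original article): the sample policy record, the keys and the "unauthorized edit" below are all constructed. The script shows that a plain hash stored beside the data catches accidental corruption but not a deliberate edit by someone who can also rewrite the hash, that a keyed tag (HMAC) does catch that edit, and that an HMAC still cannot provide nonrepudiation because the receiver holds the same key.

```python
import hashlib
import hmac
import secrets

# Constructed sample record (not data from the original article):
# a policy record carrying the renewal-date field the article mentions.
RECORD = b"policy_id=48213;renewal_date=07/15/2025"


def sha256_hex(data: bytes) -> str:
    """Plain hash stored next to the data. Catches accidental corruption only."""
    return hashlib.sha256(data).hexdigest()


def verify_plain_hash(data: bytes, stored_hash: str) -> bool:
    return sha256_hex(data) == stored_hash


def make_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 tag. Without the key, nobody can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_tag(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison so timing does not leak the expected tag."""
    return hmac.compare_digest(make_tag(key, data), tag)


def unauthorized_edit(data: bytes) -> bytes:
    """Simulate an unapproved change: push the renewal date out by a year."""
    return data.replace(b"2025", b"2026")


def demo() -> dict:
    key = secrets.token_bytes(32)           # shared by sender and receiver
    attacker_key = secrets.token_bytes(32)  # attacker's guess; not the real key

    stored_hash = sha256_hex(RECORD)
    tag = make_tag(key, RECORD)
    edited = unauthorized_edit(RECORD)

    return {
        # The untouched record passes both checks.
        "original_hash_ok": verify_plain_hash(RECORD, stored_hash),
        "original_tag_ok": verify_tag(key, RECORD, tag),
        # Editing the bytes invalidates both the stored hash and the tag ...
        "edited_hash_ok": verify_plain_hash(edited, stored_hash),
        "edited_tag_ok": verify_tag(key, edited, tag),
        # ... but whoever can write the data can also overwrite a plain hash,
        # so the edit goes unnoticed: a hash alone gives no authenticity.
        "attacker_replaced_hash_ok": verify_plain_hash(edited, sha256_hex(edited)),
        # The same trick fails against the HMAC without the shared key.
        "attacker_forged_tag_ok": verify_tag(key, edited, make_tag(attacker_key, edited)),
        # The receiver holds the key too, so it could forge a tag on an edit.
        # HMAC therefore gives integrity and authenticity, not nonrepudiation.
        "receiver_forged_tag_ok": verify_tag(key, edited, make_tag(key, edited)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Nonrepudiation needs a key that only the signer holds, i.e. a digital signature with a private key, so that the verifier cannot manufacture the evidence itself; the shared-key HMAC shown here deliberately stops short of that.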
Confidentiality – reserving access to data – think “need to know” – by preserving authorized restrictions to access and disclosure.
This is especially important for personally identifiable information (PII – such as social security and credit card numbers) and protected health information (PHI).
Here again, restricting access to those who need the information to perform their job duties is central to protecting the privacy of that information.
A breach of confidentiality may be brought about by human error, intentional sharing of data, malicious entry into a system or building, and so on.
Availability – ensuring that access and use of data is timely and reliable.
Availability is maintained through continuity and functionality of access procedures, backup or duplication of information, and maintenance of hardware and network connections so that data is accessible when needed by the users for daily applications and for business decisions.
As with integrity, a loss of availability can occur when networks are damaged by natural disasters or when client devices fail.
In addition, your information security personnel should be aware of the legal and regulatory requirements of your industry (such as GDPR, the European Union's data-protection law; HIPAA; and FERPA) and of the standards and frameworks that inform them (such as those published by NIST), since these shape the company's information security requirements. They should be able to develop and disseminate guidelines that tell employees how to protect business-sensitive information throughout its life cycle.
As you can see, your data damage prevention and recovery processes and your threat mitigation processes span both the information security and the cybersecurity assignments. That makes it essential for personnel from both teams to understand the needs of the other and to work closely together to develop protection protocols for your sensitive business information.
With your cyber and information security teams aligned, employees can be trained in the whys and hows of information protection and helped to understand how conscientious application of the agreed procedures creates a safer environment for your critical and sensitive business data and helps keep the business up and running. Some of those procedures are usually considered cybersecurity (e.g., strong passwords, multi-factor authentication), some are essential to information security (such as who is responsible for safeguarding sensitive physical material in an emergency), and some are both (whom to report suspicious activity to, keeping mobile devices under lock and key when not in use).
Remember, one cannot have information security without having cybersecurity but cybersecurity has no true value without an understanding of the information to be secured. And though information security covers digital data in cyberspace it must not forget the analog data lying around the company.
Plan well and take care!