Information security, also known as InfoSec, is the practice of managing risk to the confidentiality, integrity and availability of information through administrative, physical and technical controls. It involves the processes and tools implemented to safeguard information from unauthorized access, alteration, disclosure or destruction. As such, it encompasses a variety of security tools, solutions, and processes designed to safeguard information across devices and locations. Together, these help businesses and individuals defend against cyber attacks and other forms of cyber incidents.
What is the difference between information security and cyber security?
Information security safeguards all forms of information, such as digital data, physical documents, and intellectual property. Cyber security, by contrast, is a subfield of information security that focuses on the technical controls involved in defending computer systems and networks. Here’s a breakdown of the difference between the two.
Consider what a company needs to defend. It’s not just about the technology, but the protection of all information. That’s what hackers want: data, data and more data. Therefore, all aspects must be addressed, including administrative policies (such as cyber awareness training) as well as physical measures.
Whenever media reports on cyber attacks, they use “cyber security” frequently when describing the attack. Experts will say that they are “investing in more cyber security”, but what they should really say is “information security” instead. This is because it’s a broader, better term than cyber security.
The three categories of information security are:
Technical Protection
This is what most people think of when they hear “cyber security”. Technical Protection comprises all of the tools businesses use to keep their networks and devices secure: firewalls, password managers, anti-virus software, secure browsers, closed networks, encrypted email and communications, and so on.
But these tools are like a fence: they stop unwanted hackers, programs, and viruses (or at least, they slow them down) but they have nothing to do with what’s inside the fence. And while important, they can only do so much.
Administrative Policies & Procedures
When an attack does happen, you need to know what to do, who to call, and how to prevent more damage from being done.
Imagine that fence, surrounding your business. It might do a good job of keeping unwanted visitors out. But that fence has a gate, and if you don’t know how to lock the gate, the entire fence might as well be useless.
To be secure, you and your employees need to know what to do when a cyber incident happens. This includes how to use the tools you have in place to keep your business secure. More importantly, you need to know how to safely save your data and information so that if hackers get past your tools, you are still secure. You need to know not to log into personal accounts on company devices. You need to know how and when to make backups of your data, and where to securely store that data so that hackers can’t reach it.
As a security firm, we can equip you with all manner of security tools. But, if your business doesn’t have effective administrative policies and procedures, it’s a losing battle.
Physical Security
In the movie Ocean’s Eleven, the thieves need to gain access to the Bellagio’s network so that the casino’s security will have no idea they are being robbed. Instead of attacking the network by computer, the thieves do something different: they use balloons to block a camera, and an IT uniform to gain access to the servers. From there, hijacking the casino’s camera feed is as easy as pressing a button remotely.
It’s cool when it happens in the movies, but physical attacks aimed at stealing information happen all too often in real life. Physical Security measures include things like keeping doors locked, keeping your server room secure, and shredding important papers. Physical Security is a crucial, yet often overlooked, part of Information Security.
Key principles of information security
Confidentiality
Information security involves many aspects that contribute to the overall safety of your data. Keeping your data secure and confidential is imperative to security. One way to accomplish this is by granting access only to the files and information that are strictly necessary for a person’s role. Examples: HR files accessible only to those in the HR department, finance information accessible only to the finance team, etc.
Another method of keeping files confidential, as well as secure, is through zero-trust architecture. This eliminates implicit trust throughout an organization with the principle of “never trust, always verify”.
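The department-scoped access rule and the “never trust, always verify” principle above, as an added example that is not part of the original article: a default-deny check where the resource classes, departments, users and device/MFA attributes are all constructed for illustration, and every decision is written to an audit log so denials can be reviewed.

```python
# Added example (not the firm's code): default-deny, department-scoped
# access decisions in the spirit of least privilege and zero trust.
from dataclasses import dataclass, field

# Constructed policy: each resource class lists the only departments that
# may read it. A resource class that is not listed is denied to everyone.
POLICY = {
    "hr": {"hr"},
    "finance": {"finance"},
    "public": {"hr", "finance", "engineering", "sales"},
}

@dataclass
class Principal:
    user: str
    department: str
    mfa_verified: bool      # "always verify": no fresh MFA means no access
    device_managed: bool    # zero trust: an unmanaged device is not trusted

@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

def authorize(p: Principal, resource_class: str, log: AuditLog) -> bool:
    """Allow only when every condition holds; record every decision."""
    allowed = POLICY.get(resource_class, set())   # unknown class -> deny
    reasons = []
    if not p.mfa_verified:
        reasons.append("mfa_missing")
    if not p.device_managed:
        reasons.append("unmanaged_device")
    if p.department not in allowed:
        reasons.append("department_not_permitted")
    decision = not reasons
    log.entries.append((p.user, resource_class,
                        "ALLOW" if decision else "DENY", reasons))
    return decision

def denied_count(log: AuditLog) -> int:
    """Number of denied requests, the figure a reviewer would watch."""
    return sum(1 for e in log.entries if e[2] == "DENY")

if __name__ == "__main__":
    log = AuditLog()
    alice = Principal("alice", "hr", True, True)
    bob = Principal("bob", "finance", True, False)
    print(authorize(alice, "hr", log))        # HR reading HR files: allowed
    print(authorize(alice, "finance", log))   # HR reading finance: denied
    print(authorize(bob, "finance", log))     # right team, unmanaged device: denied
    print(authorize(bob, "backups", log))     # unlisted resource class: denied
    for entry in log.entries:
        print(entry)
```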
Data Integrity
What is data integrity and why is it important? Data integrity is a principle and procedure that ensures an organization’s data is accurate, complete, consistent, and valid. Adhering to this process not only preserves the data’s integrity but also ensures that the information in the database is precise and correct.
Ensuring and upholding data integrity can help organizations avoid the time, effort, and expenses associated with making bad decisions based on incomplete information. Ultimately, those decisions are only as reliable as the data they rely on. Any compromise in the integrity of data can lead to long-lasting and extensive negative consequences.
Accessibility
Another key principle to information security is keeping data both secure and accessible. The technical protections in place should still allow for a smooth flow of information.
This is where the management of IT impacts security in a big way. Your systems should run seamlessly while keeping your data secure, including secure browsers, encrypted email and communications, closed networks, etc.
IT and security working together will collectively help reduce your downtime in the event of a disruption or cyber incident.
Common Misconceptions
Cyber Criminals Wear Hoodies
When most people think about hackers, they picture a mysterious person in a black hoodie in a basement somewhere, when the reality is that most of the hackers today are bots and programs designed to find vulnerabilities in a system. This means that you don’t need to be targeted to become a victim of a cyber-attack; you just need to be found.
“They don’t want MY data”
Another thing people think is “I don’t have any sensitive information that would be useful to attackers”. This is a huge misconception, because attackers can still block you from accessing your data until you pay up, regardless of whether they would be able to use or sell the information. Contact information for companies and individuals is very sensitive information.
With this material, the attackers can impersonate your company. After that, they can contact these clients and request more information that puts their company at risk. So, a company that isn’t protected against cyber threats puts all their clients and other contacts at risk, in addition to themselves.
Information security is managed by IT professionals
It’s common to think that IT and Information Security are the same thing. But IT departments may not have the ability to keep you as secure as you need to be. Effective IT management helps your business function as efficiently as possible. And information security is about keeping everything secure while being productive and efficient.
Files in the cloud are automatically secure
Files stored in the cloud are not safe by default. If anyone can access your computer, they can get access to what information you have in the cloud. Businesses need to protect files stored in the cloud just as much as files stored on site.
What information security analysts do
Information security analysts use their expertise to protect and secure data through technical, administrative and physical controls. Key skills for security analysts include being able to understand, configure, optimize, and troubleshoot systems such as: MFA, SSO, EDR, MDR, SIEM, SASE, Application Allowlisting, Zero Trust Environments, Firewalls, Switches, APs, Virtual and Cloud infrastructure, Network & Domain Monitoring, RMM, M365, GWS, Azure, Backup, Servers, Workstations, Mobile. All things cyber & networked.
Information security analysts also need strong communication and administrative skills in a variety of ways. They need to be able to clearly explain to executives, IT staff, and other employees how they can recognize, avoid, and effectively handle potential cyber incidents. This includes creating, presenting, and overseeing information security plans and protocols, and they may also manage departmental budgets.
Being able to also strategize and implement physical security controls is crucial in the overall picture of information security. This could include access control cards, biometric access control systems, surveillance cameras, data center perimeter fencing and intrusion detection sensors.
What Chief Information Security Officers do
Chief Information Security Officers (CISOs) have a designated role within organizations to spearhead information security management. They advise on critical decisions, understand security threats, and optimize processes as an executive/board-level resource. They also manage security strategies, budgets, risk reviews and regulatory programs.
This could look like hiring a full-time Chief Information Security Officer, with salaries of $250K+ per year – or, alternatively, an organization can outsource this position to a security firm with a Virtual CISO (vCISO) service offering.
vCISOs have become a critical asset in putting organizations in the right position to navigate the landscape of information & cyber threats.
Where to start
Without the right guide, establishing and maintaining security defence measures can be difficult in the face of new and evolving cyber crime. There are three effective ways to establish the baseline knowledge needed to address business security:
The cost will vary depending on the depth of each assessment and testing, but it is money well invested. As we like to say, “an ounce of information security is worth a pound of financial loss.”
Recent examples of why information security is important
Cyber attacks are growing more common and easier to execute, especially with the evolution of AI. Tools used to commit illicit acts are becoming cheaper and user-friendly. There’s even ransomware-as-a-service as a business model.
The City of Hamilton, the RCMP, Global Affairs Canada and Canada’s financial intelligence unit FINTRAC have all had high-profile cyber incidents since the start of 2024. There have been countless more in the private sector – and those are just the ones that made the news!
Last year, businesses in the manufacturing sector were targeted significantly more than other sectors with 47% of respondents saying they experienced an attack; followed by construction (38%) and healthcare + pharma sectors (35%). Interestingly, only 18% of organizations in the public sector have been impacted by ransomware. (Reference: Palo Alto Networks Canada, 2023)
Wrapping up…
One of the main reasons why information security is so important is because of the devastating impact a successful cyber-attack can have. From immense financial loss to tremendous reputational damage, a cyber incident can be detrimental to a company. By implementing strong information security, including compliance with your own policies and procedures, you can significantly reduce your cyber risk.
The potential financial losses caused by a cyber-attack are an unsettling thought to any company. But it’s important to be able to estimate your total potential liability from a cyber incident to ensure you have the correct amount of insurance. With Birmingham’s free cyber liability calculator, you can calculate your company’s overall potential financial risk.