Information Security vs. Cyber Security: Why knowing the difference matters more than you think
The number one question we get is “Do you do Cyber Security?” – when we know they really mean information security.
We understand why cyber security is still used when discussing the safeguarding of data. Whenever media reports on cyber attacks or incidents, they use words like cyber security. Experts will say that they are “Investing in more cyber security”, but what they are really referring to is information security instead.
That’s because information security is the inclusive management of Technical (aka cyber security), Physical and Administrative processes and tools, which makes cyber security just one piece of the overall security puzzle. What you’re defending isn’t really your devices or your network, but your information. That’s what hackers want: your data. And with cyber attacks getting bigger, and entire systems and infrastructure needing to be rebuilt after ransomware attacks, it’s imperative to understand what your business needs to safeguard your data.
There are three main pillars of information security:
Technical Protection
This is what most people think of when they hear “cyber security”. Technical Protection comprises all of the tools businesses use to keep their networks and devices secure: from firewalls, to password protectors, to anti-virus blockers, as well as secure browsers, closed networks, encrypted email and communications, etc.
But these tools are like a fence: they stop unwanted hackers, programs, and viruses (or at least slow them down), but they have nothing to do with what’s inside the fence. While important, they can only do so much.
Administrative Policies & Procedures
When an attack does happen, you need to know what to do, who to call, and how to prevent more damage from being done.
Imagine that fence, surrounding your business. It might do a good job of keeping unwanted visitors out. But that fence has a gate, and if you don’t know how to lock the gate, the entire fence might as well be useless.
To be secure, you and your employees need to know what to do when a cyber incident happens. This includes how to use the tools you have in place to keep your business secure. More importantly, you need to know how to safely save your data and information so that if hackers get past your tools, you are still secure. You need to know not to log into personal accounts on company devices. You need to know how and when to make backups of your data, and where to securely store that data so that hackers can’t reach it.
As a security firm, we can equip you with all manner of security tools. But, if your business doesn’t have effective administrative policies and procedures, it’s a losing battle.
Physical Security
In the movie Ocean’s Eleven, the thieves need to gain access to the Bellagio’s network so that the casino’s security will have no idea it is being robbed. Instead of attacking the network by computer, the thieves do something different: they use balloons to block a camera and an IT uniform to gain access to the servers. From there, hijacking the casino’s feed is as easy as pressing a button remotely.
It’s cool when it happens in the movies, but physical attacks aimed at stealing information happen all too often in real life. Physical Security measures include things like keeping doors locked, keeping your server room secure, and shredding important papers. Physical Security is a crucial, yet often overlooked, part of Information Security.