Information Security vs Cyber Security: The Difference

You’ll often see the terms cyber security and information security used interchangeably. That’s because, in their most basic forms, they refer to the same thing: the confidentiality, integrity and availability of information.

But there’s a crucial difference between them that affects the way your organisation operates. In this blog, we explain what information security and cyber security are, the differences between them and how they fit into your data protection practices.

What is information security?

Information is at the heart of any organisation, whether it’s business records, personal data or intellectual property.

It can be kept in any number of places and can be accessed in many ways. You’re most likely to access data on your work computer or via paper records, but information can be found in many places.

For example, data can be held on removable disks, laptops, servers, personal devices and physical records.

It all needs to be kept safe, and the process of doing that is called information security.

Specifically, organisations are protecting the confidentiality, integrity and availability of information.

In this context, confidentiality refers to information being viewed only by authorised parties, integrity to information being accurate, and availability to information being accessible when necessary.

There are two sub-categories of information security. Organisations must protect physical assets including their premises, as well as anywhere else where sensitive information can be stored physically.

The second sub-category of information security relates to the protection of electronic information. This is cyber security.

Examples of information security

Information security covers any process or technology that’s used to protect the confidentiality, integrity and availability of information.

This can include:

  • Anti-malware technology;
  • Information security policies;
  • Access controls;
  • Staff awareness training;
  • Data protection impact assessments;
  • Key cards to enter the office; and
  • Locks for cabinets containing sensitive information.

What is cyber security?

Cyber security is a particular type of information security that focuses on the protection of electronic data.

It focuses on the measures that are used to prevent unauthorised access to an organisation’s networks and systems.

The term is often used to refer to information security generally because most data breaches involve network or system intrusion.

Criminals are far more likely to compromise information with cyber attacks – such as malware intrusion or phishing scams – because it can be done online.

Moreover, organisations typically store much more data online than in physical form, meaning there is more information to target. Additionally, technical vulnerabilities are easier to exploit and there is a much lower risk of being caught.

As such, cyber security may only be one part of information security, but it is the most important.

Examples of cyber security

Cyber security covers any process or technology designed to protect electronic data. This can include:

  • Data encryption;
  • Passwords;
  • VPNs;
  • Spam filters;
  • Multi-factor authentication;
  • Secure code review; and
  • Anti-malware software.

Where do cyber security and information security overlap?

Although we distinguish between information security and cyber security in this blog, in practice there will be a significant overlap.

For a start, any type of cyber security mechanism that’s designed to protect sensitive data can also be categorised as information security.

Password-protecting a database, for example, protects the information held within but also prevents a cyber attack.

There are also risks where physical and cyber security must be addressed. Take malicious insiders, for instance. Organisations must implement physical controls to prevent unauthorised personnel from reaching parts of the building where they shouldn’t be.

This could be a records room or a senior employee’s office where files might be left on the desk.

But the organisation must also consider the cyber security risks associated with this threat. Any digital records must be protected appropriately, such as with access controls or data encryption.

Another overlap between information security and cyber security occurs with digital records that are held on physical devices – such as USB drives or laptops.

Organisations must implement policies and processes to mitigate the risk of the device being used inappropriately. This could happen, for example, if an employee leaves their laptop unattended in an insecure location or if they use a removable device for both personal and professional purposes.

These measures should be complemented with cyber security mechanisms designed to protect the information on those devices. Organisations might encrypt sensitive files or implement a technology that enables them to remotely wipe a laptop if it’s lost.

These are just a few examples. When you assess data protection risks, you will find countless instances where you must consider information security and cyber security.

Become an information security expert

You can learn more about the risks your organisation faces and the ways you can stay safe with our Information Security and Cyber Security Staff Awareness E-Learning Course.

This online training course is the ideal way to teach your employees about data protection threats.

The content, which is certified by the UK’s NCSC (National Cyber Security Centre), helps embed effective information security and cyber security habits and reduces the risk of data breaches.

Those who take the course will learn about specific threats that they face, such as malware and phishing, and the steps that individuals can take to combat these threats.


A version of this blog was originally published on 9 August 2018.
