IT has evolved at an unrelenting pace in the past decade. As a result, cyber security has become the need of the hour. This is especially true as IoT, Big Data, and AI have become deeply rooted in every aspect of human life.
Most people believe that deploying technical controls such as IDS, IPS, firewalls, anti-virus, and a DMZ makes them as safe as they can be. This has fed the misconception that technical security is the same thing as information security.
What is scarier is that in over a decade of delivering consultancy and corporate training on information security, I have come across professionals who believe Information Security and IT & Cyber Security are synonymous.
So, without further ado, let’s debunk this myth once and for all.
First off, however, let’s have a refresher course on the main three terms used throughout this article: Information Security, IT Security, and Cyber Security.
What is Information Security?
Before defining information security, you need to understand that information is an ‘asset’ in the same sense as capital, infrastructure, and people. It is considered an asset because it offers significant value to an organization.
As an asset, its compromise may lead to seriously undesirable consequences, including loss of reputation, customers, and revenue. Organizations may also face regulatory consequences such as hefty penalties for non-compliance.
Types of information assets available in any organization
Understanding the current fast-paced growth of the Threat Landscape
The biggest current challenge for organizations is keeping their data secure while its value and volume grow many-fold daily. This is especially difficult given the widespread use of smart devices and business applications that access, store, and process data across every modern enterprise.
This challenge puts more pressure on organizations to stay ahead of the changing threat landscape. Some of the most common threats to be prepared for include:
- Organized cyber attacks
- Unauthorized access
- Tampering with information, or information loss
- Equipment ageing or malfunction
- Malware infection (viruses, trojans, worms, spyware)
- Attacks in the form of hacking, cracking, spamming, social engineering, or phishing
- Software errors and degraded performance
- Loss of information or knowledge when staff resign or are terminated
- Damage caused by a third party
- Natural disasters and physical and/or environmental hazards
As you can see, these threats are not only related to technology. They also involve people, process, and supplier components.
- About 2 in 5 companies have over 1,000 files accessible to every employee, including files with sensitive information.
- Between humans and machines, roughly 300 billion passwords will be in use worldwide by 2020.
- Personal data can be purchased for anywhere between $0.20 and $15.00.
- Credit card information sells for much more than other kinds of personal data.
- In the event of a data breach, it typically takes companies over 6 months to notice. A breach that goes unnoticed for that long leaves your information exposed for the whole period.
- Your exposure to attack is determined in part by which companies you trust with your information.
The most common security gaps
Most organizations and their professionals leave security to the IT department or a service provider. As a result, gaps begin to appear in the non-technical parts of security, and if they are not closed in a timely manner, the repercussions follow.
Some of the common security gaps include:
What organizations should do
As information is an asset, it requires suitable protection. This is especially important in the current threat landscape.
Information Assets should be secured with the goal to maintain their Confidentiality, Integrity & Availability. Therefore, Information Security entails protecting information and information systems from unauthorized access, use, disclosure, disruption, modification, and/or destruction.
What is IT Security?
IT security refers to securing digital data through technical controls like network security, IDS, IPS, and firewalls. SANS Institute, however, defines this term best:
IT Security is the process of implementing measures and systems designed to securely protect and safeguard information utilizing various forms of technology developed to create, store, use and exchange such information against any unauthorized access, misuse, malfunction, modification, destruction, or improper disclosure, thereby preserving the value, confidentiality, integrity, availability, intended use, and its ability to perform their permitted critical functions.
- More malware is being launched than ever before – 230,000 new malware samples/day.
- Hacker attacks occur every 39 seconds.
- The average cost of a data breach was forecast to exceed $150 million by 2020.
- Since 2013, 3,809,448 records have been stolen from breaches every day. This amounts to 158,727 per hour, 2,645 per minute, and 44 every second of every day.
- By 2020, there will be roughly 200 billion connected devices.
What is Cyber Security?
Cybersecurity is all about cyberspace. According to ISO/IEC 27032:2012, cybersecurity is the:
preservation of confidentiality, integrity and availability of information in the Cyberspace, where Cyberspace is the complex environment resulting from the interaction of people, software and services on the Internet by means of technology devices and networks connected to it, which does not exist in any physical form. It also includes application services provided over the Cyberspace.
Based on this definition, the term primarily covers network security, services security, and critical information infrastructure protection (CIIP) for systems exposed on the internet.
- Criminals are using smart home devices to exploit individuals.
- By 2021, cybercrime could cost the world $6 trillion a year.
- Information loss accounts for 43 percent of the cost of cyber attacks.
- Data loss occurs during hacks. If the information belongs to third parties, restoring that lost data can be incredibly expensive.
- Around 53 percent of millennials experienced cybercrime in the last year.
- The amount of malware (malicious software) installed on Android platforms has increased by 400 percent.
Debunking the myth ‘Information, IT, and Cyber Security are the same’
Most people believe that IT security is everything. The definitions and explanations above show that by implementing technical controls you cover only the technical aspect.
- What about the policies and processes to manage this technical security?
- What about the people (i.e. staff) who are accessing the information systems and using them? People are, unfortunately, the weakest link in information security. Untrained staff, especially, is the biggest source of information security threats.
- Finally, what about the vendors who access your data and information, and visit your premises for service delivery? Do you have any mechanism to identify and check the security requirements of your regulators and customers?
Thin line between Information Security, IT Security & Cyber Security
- Information security provides a framework or a bigger picture to secure all information assets related to people, processes, technology, and supplier components for IT and non-IT assets. Examples include information asset management & access control, human resource security, physical & environmental security, and network & communication security.
- IT Security deals with technical controls, and how well they are implemented and managed. Examples of IT security are IDS, IPS, and Firewalls.
- Cyber security is a component of IT Security which primarily covers the risk of being exposed in the internet world, where you share, exchange and store your personal and official data. Some examples include social media and cloud-based application services.
The reality is that Information Security is the umbrella under which both IT security and cybersecurity controls sit and are governed.
An Information Security Management System (ISMS) provides a framework that helps identify the risks pertaining to people, processes, technology (including cybersecurity), and vendors. It enables organizations to implement administrative, managerial, technical and legal controls.
By implementing an ISMS, you gain a single system under which all of these administrative, managerial, technical and legal controls are identified, implemented, and reviewed. This, in turn, lets you manage and control the technical part (IT) while taking care of the non-technical aspects in the same process.
So, how do you keep your information assets secure?
You need a comprehensive framework that can identify, protect, detect, respond, and recover from all types of security incidents at the strategic, tactical and operational levels.
To establish such a framework, take your pick from globally recognized standards and frameworks such as COBIT, ISO 27001, the NIST Cybersecurity Framework, and the SANS/CIS Critical Security Controls.
These standards help organizations identify the components required to establish a security framework: policies, a risk management approach, procedures and SOPs, plans, and guides on selecting technical controls for network security, communications and operations security, endpoint security, and cloud security.
Establishing an ISMS with ISO 27001:2013
ISO 27001:2013 is possibly the best option if you want to formally establish and implement an Information Security Management System (ISMS) that covers IT & cybersecurity as well. (The 2013 edition has since been superseded by ISO/IEC 27001:2022, which regroups the Annex A controls into four themes; the structure and advice below apply to both.) This is one of the most popular information security standards because it seamlessly complements technical and cybersecurity standards and frameworks, while providing a unified platform on which you can confidently build up your security posture.
An ISMS delivers a systematic approach for establishing, implementing, operating, monitoring, reviewing, maintaining and improving an organization’s information security to achieve business objectives. It is based on risk assessment and the risk acceptance levels designed by the organization to effectively treat and manage risks.
ISMS in a nutshell, from the perspective of ISO 27001:2013
By using ISO 27001:2013 to implement an ISMS based on a risk management approach, the biggest advantage you receive is the ability to establish administrative, managerial, technical, and legal controls.
Although ISO 27001:2013 is a non-technical standard, its control areas extend to access control, cryptography, operations and communications security, and system acquisition, development and maintenance, to name just a few. As a result, it will greatly strengthen your IT & cybersecurity controls as well.
Another advantage of using this standard is that it complements other standards and frameworks like NIST, COBIT, and ISO/IEC 27032:2012. Hence, if you come across risks particular to IT & cybersecurity while performing the risk assessment, you can refer to your preferred standard for the controls and implement them under the same ISMS.
Here is a quick look at the ISO 27001:2013 Annex A controls.
More Reasons to Implement ISMS
With ISMS as part of your organization, you will be able to achieve the following:
- Identification of the current maturity level of your existing security controls
- Creation of information security objectives which you wish to achieve after investing time, money and efforts
- Setting information security policies with the approval of Senior Management
- Identification of all information assets, their owners, and their value
- Conducting risk assessment to identify threats and vulnerabilities, and prevent compromising the confidentiality, integrity, and availability of information assets
- Conducting risk treatment planning using the ISO 27001:2013 standard and by referring to IT and cybersecurity specific controls
- Design and implementation of information security procedures, roles, and responsibilities
- Implementation of a security monitoring mechanism based on KPIs and metrics
- Continual improvement of all implemented controls so that the threats and vulnerabilities associated with information assets are countered a little better every day
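The asset identification, risk assessment and risk treatment steps listed above (and the risk acceptance levels mentioned earlier) are easier to see with a worked register. The following is an added example, not code from the original article, and it is not a method prescribed by ISO 27001: the 1..5 scoring scale, the acceptance and intolerable thresholds, the sample assets and threats, and the treatment rules are all assumptions chosen for illustration. The Annex A domain labels are the ISO 27001:2013 control area titles; the four treatment options follow ISO/IEC 27005.

```python
"""Worked ISMS risk assessment: asset register -> risk register -> treatment plan.

Scoring scheme (an assumption for illustration, not prescribed by ISO 27001):
  asset value = max(C, I, A) on a 1..5 scale
  risk        = asset value x likelihood (1..5) x exploitability (1..5)
  range 1..125; the acceptance level is set by senior management
"""
from dataclasses import dataclass
from enum import Enum

SCALE = range(1, 6)  # every factor is scored 1 (low) .. 5 (high)


class Treatment(str, Enum):
    # The four risk treatment options of ISO/IEC 27005, with practitioner names.
    ACCEPT = "accept"      # retention: within the acceptance level, record it
    MITIGATE = "mitigate"  # modification: select and implement controls
    TRANSFER = "transfer"  # sharing: contract, SLA or insurance with a third party
    AVOID = "avoid"        # avoidance: stop or redesign the activity


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str           # every asset needs a named owner (Annex A.8.1.2)
    confidentiality: int
    integrity: int
    availability: int

    def value(self) -> int:
        # An asset is worth its most sensitive property, not the average:
        # a public web page with I=5 must be scored as a 5.
        return max(self.confidentiality, self.integrity, self.availability)


@dataclass(frozen=True)
class Threat:
    description: str
    likelihood: int            # how often the threat is expected to materialise
    exploitability: int        # how weak today's control is against it (5 = none)
    domain: str                # Annex A control area that would treat it
    third_party: bool = False  # arises from a vendor/supplier relationship


@dataclass(frozen=True)
class Risk:
    asset: Asset
    threat: Threat
    score: int
    treatment: Treatment


def _check_scale(*values: int) -> None:
    for v in values:
        if v not in SCALE:
            raise ValueError(f"score {v} outside {SCALE.start}..{SCALE.stop - 1}")


def score_risk(asset: Asset, threat: Threat) -> int:
    """Risk = asset value x likelihood x exploitability, range 1..125."""
    _check_scale(asset.confidentiality, asset.integrity, asset.availability,
                 threat.likelihood, threat.exploitability)
    return asset.value() * threat.likelihood * threat.exploitability


def decide_treatment(score: int, threat: Threat,
                     acceptance_level: int, intolerable_level: int) -> Treatment:
    """Apply management's risk acceptance criteria to one scored risk."""
    if acceptance_level >= intolerable_level:
        raise ValueError("acceptance level must be below the intolerable level")
    if score <= acceptance_level:
        return Treatment.ACCEPT
    if score <= intolerable_level:
        return Treatment.MITIGATE
    # Above what the organisation tolerates even with controls: a risk that is
    # really the supplier's to carry is shared contractually; anything else is
    # avoided by changing the activity that creates it.
    return Treatment.TRANSFER if threat.third_party else Treatment.AVOID


def assess(register, acceptance_level: int = 20, intolerable_level: int = 60):
    """Build the risk register, highest risk first, so treatment planning
    starts with what matters most."""
    risks = []
    for asset, threat in register:
        score = score_risk(asset, threat)
        treatment = decide_treatment(score, threat, acceptance_level, intolerable_level)
        risks.append(Risk(asset, threat, score, treatment))
    return sorted(risks, key=lambda r: r.score, reverse=True)


# Constructed sample register (assumed values): IT and non-IT threats alike.
CUSTOMER_DB = Asset("customer database", "Head of Sales", 5, 4, 3)
HR_FILES = Asset("paper HR files", "HR Manager", 4, 3, 2)
PUBLIC_SITE = Asset("public website", "Marketing", 1, 5, 4)
CARD_EXPORT = Asset("card numbers exported to a spreadsheet", "Marketing", 5, 3, 1)

SAMPLE_REGISTER = [
    (CUSTOMER_DB, Threat("credential theft via phishing", 4, 3, "A.9 Access control")),
    (CUSTOMER_DB, Threat("backup tapes lost by courier", 3, 5,
                         "A.15 Supplier relationships", third_party=True)),
    (HR_FILES, Threat("unlocked cabinet, cleaners after hours", 3, 2,
                      "A.11 Physical and environmental security")),
    (PUBLIC_SITE, Threat("defacement through unpatched CMS", 3, 1, "A.12 Operations security")),
    (CARD_EXPORT, Threat("spreadsheet emailed outside the company", 4, 5, "A.8 Asset management")),
]

if __name__ == "__main__":
    for r in assess(SAMPLE_REGISTER):
        print(f"{r.score:>4}  {r.treatment.value:<8}  {r.asset.name}: "
              f"{r.threat.description}  [{r.threat.domain}]")
```

Run as a script, the register comes out ordered 100 (avoid), 75 (transfer), 60 and 24 (mitigate), 15 (accept). Two design points matter more than the arithmetic: the asset value is the maximum of C, I and A rather than the average, so a low-confidentiality asset with high integrity needs is not under-scored; and the thresholds are parameters passed in, because the acceptance level is a management decision recorded in the ISMS, not a constant a developer picks.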
With this article, I hope you now have a clear idea of how information security, IT security, and cyber security differ from each other. You should also have a better idea of how to implement an ISMS to proactively and confidently maintain your controls, whether they are related to IT or not.
For further assistance or information, do not hesitate to get in touch. I will be happy to guide you on achieving your organization’s goals.
Syed Nabeel Iqbal is currently working as Director Advisory Services at Business Beam and is a Lead Consultant & Lead Trainer in the IT GRC domains. He holds a Master’s degree in Business, Lead Auditor & Lead Implementer certifications in Information Security, and leading certifications in COBIT, ITIL, Business & IT Continuity and Project Management. Nabeel has more than 15 years of professional experience and has successfully delivered 35+ consulting engagements and 150+ trainings to leading clients in Pakistan, Oman, Dubai and Saudi Arabia. You can find Syed Nabeel on LinkedIn.