You’re not alone, as many discussions on data protection and cyber crime overlook the nuances that define the industry.
We aim to correct that here, providing a simple explanation of both terms and how they fit into your organisation.
What is information security?
Information security is a general term for the way organisations and individuals protect their valuable assets – whether that’s business records, personal data, intellectual property, etc.
This data is stored in many forms – for example, as physical files, on servers and hard drives, in the Cloud or on personal devices.
The ways you protect it will differ accordingly; you can’t apply the same defence mechanisms to paper records as you would to digital files.
The former should be kept in a drawer and only accessible to approved personnel, whether that’s by placing the files in a locked room or by locking the drawer itself. By contrast, digital files require technological defences, such as access controls to ensure that only approved users can view them.
As you can see, the general principle remains the same – you are implementing controls that limit who can view the information – but the methods vary. Information security refers to the overall practice of protecting personal data and the approaches to achieve that.
What is cyber security?
Cyber security is a specific type of information security that refers to the ways that organisations protect digital information, such as networks, programs, devices, servers and other digital assets.
Although it is only one aspect of information security (alongside physical security), it gets the most attention because cyber threats are far more likely than physical ones. Malware, criminal hacking and internal errors are the leading causes of data breaches, so it makes sense to prioritise defences that mitigate these risks.
That’s not to say that cyber security and physical security are entirely separate. Take the threat of stolen devices, for example.
You need physical security measures to prevent devices from falling into the wrong hands. This will primarily come in the form of policies that instruct employees on how to handle their devices, such as laptops, outside the premises.
However, these should be complemented with cyber security measures that protect the organisation should a device be stolen. Such measures might include password-protecting the device and its databases, encrypting sensitive information and implementing a kill switch to remotely wipe stolen laptops.
The three pillars of data security
Whether looking at cyber security specifically or information security generally, you should be aware of the three pillars of data security.
The model describes the methods for protecting sensitive information and comprises:
- People: Employees handle sensitive information daily, so it’s essential that organisations educate them on the risks and how to stay safe.
- Processes: Organisations should document the steps that employees must take to stay safe. This should include stating the roles and responsibilities for data protection activities.
- Technology: There are countless technological defences organisations can implement to tackle threats, such as antivirus software, access control and data encryption.
Essential principles to secure your organisation
You can find out more about the three-pillars model by reading Cyber Security: Essential principles to secure your organisation.
Written by IT Governance’s founder and chief executive, Alan Calder, this guide takes you through the essentials of cyber security – the principles that underpin it, vulnerabilities and threats and the attackers who use them, and how to defend against them – so you can confidently develop a cyber security programme.