Cybersecurity vs Information Security – What’s the Difference?
As organisations from all industries mature, managing risk to avoid unnecessary cost and disruption becomes a key focus. Today more than ever, information and digital systems provide some of the biggest opportunities for growth, but also the greatest potential for risk. In this space, the terms cybersecurity and information security are often used interchangeably, and while they share some characteristics, organisations that understand their differences will be better equipped to treat risk and ultimately reduce their overall risk profile.
What is cybersecurity?
In short, cybersecurity refers to the technical methods used to secure technical systems. Fitting entirely within the realm of information technology, it focuses on protecting, preventing damage to, and restoring electronic communications services and systems.
Cybersecurity professionals configure cloud, network and infrastructure for optimal security, as well as maintain systems that detect, prevent, contain and eradicate threats to the organisation’s digital assets. Among the many tools used in the cybersecurity field are firewalls, anti-virus, web and spam filtering and vulnerability management. What all of these tools have in common is that they are technology designed to protect other technology from technical threats.
What is information security?
Information security is a broad area, of which cybersecurity is just one element. Information security encompasses all information held by an organisation—regardless of the format, storage medium and type of threat. Information security professionals work to protect both digital assets (sometimes using cybersecurity strategies) and non-digital information assets. As such, information security spans the entire organisation, covering areas ranging from policies and procedures to roles, responsibilities, vendors and contracts.
The goal of information security is to protect three key attributes of all information: confidentiality, integrity, and availability.
· Confidentiality means that information is only available to those authorised to access it. In recent headlines, both Medibank and Optus failed to keep information they stored confidential when an attacker gained unauthorised access—with devastating results to both organisations.
· Integrity refers to the accuracy and completeness of the information the organisation stores. Integrity is achieved by preventing information from being tampered with or changed without reason and authorisation. For example, if an attacker were able to change the balance of their own bank account, they would have breached the integrity of the bank’s information.
· Availability means that data can be reliably accessed by those who have authorisation. When attacks encrypt data or make systems unavailable, then the accessibility of information has been compromised.
What’s the difference?
Cybersecurity is a sub-activity of information security. While both fields are concerned with protecting digital information, information security has a broader scope, including physical data, such as printed files and documents, as well as intellectual assets, such as the knowledge of employees.
Information security also looks at a wider range of threats to the confidentiality, integrity and availability of an organisation's information. It typically has a heavy focus on governance, risk and compliance activities and will seek to identify and treat risks coming from weaknesses in areas outside of just cybersecurity, such as corporate policies, contracts and non-disclosure agreements, employee screening and employment terms, intellectual property rights, privacy, roles and responsibilities, segregation of duties and many more.
What does information security give an organisation that cybersecurity does not?
Cybersecurity is an important first step for small organisations. Without foundational cybersecurity, organisations face significant risks across all of their digital systems. However, as organisations grow, they will also face a growing number of risks from non-digital attack vectors. This is where information security can build upon the foundations of cybersecurity.
In fact, in the 2022 publication of ISO27001, the international standard for information security, only 36% of listed security controls fall into the cybersecurity realm. The rest fall under three categories: physical (15%), people (9%) and organisational (40%), representing the broader scope of information security. The remainder of this article will explore what these categories mean and how they can be implemented.
Organisational Controls
These controls aim to secure information through policies, processes and procedures. Some key areas of organisational controls are information security policies, organisation of information security, supplier relationships and contracts, and privacy and protection of PII.
Information security policies govern the collection, transfer and storage of information. These policies should be aligned across all departments and regularly reviewed to reduce risk to the confidentiality, integrity and availability of information assets.
By implementing clear policies, organisations can make information security a natural part of the way both management and employees go about their daily tasks and in doing so, reduce the risk of data leaks and breaches.
Organisation of information security is concerned with how information security roles and responsibilities are managed and assigned to appropriate employees. A robust organisational plan drives accountability for a holistic security posture, and assures specific areas are not neglected.
Implementing clear ownership and accountability for the security of information also leads to continual improvement in the space, and ongoing consideration and reduction of security risks.
Supplier relationships and contracts: While cybersecurity focuses solely on protecting an organisation’s own systems, information security includes making data secure even after it has been shared with an authorised third party. Modern organisations make use of many external services which put their information in other organisations' hands: everything from emails on Microsoft’s cloud to financial data on Xero’s cloud.
By reviewing and validating that security is appropriately catered for in contracts and handled by suppliers, organisations can avoid becoming headline news for data leaks that may be no direct fault of their own.
Privacy and protection of personally identifiable information (PII) goes beyond the technical defences an organisation implements to protect its customers' data. These controls start with a detailed awareness of the private information the organisation holds, and then go on to evaluate the legal, regulatory and contractual considerations surrounding PII. They often include assigning relevant responsibilities, such as appointing a data privacy officer. Organisations can often reduce risk by asking fundamental questions, such as, "Do we really need to store this data?"
People Controls
One of the biggest sources of information security risk in any modern organisation is neither technical nor external: it is the organisation's own people. In addition to PII, most organisations have valuable information assets like tools, templates, cost calculators or pricing books which give them a competitive advantage. However, in order to operate, employees need access to this information, and these same people often lack guidance or awareness of their responsibilities to keep information secure. This can lead to the accidental sharing of confidential information.
It is also becoming increasingly common for employees to change employers several times throughout their careers. People controls start with ensuring that information security expectations are communicated from initial employee screening and onboarding onwards, including through the terms and conditions of employment. They also include appropriate confidentiality or non-disclosure agreements, which should remain in effect after employment ends to protect the organisation from both accidental and intentional risks to information security.
Done properly, people controls assure that information is handled securely while employees are working, and protect competitive advantages by preventing valuable information assets from being shared with competitors when an employee leaves the organisation.
Physical Controls
Finally, information security also includes the physical security of information. Whether that information resides in digital form on computers, or in physical documents in desks and filing cabinets, physical controls ensure computer rooms, offices and working spaces, including home offices, are secure to prevent accidental and intentional data breaches. Possible controls include physical security perimeters, clear desk and clear screen rules, and secure disposal or reuse of assets.
Conclusion
Information security is a broad term that encompasses all the means used to maintain the confidentiality, integrity and availability of an organisation’s information—from employee knowledge to customer data. It includes policies, procedures, contracts, relationships, roles and responsibilities. Cybersecurity is a subcategory of information security and focuses on the technical methods used to protect digital systems from cyber threats.
While information security is led and advised by professionals, it spans all areas of an organisation and seeks to mitigate digital and non-digital threats to an organisation’s information.
In modern organisations, competitive advantage is increasingly achieved through information assets—be it client databases, commercially sensitive documents, or internally developed costing and quotation models. Information security provides a much broader lens with which to identify and mitigate threats to these assets and maintain those competitive advantages.