Cyber security and information security are terms that are frequently used interchangeably. Although closely related, each represents a separate area that deserves significant management attention in its own right.
Cyber security primarily addresses the technical hardening of IT systems: patching and protecting hardware and software, monitoring network and Internet traffic, and ensuring users follow good cyber hygiene practices.
Information security, on the other hand, addresses the protection of sensitive information itself, ensuring that it is available to authorized users and to no one else, whatever form or medium it is in. It also involves implementing the controls required by laws and regulations such as HIPAA (health care), DFARS (DoD contractors), and GDPR (EU) to properly safeguard personally identifiable information and other protected data, and to meet other industry-mandated requirements.
A lack of cyber security readiness increases the risk of a breach of sensitive information: it makes it much easier for attackers and unauthorized users to gain access to that information and exploit it for financial gain or to damage your brand. As a result, improving the underlying IT cyber defenses is, in most organizations, a prerequisite to establishing effective information security practices.
Even when significant IT cyber protections have been established, it is still possible to have an information security breach. There are many scenarios in which sensitive information could end up in the wrong hands due to users mishandling such data. This could involve storing files on thumb drives; employees improperly emailing information to personal, client, or supplier email accounts; or leaving paper-based reports containing sensitive data in plain sight.
For example, consider an employee in a social services agency who prints out an Excel list of their clients with their social security numbers and dates of birth. Or, think about an employee in a manufacturing company who prints the specifications of a product design. In both cases, the information could easily be acquired by an unauthorized user, who could simply take a picture of the reports and sell them on the dark web for personal gain. Even if the companies in these scenarios had proper IT cyber protections in place, they were still at risk of an information security breach.
When considering how to implement proper cyber and information security measures in your organization, make sure your focus is not only on IT-related security efforts but also on how your sensitive information is stored, accessed, and communicated, both internally and externally. An effective cyber and information security approach must be truly integrated: it requires the active participation of IT and non-IT process owners so that both technical and non-technical concerns are taken into account.
Sassan S. Hejazi can be reached at Email or 215.441.4600.