Cyber Security is the buzz word today, especially in India. With the growing instances of cyber attacks, organizations are focusing on security of their digital assets, be they networks or devices connected to them.
The large consulting firms have begun aggressively building Cyber Security teams to cater to the growing demand from clients for high level of expertise in countering cyber threats. Not satisfied with just providing consulting services, consulting companies like EY and Deloitte have built Cyberthreat centers in India. These centers aim to provide security monitoring services to clients not just in India but across the world.
However, it is important to understand the key difference between “Cyber Security” and “Information Security”.
Cyber Security in essence is a subset of Information Security.
It addresses the “computer” related security issues. Information Security on the other hand looks at the entire gamut of managing “information” related security issues, be they in physical format or electronic format. To view it differently, Information Security would be the responsibility of the business management while Cyber Security would be largely owned by the IT team.
With the above definition in mind, it would be worthwhile to consider the consequences of concentrating on purely Cyber Security without a comprehensive approach towards information security.
There are several aspects that may get overlooked if organizations take a “Cyber Security” skewed view of information security:
– Privileged Access: As is well known, most security breaches are internal. Abuse of privileged access is one of the major culprits. Without controls like background checks of employees (that is an “Information Security” good practice), the likelihood of such instances increases.
– Printed information: Many organizations still print out confidential information on paper. It is important to have policies and procedures in place to manage this information. Just like an organization can lose confidential information through cyber attacks, so can it lose information through dumpster diving!
– Smartphones: With cameras becoming standard on most phones, taking photographs of confidential information and sending it out through non-enterprise apps like “WhatsApp” etc. could cause major damage to organizations.
– BYOD: The BYOD trend has led to increasing complexity in managing information due to blurring of organization and personal digital boundaries. Organizations now have the overhead of managing multiple layers of security policies and procedures.
While the growing interest in Cyber Security is welcome, organization would do well to undertake comprehensive Information Security initiatives. There is a real risk that given the fear psychosis around cyber attacks, Cyber Security would get prioritized over Information Security. With CISOs doing a great job of focusing on securing computer assets, the more important task Information Security could fall through the cracks.
It is essential for businesses to recognize this risk and take a holistic view towards Information Security while also recognizing the Cyber Security is a critical piece of the overall picture.
(Disclaimer: The cartoon above is just for catching your attention. Management should not attempt such procedures on their employees. 🙂
(Confidis delivers services in the Information Security space that includes Cybersecurity. It works at the intersection of business and technology and has provided several organizations with security advice that focuses on meeting business objectives.)