Information Security, Cybersecurity, and Network Security.
The terminology of security can be confusing, and people don't always use its terms precisely. Getting them right isn't just a matter of nitpicking; it helps you to understand and communicate. When people think they're talking about the same issue but they aren't, it takes extra time to get everyone on the same track.
Here we'll look at three terms: information security, cybersecurity, and network security. The first one is the broadest term, and the other two get increasingly specific. People working in cybersecurity and network security need to remember they're really dealing with information security and not narrow their focus too much.
Information security
Information is any meaningful arrangement of symbols. It can be on paper, on a computer, or in your head. Information security deals with protecting it in all its forms. In the age of computers, it's easy to forget that non-digital information needs protection too. Poorly protected paper records are the source of many security leaks. "Loose lips" are another risk.
The CIA triad — confidentiality, integrity, and availability — is a widely-used model for information security. It applies to cybersecurity and network security as well.
-
Confidentiality is the protection of information from unauthorized access.
-
Integrity is the assurance that information hasn't improperly been changed or removed.
-
Availability is the maintenance of access to information for authorized parties.
Keeping information secure entails physical, procedural, and personal protections. Physical protection keeps the media where the records are stored away from unauthorized parties. Procedural protection establishes methods by which only authorized people can obtain access. The personal aspect establishes policies to make sure no one carelessly endangers security.
Cybersecurity
The term "cybersecurity" comes from "cybernetics" by way of "cyberpunk." Cybernetics is an old word for what we call computer science today. Cybersecurity is a subcategory of information security. It's simply computer security in all its aspects. It includes the protection of networks, individual machines, access devices, and digital storage media.
Cybersecurity has its personal aspects as well as its computational ones. It includes the creation of strong passwords and their protection against discovery. An important part of it is being alert against trickery, such as phishing messages.
It's bad policy to trust everyone without limitations, and even strictly honest people can find their accounts have been compromised. Good cybersecurity limits what any account can do to what it needs to do.
A key principle of modern cybersecurity is defense in depth. Any one protection, whether it's human judgment or anti-malware software, can sometimes fail. A good security system puts multiple barriers in the way of any attempt to break in.
Network security
The most specific of these categories is network security, which is a subcategory of cybersecurity. Even small organizations today have complex data networks, and keeping them secure is a difficult task. Everything in the above discussions of information security and cybersecurity applies here.
Networks need protection on the inside as well as the outside. Firewalls and protection of public-facing resources are essential. Security against attacks from within is necessary as well; employees may be dishonest, or malware may take control of a machine on the network.
"Shadow IT," devices or software introduced for legitimate purposes but without authorization, can endanger security. It's hard to protect a network when its administrators don't know about everything on it.
Check out our 6 step guide for network security assessment.
What they have in common
Information security, whatever forms it takes, is a constant challenge. New threats can emerge at any time, the requirements for protection can change, and people can make mistakes. It's helpful, when protecting computers and networks, to keep the broader picture in mind.
Whatever kind of security you're dealing with, it's really about information, not machines. Information theft may start with something as low-tech as a lunchtime conversation. The human aspect is always important. Thinking about information security, not just cybersecurity or network security, helps in staying aware all the ways that information needs protection.
