It’s impossible to calculate the sheer volume of information stored in the world’s data centers, private computers, and digital storage devices. One estimate suggests Google, Amazon, Microsoft, and Facebook alone hold over 1.2 million terabytes between them.
And then there’s the physical data, the many millions of filing cabinets, printed ledgers, and notebooks.
With so much information in circulation, it’s no surprise that there is a whole branch of security designed to protect it.
The first information security (infosec) practices evolved in tandem with written communication. The Roman general and statesman Julius Caesar is often cited as an early practitioner: he is credited with the simple shift cipher that now carries his name, the Caesar cipher, which he used to protect the contents of his private correspondence.
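To make the cipher concrete, here is an added example (not from the article) of the Caesar cipher and the exhaustive-search attack that breaks it. The shift of three is the one tradition attributes to Caesar; the message and the small word list standing in for an English dictionary are constructed for the demonstration.

```python
# Added example: the Caesar cipher and the attack that breaks it.
# Not from the article; the plaintext and word list below are constructed for the demo.
import string


def caesar(text: str, shift: int) -> str:
    """Shift each ASCII letter by `shift` places (mod 26); case and non-letters are preserved."""
    out = []
    for ch in text:
        if "A" <= ch <= "Z" or "a" <= ch <= "z":
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def encrypt(plaintext: str, key: int) -> str:
    return caesar(plaintext, key)


def decrypt(ciphertext: str, key: int) -> str:
    return caesar(ciphertext, -key)


# A small constructed word list standing in for an English dictionary.
WORDS = {"THE", "AT", "ME", "TO", "IS", "IN", "OF", "AND", "YOU",
         "MEET", "OLD", "BRIDGE", "NINE", "TONIGHT", "ATTACK", "DAWN"}


def english_score(text: str) -> int:
    """Number of tokens that are dictionary words; higher means more plausible plaintext."""
    return sum(1 for token in text.upper().split()
               if token.strip(string.punctuation) in WORDS)


def break_caesar(ciphertext: str) -> tuple[int, str]:
    """Exhaust the 25 usable keys and return the (key, plaintext) pair that reads most like English.

    A key space this small is why a shift cipher gives no confidentiality against anyone
    with a computer, or even a pencil: every key is tried in a fraction of a millisecond.
    """
    candidates = [(k, decrypt(ciphertext, k)) for k in range(1, 26)]
    return max(candidates, key=lambda kp: english_score(kp[1]))


if __name__ == "__main__":
    ct = encrypt("Meet me at the old bridge at nine tonight", 7)
    print(ct)
    print(break_caesar(ct))
```

The scoring function is deliberately crude; a real attack on any monoalphabetic substitution uses letter frequencies, and neither needs to know the key in advance.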
Information security in the era of cybercrime
Today, information security is inextricably linked with cybersecurity. Strictly speaking, information security covers the storage and transmission of both physical and digital data, while cybersecurity is concerned with protecting digital systems, networks, and the data they hold from attack; in practice, the two terms are often used interchangeably.
IT security is another term used alongside information security but again, there are differences. For example, the umbrella term IT security also includes application security, the process of identifying and patching code vulnerabilities, and network security, the methods used to defend and maintain computer networks.
In the 21st century, most data is stored electronically, so the term information security is generally used as a way of describing the methods used to protect digital data in storage and transit.
By far the biggest threats to sensitive information originate from the internet.
The core principles of information security
Known as the CIA triad, the three core principles of information security are confidentiality, integrity, and availability:
Confidentiality is one of the cornerstones of information security and, in many respects, one of the hardest principles to uphold. The challenge is twofold: ensuring that sensitive information stays confidential when unauthorized users attempt to access it, and putting measures in place to detect those attempts.
It’s important not to confuse confidentiality with privacy. Privacy concerns an individual’s right to control how information about them is collected and used; confidentiality is a property of the information itself, which may be accessed by anyone who has been given the authority to do so and by nobody else.
Common techniques for ensuring confidentiality include encryption, access control backed by password authentication, and multi-factor authentication, for example the one-time codes generated by an authenticator app such as Google Authenticator.
As well as keeping data confidential, companies must ensure that data stays the same unless it is purposefully altered by an authorized person. Maintaining the integrity of information means that any unauthorized change, whether malicious or accidental, is prevented or, failing that, detected.
Companies regularly deploy some of the methods discussed above to prevent both accidental and deliberate manipulation of data. For example, requiring a password and automatically logging out an employee’s internal email account not only ensures the account isn’t accidentally left open but also protects it from anyone deliberately trying to access, and potentially alter, the information in it.
Data integrity has a legal dimension too. Data protection laws protect consumers from having their data unlawfully transmitted or abused, and companies that handle such data undertake to keep it in the state it was in when they were permitted to handle it.
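Detecting unauthorized change, as described above, is where a plain checksum falls short: anyone who can edit a record can recompute the hash stored next to it. The following added example (not from the article) shows that failure beside the keyed alternative, an HMAC, which an attacker cannot recompute without the key. The ledger record is constructed for the demonstration.

```python
# Added example: detecting tampering with a keyed MAC rather than a bare hash.
# Not from the article; the ledger record below is constructed for the demo.
import hashlib
import hmac
import secrets


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hmac_tag(key: bytes, data: bytes) -> str:
    """HMAC-SHA256 over the data; only a holder of `key` can produce a valid tag."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def hmac_verify(key: bytes, data: bytes, tag: str) -> bool:
    """Constant-time comparison, so timing does not reveal how many tag bytes matched."""
    return hmac.compare_digest(hmac_tag(key, data), tag)


ORIGINAL = b'{"account":"ACC-1001","balance":2500.00}'
TAMPERED = b'{"account":"ACC-1001","balance":250000.00}'


def unkeyed_hash_is_fooled() -> bool:
    """A bare hash stored beside the data only catches accidental corruption.

    Anyone who can edit the record can recompute the hash, so the check passes
    after tampering. Returns True when the tampering goes unnoticed.
    """
    stored_record, stored_hash = ORIGINAL, sha256_hex(ORIGINAL)
    # attacker with write access rewrites the record and simply recomputes the hash
    stored_record, stored_hash = TAMPERED, sha256_hex(TAMPERED)
    return sha256_hex(stored_record) == stored_hash


def keyed_mac_catches_it(key: bytes) -> bool:
    """With an HMAC the attacker can edit the record but cannot produce a matching tag
    without the key. Returns True when the original verifies and both the reused tag
    and a tag computed with a guessed key are rejected for the tampered record."""
    tag = hmac_tag(key, ORIGINAL)
    forged = hmac_tag(b"attacker-guess", TAMPERED)
    return (hmac_verify(key, ORIGINAL, tag)
            and not hmac_verify(key, TAMPERED, tag)
            and not hmac_verify(key, TAMPERED, forged))


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept server-side, never stored beside the data
    print(unkeyed_hash_is_fooled(), keyed_mac_catches_it(key))
```

The MAC key has to live somewhere the attacker cannot reach (a secrets store or an HSM, not the same database as the records); if it sits beside the data, the scheme degrades to the bare-hash case. Where the verifier and the signer are different parties, a digital signature replaces the HMAC so that the verifying side never holds a key that could forge tags.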
You can look at availability as the counterweight to confidentiality. In essence, it means that data is readily accessible to those who are permitted to access it. The two are implemented in tandem: controls that keep unauthorized users out must not lock authorized users out as well.
It’s just as important to have tools that hinder access to information as it is to have tools that enable it.
One example of availability being considered in an information security plan is the safe transfer of data to temporary storage during a systems upgrade. Another is a backup power source that ensures authorized users can still reach data during a power outage.
What are the most common threats to information security?
Digital information is particularly vulnerable to theft or manipulation, especially when it is handled using internet-based services and systems.
Unlike information stored on paper that can be physically locked in a safe, it’s far more difficult to contain and protect digital information, especially when it is available online. For this reason, the conversation around threats to information security usually concentrates on cybersecurity issues.
Many people fall victim to phishing emails and websites that trick them into handing over credentials, giving attackers unauthorized access to information.
These scams make confidential data easy to reach, and the companies trusted to maintain the integrity of that data are often held legally responsible for losing custody of it.
Cybercriminals also try to steal confidential information by infecting computer systems with malware.
In such an attack, confidential information can be leaked or destroyed or, increasingly, encrypted and held to ransom. One of the most significant ransomware attacks was WannaCry in May 2017, a self-propagating worm that hit some of the largest organizations and institutions in the world.
Denial-of-service attacks target the availability of information directly. By flooding a company’s network with traffic, attackers aim to exhaust the resources that keep it running, overwhelming the system so that legitimate requests can no longer be served.
In some instances, a ransom is demanded to stop the bombardment.
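One of the controls used to keep a service available under a request flood is a per-client token bucket: each client may send a short burst, then is held to a sustained rate, and a single abusive source cannot consume the capacity meant for everyone else. The following is an added example, not code from the article, driven by a fake clock so the behaviour is deterministic; the client addresses are constructed from the documentation ranges.

```python
# Added example: a per-client token-bucket rate limiter, one control used to protect
# availability against request floods. Not from the article; client addresses are constructed.


class TokenBucket:
    """A bucket holds up to `capacity` tokens and refills at `refill_per_sec`; each request spends one."""

    def __init__(self, capacity: float, refill_per_sec: float, now: float):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.tokens = float(capacity)  # a new client may burst up to the full capacity
        self.last = now

    def allow(self, now: float) -> bool:
        """Top the bucket up for the time elapsed, then spend one token if one is available."""
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_per_sec)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class RateLimiter:
    """One bucket per client key (for example a source IP, API token, or user id)."""

    def __init__(self, capacity: float = 20, refill_per_sec: float = 10):
        self.capacity = capacity
        self.refill_per_sec = refill_per_sec
        self.buckets: dict[str, TokenBucket] = {}

    def check(self, client: str, now: float) -> bool:
        """True if the request should be served, False if it should be rejected (HTTP 429)."""
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = TokenBucket(self.capacity, self.refill_per_sec, now)
        return bucket.allow(now)


def simulate() -> dict:
    """Deterministic scenario on a fake clock: a flood of 100 requests from one address at t=0,
    a retry of 5 requests from the same address one second later, and an unrelated client
    sending 3 requests during the flood."""
    limiter = RateLimiter(capacity=20, refill_per_sec=10)
    flood = sum(limiter.check("203.0.113.7", 0.0) for _ in range(100))
    retry = sum(limiter.check("203.0.113.7", 1.0) for _ in range(5))
    bystander = sum(limiter.check("198.51.100.4", 0.0) for _ in range(3))
    return {"flood_accepted": flood, "retry_accepted": retry, "bystander_accepted": bystander}


if __name__ == "__main__":
    print(simulate())
```

The caveat a practitioner would add: this protects the application's own resources (worker threads, database connections) from a single abusive source. A volumetric distributed attack saturates the network link before any application code runs, and an attacker spreading requests over many addresses gets a fresh bucket for each one, so such floods are absorbed upstream by a scrubbing service or CDN rather than at the application. The dictionary of buckets also needs eviction of idle entries, or the limiter itself becomes a memory-exhaustion target.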
With portable devices becoming ever more capable of storing large amounts of data—a top-of-the-range iPhone stores up to 512GB—the rewards for stealing these devices continue to grow.
Information security measures should also cover the devices, such as smartphones and laptops, used by company employees to store and transport information. The job of the information security specialist no longer ends within the walls of a company office. Data is constantly on the move, both virtually and physically.
To finish, a strong and successful information security strategy will ensure that all of the above threats are considered and mitigated and, above all, will maintain the confidentiality, integrity, and availability of the information it was designed to protect.