Information security has become synonymous with cybersecurity but the focus on cybersecurity can distract attention from the basic elements of information security. You need to hold onto your information, not to cybersecurity.
An expert in cybersecurity recently offered to email someone a confidential document that they were not authorized to access. When it was pointed out to the expert that the document was confidential and that circulating it was a breach of privacy, his response was that he did not know the information was confidential. The information is classified as confidential, the relevant policies and procedures are in place in the organization, and all staff have completed mandatory training both on general data protection and on the use of the specific information in this instance. Despite these actions by the organization, a data breach was only narrowly avoided, so what more can be done?
In the post ‘Taking the ‘Cyber’ out of Security’, Tyler Morris (2015) reminds us that not all security is cybersecurity.
Over Reliance on Cybersecurity
Francis (2015) describes cyber as ‘an overused and meaningless term’. Information security is important, and the IT industry’s response is to create labels such as cybersecurity to acknowledge the importance of the subject. However, creating labels causes three problems.
First, the labels become a focus for resource allocation, job titles, conferences, events, service providers and software vendors offering solutions. The label becomes the focus of attention rather than the underlying causes of information security problems.
Second, labels can be used to abdicate responsibility. Using a key label shows that a company is aware of the problem and can clearly point to the resources and actions that have been taken under the label of cybersecurity. But using the label also makes it easy to pass on responsibility for the problem. Information security comes to be seen as someone else’s job; let us all point to the cybersecurity expert; information security is their responsibility.
Third, as Morris (2015) points out, not all information security relates to cybersecurity. While experts focus on the technical threats to information security, from external hackers and from internal staff seeking to access and download information, the real threat of staff not thinking about how they use and share information is overlooked. The bad guys do not need to break into the system; they just need to ask, and the information will be handed over without a second thought!
Culture of Information Responsibility
Organizations have information security policies and procedures in place, staff are trained and codes of conduct are signed off, but these actions do not address the fundamental issues of information security. A culture of information responsibility is needed where it becomes an automatic response for staff to stop and think about information security before they access and share any information. Organizations need to focus on the practice of information security to embed good practice into routines, rather than just relying on technical cybersecurity solutions.
Physical barriers to accessing paper-based information such as information being held in one location, behind several locked doors and in a locked cabinet or a safe act as triggers about the importance and security of information. As information technology has enabled information to be easily accessed and shared, the triggers have been lost, resulting in the thoughtless treatment of information.
Triggers therefore need to be developed to constantly remind staff about information security until information security becomes second nature. In IT systems, the triggers can take the form of pop-up warnings that the information being accessed is confidential and cannot be shared. In the physical world, signs and posters are needed to ensure that information security is at the forefront of people’s attention until good information practice becomes seamlessly embedded into daily practice.
Organizations rely on cybersecurity to keep information secure but focusing on cybersecurity can detract from the real issue of creating a culture of information responsibility. Information security is everyone’s responsibility and we all need to stop and think before we unwittingly disclose confidential information. Hold onto your Information, not to cybersecurity.
Further Reading: Information Security is discussed in Chapter 5.
Francis, R. (2015), ‘7 Security Buzzwords that Need to be Put to Rest’, CSO Online, 14 January 2015, http://www.csoonline.com/article/2868515/security-leadership/7-security-buzzwords-that-need-to-be-put-to-rest.html#slide4
Morris, T. (2015), ‘Taking the ‘Cyber’ out of Security’, GCN.com, 22 September 2015, http://gcn.com/articles/2015/09/22/security-physical-electronic.aspx