Information security
What is information security?
Information security refers to the tools and procedures an organization adopts to protect information and associated systems against unauthorized access, use, disclosure, disruption, modification, or destruction. All organizations deal with some type of information, from intellectual property to classified documents to the data of users or customers. Keeping this information safe can involve technology, physical security, and more.
The practice of information security (InfoSec for short) encompasses policies and procedures, hardware, software, training, and physical infrastructure. Businesses, governments, and other organizations use these tools both to protect the information they are responsible for and to ensure that, if something does happen, they can reduce the resulting harm. Protected information can be electronic or physical (paper files, prototypes, etc.).
The basics of InfoSec
InfoSec is a large and complex field. The specific tools and procedures used are unique to each organization, depending on their circumstances and the kind of information they protect. However, there are a few principles that apply in all cases:
- Information needs to be protected from people who have no right to it
- Information needs to be accurate, up-to-date, and reliable
- Information needs to be accessible to those who do have a right to it, and those tasked with maintaining its accuracy
Achieving all three objectives is a balancing act. On the one hand, making information difficult to access means that the “wrong” people (e.g. hackers) can’t get to it. But if access is too difficult, the “right” people (e.g. system admins) will also have a hard time reaching it, which in turn can mean the information is not well maintained. Too strong an effort to meet the first objective can mean falling short on the second.
The field of information security is not the same as cybersecurity. Rather, cybersecurity is considered an area within InfoSec, since cybersecurity focuses on protecting electronic information while InfoSec involves both electronic and non-electronic information.
What does InfoSec protect against?
Threats to an organization’s data can come from many sources. Some are malicious and intentional, like bad actors trying to steal personal information. Others originate from human error or carelessness. Regardless of the source of the threat, the danger is the same: one or more of the basic goals of securing information are compromised.
Malicious threats can be both electronic and physical. Physical threats are primarily theft of assets, which can happen on the organization’s property or offsite, such as theft of a laptop while traveling. Today, the larger threat is electronic. Phishing and other forms of social engineering can lead to the installation of malware and ransomware. Botnets can launch DDoS (distributed denial of service) attacks or run password cracking software to “brute force” their way into secure systems. Man-in-the-middle attacks can intercept traffic on an organization’s network and eavesdrop on the messages passing through it.
Natural disasters, system malfunctions, and human error are not malicious events, but they have the potential to do just as much damage. InfoSec procedures should include plans for system outages, power outages, and damage to infrastructure. Staff training can help address the risks of human error.
Elements of InfoSec protection
InfoSec practices involve various elements, including:
- Application security: Protects data and systems against software and API vulnerabilities. Application security can use anti-virus monitoring, firewalls, and strong password/login requirements.
- Data encryption: Encrypted data can only be deciphered by those who are authorized and are using accepted channels to access the data. The best practice is to encrypt data both in transit and while stored.
- Infrastructure security: This piece of InfoSec focuses on controlling who has physical access to the information or the systems that store and maintain data. Infrastructure security covers who can access places like office buildings and data centers, and how to protect things like laptops and mobile devices from theft.
- Cloud security: With more organizations using remote data platforms managed by third parties, assessing and monitoring the security of these service providers has become an important element of InfoSec.
- Human training: “Insider” threats are considered the biggest challenge of InfoSec. An insider threat simply means the threat originates from within the organization. It can be malicious activity but often it’s accidental, like an email sent to the wrong person; an employee clicking the wrong link and downloading malware via phishing; or a former, disgruntled employee retaining access credentials. InfoSec addresses some of these threats through staff training—how security processes work, why they need to be followed, and the staff member’s part in maintaining good security.
- Response plans: Taking the steps discussed above will lessen the risk of a successful attack, but they can’t eliminate the risk entirely. It’s important to have response plans for what to do if there is a successful attack. These plans address how to recover lost or compromised data, and how the organization can continue to function while recovering.
- Monitoring: Attacks on information systems are always changing. An organization needs to monitor their InfoSec process for effectiveness, and update as needed to improve results and prepare for new sorts of threats.
An organization’s InfoSec program is tailored to its individual needs. However, it can also be shaped by outside forces, such as regulations: GDPR and HIPAA are two examples of regulations that set standards an organization must meet.
How can I know my data is being protected?
As an individual, you have limited influence on the security protocols of an outside organization. Once your data is in someone else’s database, you have to rely on their InfoSec programs to keep it safe from events like a data breach. However, you can exercise care about where and when to supply your personal data, so it’s less exposed in the first place:
- Use different passwords for every site and app. Use a password manager to securely store all your passwords, and to generate random, unique passwords for every account and website you access. If all of your passwords are different, it’s much more likely that a breach exposing one password will only compromise that one account.
- Minimize the number of places your data is stored, to reduce possible exposure to data theft. For instance, set up automatic payments through your bank’s bill pay system rather than at each account website. This reduces the number of databases your bank account information is stored in.
- Don’t give your data to organizations that seem to want to collect more data than necessary, or have a poor track record for information security.
- Enable two-factor authentication (2FA), or multi-factor authentication, on every account that supports it. (This is usually a unique, one-time numeric code that’s also required before you can gain access to your account on a site or app.) Even if a data breach exposes your password, those who get your password won’t have the second required portion of your login (the second factor), and so will still be blocked from accessing your accounts. SMS-based 2FA is not recommended unless it’s the only available option: SMS codes can be intercepted or redirected (for example through SIM-swap fraud), which makes them less secure than codes from an authenticator app or a hardware security key.
Using a browser with strong privacy and security protections, such as the Brave browser, will also limit the risk of your data getting into the wrong hands:
- The Brave browser includes Safe Browsing, which can help prevent data breaches by protecting against malicious websites.
- Brave’s built-in ad blocker—Brave Shields—can block malicious and deceptive advertising, partly through the use of filter lists. It’s also more secure than browser extensions, which can themselves introduce new security risks.
Brave automatically upgrades connections to the more secure HTTPS, meaning your data is encrypted in transit. This isn’t a guarantee that the site stores your data encrypted, but it might improve the odds. Just check that the URL begins with “https://” (not “http://”) to be sure.