You have valuable content that you want to protect from third-party attackers, hackers, and other unauthorized users. If a hacker gained access to your company's customer list, they could send those clients fake messages or use your customers' personal information to impersonate them. If a competitor got access to the prototype for your company's next big idea, they could copy it and rush it to market before you release your version.
Protecting your company's content is critical for your continued success and peace of mind. One way to protect your content is to implement a security policy that outlines procedures and expectations. Plus, the Content Cloud comes with built-in security and compliance features that also help you keep your information safe throughout the entire content lifecycle.
As you go about putting together a security policy, you're likely to come across two terms: information security, also called "infosec," and cybersecurity. While there is overlap between infosec and cybersecurity, the two aren't identical. To help you protect your content as effectively as possible, let's take a look at the similarities and differences between information security and cybersecurity.
What is information security?
The simplest way to define information security is the process an organization uses to protect its content from unauthorized use, access, disruption, disclosure, modification, or deletion. Information, in this case, can take many forms. It can be content in digital formats, such as videos and spreadsheets. It can also be content in physical formats, such as paper files or printed documents.
Infosec can use several methods to protect content. Among those ways to safeguard physical and digital information are:
Setting up barriers
Barriers keep unauthorized individuals away from sensitive content. Depending on the form the content takes, the barriers can be tangible or not. In the case of printed files or physical copies of marketing videos, the barrier might be a locked filing cabinet or a room where people need a key or security code to enter. If the content is digital, the barrier can involve using a password or PIN or storing the content on a platform that only a select few can access.
Passwords are the most common digital barrier, limiting access to content to only the people who should be looking at it. How passwords are chosen matters. An information security policy should require strong passwords: ones that are long (a passphrase of several unrelated words is easier to remember and harder to guess than a short string of symbols) and that do not appear on lists of breached or commonly used passwords. Forcing people to mix letters, numbers and special characters, or to change passwords on a fixed schedule, tends to produce predictable variations such as "Summer2024!" rather than stronger secrets; current guidance such as NIST SP 800-63B recommends screening new passwords against breached-password lists instead, and changing a password when there is evidence it has been compromised rather than on a calendar.
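The following is an added example, not code from the original page or from Box, showing what a password rule built on that guidance looks like in practice: a length floor, a blocklist of breached or common passwords, and a check that the password does not contain the username, with no composition rule and no expiry. The 12-character minimum and the blocklist contents are assumptions constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// Policy limits. NIST SP 800-63B sets a floor of 8 characters and asks
// verifiers to accept at least 64; the 12-character minimum used here is an
// assumption chosen for this example, not a figure from the page.
const (
	minLength = 12
	maxLength = 128
)

// Rejection reasons, kept as constants so callers (and tests) can match them.
const (
	ReasonTooShort = "shorter than the minimum length"
	ReasonTooLong  = "longer than the maximum length"
	ReasonBreached = "appears in a breached or common password list"
	ReasonUsername = "contains the username"
)

// breachedPasswords is a constructed stand-in for a real blocklist built
// from public breach dumps. Note that "P@ssw0rd1!" satisfies every
// composition rule (upper, lower, digit, symbol) yet belongs on such a list.
var breachedPasswords = map[string]bool{
	"password":     true,
	"p@ssw0rd1!":   true,
	"summer2024!!": true,
	"qwertyuiop12": true,
}

// CheckPassword returns every reason the candidate is unacceptable; an empty
// slice means it passes. Length and the blocklist do the work. There is no
// "must contain a symbol" rule and no expiry date: SP 800-63B advises against
// both because they push users toward predictable variations.
func CheckPassword(username, candidate string) []string {
	var reasons []string
	n := utf8.RuneCountInString(candidate)
	if n < minLength {
		reasons = append(reasons, ReasonTooShort)
	}
	if n > maxLength {
		reasons = append(reasons, ReasonTooLong)
	}
	lower := strings.ToLower(candidate)
	if breachedPasswords[lower] {
		reasons = append(reasons, ReasonBreached)
	}
	// Only check usernames long enough to be meaningful; "al" would match too much.
	if u := strings.ToLower(username); len(u) >= 4 && strings.Contains(lower, u) {
		reasons = append(reasons, ReasonUsername)
	}
	return reasons
}

func main() {
	// Constructed candidates: two "complex" passwords that fail, one that
	// leaks the username, and a plain passphrase that passes.
	for _, c := range []string{"P@ssw0rd1!", "Summer2024!!", "alice-reads-all-the-things", "yellow kettle orbit lantern"} {
		reasons := CheckPassword("alice", c)
		if len(reasons) == 0 {
			fmt.Printf("%-30q accepted\n", c)
			continue
		}
		fmt.Printf("%-30q rejected: %s\n", c, strings.Join(reasons, "; "))
	}
}
```

In production the blocklist would be a large set or a k-anonymity lookup against a breach database rather than an in-memory map, but the decision logic stays the same.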
Requiring multi-factor authentication
Authentication is a crucial part of information security. You want to verify that people accessing your content are those who should be accessing it. Multi-factor authentication asks a person to verify their identity beyond putting in a username and password, using factors of different kinds: something they know (a password), something they have (a phone, badge or hardware key) and something they are (a fingerprint or face). For information stored in a physical location, multi-factor authentication might ask a person to swipe an ID badge and present a fingerprint. For digital content it might ask someone to enter their credentials and then a code generated by an authenticator app or sent to a separate device. A code sent by SMS is better than a password alone but can be intercepted or phished; authenticator apps and, best of all, hardware security keys resist those attacks more effectively.
Encrypting content
Encrypting content means that even if an unauthorized individual did get access to it, they wouldn't be able to do much with it. Encryption transforms readable content into ciphertext, data that looks like random bytes and cannot be turned back into the original without the decryption key. Key length sets the size of the search an attacker would face: a 256-bit key has 2^256 possible values, far too many to try, so in practice attackers go after weak passwords that protect keys, poorly stored keys, or the endpoints where content is decrypted rather than the cipher itself. Content should be encrypted when it's in transit, such as when a user is downloading it (where TLS does the work), and when it is at rest on disk or in cloud storage.
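As an added example, not from the original page or from Box, here is encryption at rest done with AES-256-GCM from Go's standard library. It shows three things the paragraph states: the output is opaque bytes, nothing comes back without the right key, and, because GCM is an authenticated mode, any tampering with the stored ciphertext or its metadata is detected rather than producing silently corrupted content. The document text and the "doc-1024" identifier used as associated data are constructed sample inputs.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeySize is 32 bytes, i.e. a 256-bit AES key: 2^256 possible keys, which is
// why guessing a random key by trial is not a realistic attack.
const KeySize = 32

// NewKey draws a fresh key from the OS CSPRNG. Keys must never be derived
// from a short password without a slow KDF, and must be stored separately
// from the data they protect.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Encrypt seals plaintext with AES-256-GCM. The result is raw bytes laid out
// as nonce || ciphertext || 16-byte authentication tag. associatedData is
// authenticated but not encrypted: binding a document ID or owner to the
// ciphertext stops an attacker from swapping one encrypted object for another.
func Encrypt(key, plaintext, associatedData []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; 96 random bits is fine
	// for a modest number of objects per key, otherwise rotate keys.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, associatedData), nil
}

// Decrypt reverses Encrypt. Any change to the ciphertext, tag, nonce or
// associated data, and any wrong key, makes Open fail: the caller gets an
// error rather than corrupted plaintext, which protects integrity as well as
// confidentiality.
func Decrypt(key, sealed, associatedData []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, associatedData)
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample document; the associated data ties it to an ID.
	doc := []byte("Project Falcon: launch date 14 Oct, price $249")
	sealed, err := Encrypt(key, doc, []byte("doc-1024"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("sealed (%d bytes): %x\n", len(sealed), sealed)

	if _, err := Decrypt(key, sealed, []byte("doc-9999")); err != nil {
		fmt.Println("wrong associated data rejected:", err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // flip one bit of the ciphertext
	if _, err := Decrypt(key, tampered, []byte("doc-1024")); err != nil {
		fmt.Println("tampered ciphertext rejected:", err)
	}
	plain, err := Decrypt(key, sealed, []byte("doc-1024"))
	fmt.Println("recovered:", string(plain), err)
}
```

The design choice worth noting is the associated data: the classification label or object ID travels with the ciphertext and is checked on decryption, so the access-control metadata itself cannot be quietly rewritten.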
Assigning user permissions
User permissions limit who can access or alter the content. You most likely don't want every individual employed by your organization to have the same level of access to all of your information. The temp working with you on a two-week assignment shouldn't be able to change people's contracts or alter your company's top-secret formula, for instance.
Content classification goes hand in hand with user permissions. If a piece of content is classified as "restricted," only users cleared for that level can open it, and only those explicitly granted edit rights can change it. Public content can be viewed by anyone, but editing it should still be limited to its designated owners; "anyone can read" should never silently become "anyone can change."
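An added example of how classification and permissions combine into a single deny-by-default decision, not code from the original page or from Box: clearance levels are ordered, so a clearance implies read access at or below it, while editing always needs an explicit grant, and every decision (including denials) is rendered as the line an audit log should keep. The users, documents and the "contract-0042" identifier are constructed sample data illustrating the temp-worker scenario above.

```go
package main

import "fmt"

// Classification levels in increasing order of sensitivity. Because they are
// ordered, a clearance at one level implies read access to everything below it.
type Classification int

const (
	Public Classification = iota
	Internal
	Confidential
	Restricted
)

func (c Classification) String() string {
	return [...]string{"public", "internal", "confidential", "restricted"}[c]
}

type Action string

const (
	Read Action = "read"
	Edit Action = "edit"
)

// Document carries its classification and an explicit allow-list of editors.
// Editing is never implied by clearance alone.
type Document struct {
	ID             string
	Classification Classification
	Editors        map[string]bool
}

// User carries the highest classification they are cleared to read.
type User struct {
	Name      string
	Clearance Classification
}

// Decision is what the policy check returns and what the audit log records.
type Decision struct {
	Allowed bool
	Reason  string
}

// Authorize is deny-by-default. Read requires clearance at or above the
// document's level (public content therefore needs no clearance at all);
// edit additionally requires the user to be on the document's editor list.
func Authorize(u User, d Document, a Action) Decision {
	if u.Clearance < d.Classification {
		return Decision{false, fmt.Sprintf("clearance %s below classification %s", u.Clearance, d.Classification)}
	}
	switch a {
	case Read:
		return Decision{true, "clearance sufficient"}
	case Edit:
		if d.Editors[u.Name] {
			return Decision{true, "explicit editor grant"}
		}
		return Decision{false, "no editor grant"}
	default:
		return Decision{false, "unknown action"}
	}
}

// AuditLine renders the decision as the record an audit log should keep:
// who, what, which object, the outcome and why. Denials are logged too; a
// burst of denials is often the first sign of a misused account.
func AuditLine(u User, d Document, a Action, dec Decision) string {
	outcome := "DENY"
	if dec.Allowed {
		outcome = "ALLOW"
	}
	return fmt.Sprintf("actor=%s action=%s object=%s classification=%s result=%s reason=%q",
		u.Name, a, d.ID, d.Classification, outcome, dec.Reason)
}

func main() {
	// Constructed sample data for the page's temp-worker scenario.
	contract := Document{ID: "contract-0042", Classification: Confidential, Editors: map[string]bool{"hr.lead": true}}
	brochure := Document{ID: "brochure-2024", Classification: Public, Editors: map[string]bool{"marketing": true}}
	temp := User{Name: "temp.worker", Clearance: Internal}
	hr := User{Name: "hr.lead", Clearance: Confidential}

	for _, tc := range []struct {
		u User
		d Document
		a Action
	}{
		{temp, contract, Read}, {temp, contract, Edit}, {hr, contract, Edit},
		{temp, brochure, Read}, {temp, brochure, Edit},
	} {
		fmt.Println(AuditLine(tc.u, tc.d, tc.a, Authorize(tc.u, tc.d, tc.a)))
	}
}
```

The two-part rule (ordered clearance for reading, explicit grant for writing) is what keeps a short-term contractor from touching contracts even if they are cleared to read a lot of internal material.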
What is cybersecurity?
While infosec focuses on protecting content from unauthorized access, use, and so on, cybersecurity is usually treated as the broader field. It covers the protection of networks and devices, such as computers and smartphones, from unauthorized use, access, modification, and disruption, and computer security and network security are part of it. For digital content the two overlap almost entirely, but infosec also covers information in physical form, such as paper records, which cybersecurity does not address.
A cybersecurity policy can use various methods to protect devices, networks, and data. Many of those strategies overlap with infosec, such as requiring passwords, using multi-factor authentication, and assigning user permissions. Some techniques that also apply to cybersecurity include:
Securing devices
A cybersecurity policy should have a plan for keeping devices, such as computers, smartphones, and tablets, secure. The plan should include measures that keep devices physically safe, such as requiring people to keep their smartphones on them at all times, and barriers on the device itself that limit access to it: a lock screen that requires a PIN, password, fingerprint or face scan before it opens. Full-disk encryption ensures that a lost or stolen device does not expose its contents, and the ability to wipe a device remotely limits the damage when one goes missing.
Creating an acceptable-use policy
An acceptable-use policy helps protect devices and networks from breaches and unauthorized access by limiting what people can download and install on particular devices. The policy might restrict downloads of certain types of content or certain types of apps, for instance. You'll then share that acceptable-use policy with everyone on your staff, likely having them sign and agree to it.
Limiting remote connectivity
Devices can connect to other devices in multiple ways. Short-range wireless connectivity, such as Bluetooth, allows a phone or computer to "talk" to a nearby device, such as a speaker or a smart appliance. While convenient, it also expands the attack surface: an attacker within radio range can probe a discoverable device. Disabling Bluetooth when it isn't needed and keeping devices non-discoverable are two ways to protect your organization's security.
Using antivirus or anti-malware software
Viruses and malware can get onto a computer or other device in several ways. They can be concealed in an attachment that looks legitimate or hidden in a program that claims to do one thing while actually doing another (a Trojan). Antivirus and anti-malware programs are a crucial layer of a cybersecurity policy, though not a substitute for patching and least privilege, since they only catch what they recognize.
Keeping software up to date
Software doesn't weaken with age by itself; rather, vulnerabilities in it keep being discovered and published, and attackers scan for systems that haven't applied the fix. Updates close those holes and improve the overall safety of the platform. Updating software promptly will minimize the number of known weaknesses your organization exposes, and, as a bonus, it can keep your devices and systems efficient.
Avoiding unknown networks
When employees are on the go, they might connect to unknown Wi-Fi networks using your organization's devices, which can put your content, devices, and network at risk. A cybersecurity policy should require employees using company-owned devices to avoid networks whose operator they can't verify and to use a VPN, or at least connect only to services over HTTPS, whenever they are on a network the company doesn't control.
Using a firewall
In some cases, cybersecurity threats can travel through your company's network. A firewall filters traffic between networks, or between a device and the network, according to rules: it allows the connections the business needs and blocks everything else, keeping threats from coming into contact with your data or devices.
Information security vs. cybersecurity: What they have in common
Because the two disciplines overlap so heavily, it makes sense that they share some common features. The principles governing infosec and cybersecurity are the same, as are many of the threats and possible responses.
Confidentiality, integrity, and availability, also known as the CIA triad, are the three principles that govern infosec. The principles also apply to cybersecurity. When developing either an infosec or cybersecurity policy, your organization should evaluate how the policy relates to each of the three principles.
The confidentiality principle ensures that only people who should have access to content, a network, or a device can access it. You can put multiple types of controls in place to increase confidentiality, such as encryption, password protection, and content classification paired with user permissions. Your organization can also use educational programming to inform employees and other relevant parties of the importance of ensuring confidentiality.
Integrity concerns the accuracy and trustworthiness of content, devices and networks: ensuring they aren't altered or compromised except by authorized parties in authorized ways. If someone changes the bank account details on a payment form, the form's integrity is broken. If malware installed on one computer spreads across the network and infects other devices, the integrity of the network and of those devices is affected.
While a cybersecurity or infosec program must protect the confidentiality and integrity of information, devices, and networks, it's also vital that the program doesn't impede legitimate access. Anyone on your staff who needs content, networks, or devices should have them available. Factors that limit availability include power outages, denial-of-service attacks, and hardware or software failures. In some cases, an employee who forgets their password or leaves their device at home can accidentally limit their own access to the content they need.
Certain threats can affect your company's data or content as well as its networks and devices. Some of the threats that a cybersecurity policy and an infosec policy should address include:
Ransomware
Ransomware is malware that locks you out of your content, network, or devices, typically by encrypting files, until you pay the attacker a ransom. Paying doesn't guarantee the attacker restores access, and many groups now also steal data before encrypting it and threaten to publish it. Since it can affect your organization's content and other components, ransomware should be addressed by both an information security and a cybersecurity policy. Focus on prevention, and keep backups that are offline or otherwise isolated from the credentials ransomware would use, so they can't be encrypted along with the originals; test that you can actually restore from them.
Phishing and social engineering
During a phishing attack, a hacker sends a legitimate-looking message, usually an email, asking a user for their password or other critical information, or luring them to a look-alike login page that captures it. The hacker uses that information to access content or a device. From there, they can modify the content or take over the device, affecting the integrity of either. Controls such as multi-factor authentication can lessen the impact of a phishing attack (hardware security keys resist phishing best, since a one-time code can itself be phished), while training employees to recognize the signs of one helps reduce the damage. For example, you might run phishing simulations that send a fake phishing email to employees and measure who reports it.
Phishing is just one example of a social engineering threat to infosec or cybersecurity. Other social engineering tactics include posing as a romantic interest to get an employee to reveal passwords or other confidential information, registering a look-alike domain that differs from yours by a typo (typosquatting), or posing as security software that demands money from affected users (scareware).
Weak encryption
Encrypting content keeps prying eyes away only if it's done well. Outdated algorithms, short keys, keys hard-coded into software or stored next to the data, and home-grown ciphers can all be broken or bypassed. Using a current, well-reviewed algorithm with an adequate key size, and protecting the keys as carefully as the content, is one way to minimize the threat to your content, network, or devices.
Data manipulation
Data manipulation affects the integrity of content, a network, or a device. A user might receive a manipulated message that instructs them to share a device password or otherwise grant access to your company's network, or an attacker who gets access to content can make changes to it that hurt your organization, such as altering bank details on an invoice or the terms of a contract. Classifying content, restricting who can edit it, and verifying unusual requests through a second channel help reduce the threat of manipulation.
Several of the controls you'd use to protect your organization's information security and cybersecurity are the same. Whether the scope is a single device and the content on it, or stand-alone machines and the network as a whole, infosec and cybersecurity policies have these controls in common:
- Encryption: Just as you can encrypt content, you can also encrypt data on devices or networks
- Password protection: Passwords restrict access to content, networks, and devices
- User authentication: Authentication tools such as multi-factor authentication allow you to verify a person's identity before they can access a piece of content, a device, or your company's network
- Content or data classification: Classifying content or data means you have control over who accesses it, where it can be downloaded or used, and what changes can be made to it
- Audit logs: Audit logs let you see who's accessed content, a network, or a particular device, and the logs also allow you to track activity, such as edits made or websites visited; they are only useful if they are kept where the people they record can't alter them and retained long enough to investigate an incident
- Education: Teaching your employees the importance of security will help reduce the risk of threats to your network, devices, and content, and you can train people to recognize hazards and teach them what to do if they think they are under attack — use education as an opportunity to explain other control methods to your staff and why they're important
Cybersecurity vs. information security: What sets them apart
Depending on the policy you're referring to or what you want to do, you might take slightly different approaches to security. You'll base those choices on whether you're focusing on information security or your organization's more comprehensive cybersecurity policy.
Some of the differences between cybersecurity and information security include the scope of each, as well as individual controls. Information security covers the information itself, in any form; cybersecurity extends to the networks and devices that carry it. To ensure that all your company's data, network, and devices are secure, you typically need to take broader action.
Some of the controls that you need to use to take a comprehensive approach to security include:
Software assets inventory
Knowing what software is installed on your organization's devices and how up-to-date that software is will help you avoid attacks from hackers whose malware exploits known vulnerabilities. For example, the WannaCry ransomware of 2017 spread between Windows computers through a flaw in the SMBv1 file-sharing protocol for which Microsoft had already released a patch (MS17-010) two months earlier; organizations that knew what they were running and had patched it were largely unaffected. Keeping track of your software and keeping it up to date are vital for protecting your company's devices and network.
Hardware assets inventory
If your organization has a bring-your-own-device policy, it's especially critical that you keep track of who is accessing what, using which device, and when. Unknown devices on the network can put you at risk of attacks or make it easier for hackers to access your network. One way to protect your network is to limit what devices can access certain areas. If an employee wants to use their own smartphone to get onto your company's intranet, they'll need to have the IT department vet the device beforehand.
An appropriate configuration of hardware and software
You can configure software platforms and hardware devices to have restrictive security features. Many devices and programs come configured with less restrictive controls and access to allow for ease-of-use. Reconfiguring your devices and network for maximum security is one way to keep unauthorized third parties from gaining access.
Backup and data recovery processes
Data backup and recovery are essential components of safeguarding your company's content. If a hacker does get access to a critical piece of content, such as a formula or top-secret project plan, and makes dramatic changes to it or deletes it, you need to recover the content. Storing a backup of your content in the cloud, with version history so you can roll back to the last good copy, is one way to ensure that it'll be there for you should an unauthorized user get their hands on it. Keep at least one copy that the credentials used day to day can't modify or delete, and test restores regularly; a backup you've never restored from is an assumption, not a control.
Firewalls and network configurations
Just as software and hardware should be configured with security in mind, your organization should set up its network for maximum security, including firewalls, password protection on network access, and segmentation so that one compromised device can't reach everything else on the network.
Wi-Fi access control
Wireless access control can take the form of limiting who gets access to your organization's Wi-Fi network. It can also involve limiting what types of networks your employees can access while using a company device. Public, unsecured Wi-Fi networks are notorious for enabling "man in the middle" attacks, in which a hacker intercepts data sent over the unsecured network. A hacker might also get onto your company's own Wi-Fi network from outside the building, since the signal extends beyond the walls, or by using an unauthorized device; using WPA2 or WPA3 with strong credentials and putting guest devices on a separate network limits both.
Information security vs. cybersecurity at a glance
Knowing the difference between information and cybersecurity lets you develop plans to protect your company's data, computers, and networks. Here's an at-a-glance guide to the key differences between the two:
- Information security focuses on protecting content and data, whether it's in physical or digital form
- Cybersecurity focuses on protecting data, networks, and devices from electronic or digital threats
- Information security threats include the theft of physical data, deletion of content, damage to the integrity of content, and unauthorized access to data and content
- Cybersecurity threats include gaining unauthorized access to a network, device, or content and the installation of malware on a device or network
- Information security controls can be digital, such as encryption and password protection, and physical, such as locks on a filing cabinet
- Cybersecurity controls include network and Wi-Fi access control, hardware and software configurations, and firewalls
Protect your information security with Box
Work today travels quickly, making it more critical than ever to protect your company's data and content. The Content Cloud keeps your information secure without disrupting your business workflow. Our platform includes security features that limit access to your content to only those who should see it or edit it. It also uses AES 256-bit encryption when your content is in transit or at rest, offers multi-factor authentication, and provides in-depth audit logs.
With features like Device Trust, Smart Access, and Threat Detection, as well as training through Box Education, see why Box is the top choice for 67% of the Fortune 500. Contact us today to get started.
While we maintain our steadfast commitment to offering products and services with best-in-class privacy, security, and compliance, the information provided in this blog post is not intended to constitute legal advice. We strongly encourage prospective and current customers to perform their own due diligence when assessing compliance with applicable laws.