Information Security (IS) is often confused with the phrases ‘computer security’ and ‘Internet security’. The term ‘Information Security’ is more encompassing than its Computer and Internet counterparts, as Information Security covers the protection of the Confidentiality, Integrity and Availability (CIA) of all your information and data. This could be electronic or printed data, rather than just online activities or the security of a single computer system. Within the realm of Information Security, the CIA triad is protected by ensuring there is no unauthorised access, use, disclosure, disruption, modification or destruction of any form of your data or information. So, let’s look at some of the common myths about Information Security:
1. Information Security is Far Advanced from One Year Ago
Just as security technologies are advancing every day, the means of breaching those advanced barriers are also improving and ever-changing. Much as with Newton’s Law of Motion (“For every action, there is an equal and opposite reaction”), for every security advancement there is an equal and opposite advancement in breach techniques. Information Security is not an end state that can be reached and checked off. There will always be threats and risks that must be proactively worked against and overcome.
“You can’t defend. You can’t prevent. The only thing you can do is detect and respond.” (Bruce Schneier)
2. Technology Equals Security
The belief that technological advancements hold the key to Information Security is false on many levels. Don’t forget that Information Security applies to any form of data and information, not just computer systems, networks and data centres. A simple sheet of paper left on a copy machine, or the use of public computers for data retrieval while on business travel, can pose major threats.
“It is insufficient to protect ourselves with laws; we need to protect ourselves with mathematics.” (Bruce Schneier)
3. Frequent Changes of Passwords and Complex Access Codes Protect Data
While it looks like a simple solution on the surface, frequent password changes introduce the potential for breaches through the human element. If you frequently require password changes, users are more likely to record their passwords on pieces of paper in their desks, in wallets, in spreadsheets or in third-party password-management tools.
4. Information Security Staff Should Consist of Only Consultants (As They are Most Qualified)
The optimum manner of implementing and ensuring Information Security is to utilise current staff (according to their talents and expertise) and complement them with external information security consultants to fill in the knowledge gaps. It is often claimed that marketing and finance departments rarely see eye to eye. The same applies to Information Security personnel. If they are to communicate throughout the organisation to ensure potential risks are contained, shouldn’t the Information Security personnel speak the language of each department and have intimate knowledge of the delineation of duties (and thus the risks) within those departments?
5. Government Regulations are the “Expert” Source for Information Security
Regulations in information security do serve a solid purpose and represent the government’s best effort to oversee the security of all organisations within a country. However, your organisation is the expert at determining where your own risks lie. Don’t wait for the government to find the holes in your system; by then it will be too late.
6. The “Human Factor” Will Always Be the Biggest Point of Risk
It is not necessarily true that an organisation’s biggest vulnerability is its people. If a company-wide system of expectations, policies, procedures and accountability is enforced, the corporate culture can move closer toward minimising the risk derived from human error and accidental conveyance of confidential data and information. A system of checks and balances will create an environment of greater accountability and heightened awareness of the need for company-wide cooperation at all levels.