One of the greatest challenges for organizations attempting to address cybersecurity risks is the number of fundamental security myths that cause organizations to incorrectly assess threats, misallocate resources, and set inappropriate goals. Dispelling those myths is key to developing a sophisticated, appropriate approach to information security.
MYTH #1: "IT'S ALL ABOUT THE DATA."
All too frequently, "security" is thought of as ensuring data cannot be accessed or used for unauthorized purposes or by unauthorized users. While this is certainly a key concern, the systems and networks on which the data resides must also be protected against attack. For example, a Denial of Service (DoS) attack is not aimed at gaining access to a business' sensitive data, but at preventing others, such as the business' customers and business partners, from accessing and using that data.
MYTH #2: "IT'S ALL ABOUT PRIVACY."
Another common misconception is that security only relates to the protection of personally identifiable information. While protecting personal information is clearly of critical importance, other types of information assets must also be protected. Additional information assets include trade secrets and other intellectual property (such as source code for a company's software products), competitive information (such as customer and supplier lists), pricing and marketing data, company financial information, and more. It is particularly important to ensure all forms of confidential and proprietary information are protected when entering into relationships with vendors and business partners.
MYTH #3: "IT'S ALL ABOUT CONFIDENTIALITY."
When talking about security, the tendency is to focus on the most obvious element: ensuring data is held in confidence (i.e., the data is not used by unauthorized individuals or for unauthorized purposes). For data to be truly secure, it must be confidential, its integrity must be maintained, and it must be available when needed. These are the three prongs of the well-known information security acronym "CIA."
"Confidentiality" means the data is protected from unauthorized access and disclosure.
"Integrity" means the data can be relied upon as accurate and has not been subject to unauthorized alteration. A few years ago, a well-known hacker magazine ran an article designed to educate employees who thought they were going to be laid off how to harm their employers. In particular, the article suggested ways employees could easily corrupt company databases to render them unreliable (e.g., changing account numbers for key suppliers, changing invoice addresses, etc.).
"Availability" means the data is available for access and use when required. It does no good to have data that is confidential and whose integrity is maintained if that data is not actually available when a user requires it. For example, DoS attacks are specifically designed to prevent availability of key systems and data, rather than to compromise confidentiality or integrity.