CHAPTER 1: INFORMATION SECURITY AND CYBER SECURITY

The terms ‘information security’ and ‘cyber security’ are often used interchangeably, when in fact they refer to different (albeit related) things.

Information security is concerned with ensuring the confidentiality, integrity and availability (C, I and A) of all information held by an organisation, irrespective of whether the information is electronic or in hard-copy format. As a result, information security generally involves considering physical and environmental controls alongside technological ones (lockable filing cabinets, key-code doors, etc.).

Cyber security is a subset of information security and is concerned with the same things, but where information security takes a generalist approach, cyber security focuses specifically on electronic information (including the physical aspects of defending that information). New cyber risks emerge almost daily, and the successful organisation must do all it can to stay ahead of the curve.

Laws, regulations and contracts

The days of cyber security as an afterthought are long past. Today’s organisations collect, use and store more information than ever before, and the global regulatory system is beginning to catch up.

The introduction of the EU General Data Protection Regulation (GDPR) in 2018 marked a major milestone for data protection and privacy laws across the globe. Most of us remember the flood of ‘we need your consent’ emails that arrived in our inboxes in the days leading up to (and after) the GDPR took effect, but those emails were only the tip of the iceberg.

The GDPR places a wide range of security and privacy obligations on organisations that process EU residents’ data and is supported by a regime of significant financial penalties (up to 4% of annual turnover or €20 million, whichever is greater). The Regulation also requires organisations based outside of the EU that process data on EU residents to appoint an EU representative, extending the reach of those obligations and penalties far beyond the EU’s physical borders.

Another law that may be relevant is the Directive on security of network and information systems (NIS Directive). This places specific cyber security and business continuity obligations on digital service providers and operators of essential services such as power and water, with a view to mitigating the disruption that could occur as the result of a major cyber security incident.

While many organisations still grapple with the GDPR and NIS Directive, new laws such as the California Consumer Privacy Act (CCPA) or the Brazilian General Data Privacy Law (Lei Geral de Proteção de Dados Pessoais) are being introduced around the world, and further legislation is expected in the coming years. The increasing regulatory focus on data protection, privacy and continuity of key services inevitably leads to a greater focus on cyber security, as so much of the information held by organisations is in electronic formats, and the majority of essential services rely on electronic infrastructure.

It’s not just laws that mandate effective cyber security. Cyber security obligations in contracts are increasingly common, as organisations begin to recognise the risks posed by information sharing between suppliers and partners. If your organisation takes card payments, for example, banks will expect you to adhere to the requirements of the Payment Card Industry Data Security Standard (PCI DSS), while many government contracts mandate a minimum level of cyber security to enter the tendering process.