Tuesday, 30 April 2013

What is Cyber Security?

A question that I am often asked is "What is Cyber Security?"

Cybersecurity or Cyber Security is a widely used term and one that most people will now have heard of. Many will need to understand the term if they are tasked with protecting information systems. Cyber Security as a term can be found in news articles from the mid-to-late 1990s, when the US Government started to understand how interconnected its systems had become and how that left them potentially at risk of compromise.

However, there are many definitions that use the word 'Cyber' and I find that they are often confusing, for example:

"Cyber security involves protecting information and systems from major cyber threats, such as cyber terrorism, cyber warfare, and cyber espionage." 

Great, so Cyber Security is protecting you from Cyber <insert problem here>? Is that it, or am I missing something?

Unfortunately, it is often used as part of a sales pitch and can be misused to create a state of fear, uncertainty and doubt (FUD) aimed at generating interest in a product or service. You will often see terms such as Cyber Crime, Cyber Strategy, Cyber Security Awareness and Cyber Threat.

Let's deconstruct this further.

So, what have we got so far? Well, Cyber is essentially a buzzword used widely within the Information Security world to capture all 'evil' activity conducted over the Internet or interconnected networks and systems.

Time to define Cyber.

What do I understand the term Cyber to mean? Well, let's get away from the hype and go back to basics. To do this, we can take a look and see how the term cyber is defined within the Oxford Dictionary:

Pronunciation: /ˈsʌɪbə/

Definition of cyber
  • relating to or characteristic of the culture of computers, information technology, and virtual reality: "the cyber age"

Therefore, Cyber can be defined as the use of information technology and computers. I think that this is a straightforward and understandable way of looking at it. It is, therefore, no longer a 'scary' word used to frighten us.

Time to define Cyber Security.

So, looking at how to define Cyber Security, if we build upon our understanding of Cyber, we can see that what we are now talking about is the security of information technology and computers, which is basically good old-fashioned information security controls.

For me, Cyber Security should be replaced with:

"Information Security"

Doesn't that sound so much clearer!

If you are looking for a more formal definition of Cyber Security, then the Centre for the Protection of National Infrastructure (CPNI) has a great example that is easy to follow and avoids overuse of the word Cyber:

"Almost every business relies on the confidentiality, integrity and availability of its data. Protecting information, whether it is held electronically or by other means, should be at the heart of the organisation’s security planning. The key questions to keep under constant review are:

  • Who would want access to our information and how could they acquire it?
  • How could they benefit from its use?
  • Can they sell it, amend it or even prevent staff or customers from accessing it?
  • How damaging would the loss of data be? What would be the effect on its operations?"