IT security alone is not enough – information security necessary

In recent years, cyberattacks have affected both companies and countries in increasingly wide-ranging ways. It’s not surprising that IT security requirements and investment in this area are rising, too. But IT security cannot provide comprehensive protection.

EY Global Information Security Survey – Employees greatest vulnerability for IT security

Why is information security necessary?

Striving for complete information security makes sense. Information security involves protecting IT systems, but also extends to shielding all of a company’s information, no matter where it is processed. Examples range from printed documents to employees’ knowledge.

Three core values are at the heart of information security:

  • Availability – users within the organization should be able to access information during applicable periods.
  • Confidentiality – no unauthorized person should be able to access the information.
  • Integrity – manipulating the information should be impossible.

Why an Information Security Management System (ISMS)?

An information security management system (ISMS) can support companies in upholding these values. But many companies – especially small- and medium-sized businesses (SMBs) – assume that they can’t manage the cost and organizational effort involved.

It’s true that building and maintaining an ISMS can be an organizational challenge. For example, the ISMS standard from Germany’s Federal Office for Information Security (BSI) – known as “IT-Grundschutz” – includes more than 1,000 recommendations. But starting small also brings big benefits. For this reason, the BSI has specified “basic protection” measures within the IT-Grundschutz framework to make it easier for SMBs to take initial ISMS steps. Other options exist as well: the ISMS requirements laid out in ISO 27001 take a relatively conceptual approach that gives organizations more room to develop an ISMS tailored to their needs.

The financial commitment required is frequently cited as a reason for not putting an ISMS in place. Decision makers often argue that they need to concentrate on areas that directly increase sales and point to the large investments they have already made in firewalls and other tools to protect IT systems. One counterargument: successful phishing attacks account for about 15 percent of all incidents (Verizon Data Breach Investigations Report 2020). In other words, employees play a key role in information security. Furthermore, every businessperson should think about the high costs of an information security breach. IT systems and the data they contain could be destroyed – and restoring them is an expensive proposition. Companies can suffer competitive disadvantages when their internal information is made public. And if personal data is leaked, data protection authorities can impose hefty fines.

In short, it’s essential that IT security goes hand in hand with measures to protect all the company’s information. Highly secured IT systems are pointless if employees allow information to escape – for example, by making sensitive calls in public. Setting up an ISMS can help prevent such problems, and it makes sense to start small. In the long term, information security is very likely to pay off financially as well.

Is cybersecurity a topic of interest for your company? As an independent entity with a portfolio of proven security providers, CyberCompare can provide you with comparative offers at no charge and with no obligation. Reach out to us or use our diagnostic to learn more about your cyber risk profile.

Please remember: this article is based on our knowledge at the time it was written – but we learn more every day. Do you think important points are missing or do you see the topic from a different perspective? We would be happy to discuss current developments in greater detail with you and your company’s other experts and welcome your feedback and thoughts.

And one more thing: the fact that an article mentions (or does not mention) a provider does not represent a recommendation from CyberCompare. Recommendations always depend on the customer’s individual situation.