Why cybersecurity? A philosophical approach

Image © 2023 Gavin George

Plato said, “Wonder is the beginning of philosophy.” If you are wondering about the relevance of cybersecurity to your business, you might appreciate a philosophical approach to the topic:

What does it even mean to be secure? What do you even need to secure in the first place? How do you secure it?

Media hysteria over cyberattacks and high-profile breaches might make “cybersecurity” start to sound like a meaningless buzzword. This should not lead you to underestimate its importance to your business; at least, not without asking a few questions first.

What does “cybersecurity” mean?

The first component of the word, “cyber,” means “of, relating to, or involving computers or computer networks (such as the Internet)” according to Merriam-Webster. You probably knew that before reading the definition, but to situate that meaning in a context that helps you better understand cybersecurity, it is useful to think of a different term for “computers and computer networks”: information technology.

Cybersecurity consists of the measures taken to secure information technology and the data that it processes, transmits, and stores.

So what does the “security” component mean? There are a number of definitions of “security,” ranging from “the state of being able to reliably… access what is needed to meet… [a set of] needs” to “measures taken to guard against espionage or sabotage, crime, attack, or [loss].” These accurately describe what information security entails; however, the most apt definition of “security” with regard to information comes from a legal definition put forward in a rule from one of the most famous information security laws: HIPAA.

What does it mean to be secure?

The HIPAA Security Rule (HSR) puts forth three components that define what it means for electronic information to be “secure.” These are confidentiality, integrity, and availability.

The aspect of confidentiality is what HIPAA is most known for: securing privacy. To restrict access to electronic information to those who have the right and the need to view it is to secure its confidentiality.

Integrity has to do with securing the reliability of information. To secure the integrity of information is to ensure that it is complete and accurate. This is generally accomplished by ensuring that those authorized to make changes to the data do so correctly.

The aspect of availability has to do with the ability to access data. Information is always kept for a purpose, as a means to an end, so to secure the availability of information is to secure its utility. If information is inaccessible to those who use it as a means to an end (e.g. recalling patient health records to inform a diagnosis or pulling someone’s credit score for underwriting purposes), then it cannot be considered secure.

What does my business need to secure?

Any information that you intend to keep private, reliable, and/or accessible for your use is an information security concern. When you store information of this kind on a computer, or otherwise use information technology to access and process it, it is a cybersecurity concern.

There are four main categories of important information that your business likely accesses through a computer: contacts, credentials, critical records, and client information.

If you rely on a computer to store, process, or access any of these, the question of how relevant cybersecurity is to your business comes down to the question of how relevant this information is to your operations.

What would you do if you lost access to this data or could no longer rely on it? What if your business contact list was no longer available? What if confidential information, such as financial credentials or legally protected client information, had its confidentiality breached? What if critical accounting records were corrupted, and their integrity or accuracy compromised?

How do you secure electronic information?

Electronic information is secured by practices and procedures that your business may follow informally or may explicitly outline in a cybersecurity policy. The components to be considered in a cybersecurity policy can range far and wide in their mode of implementation, their cost, and, yes, their relevance to your business.

In the end, it all comes down to authorization of access. This raises numerous questions, which are beyond the scope of this article but can be properly addressed in a cybersecurity assessment.

That aside, outlining a policy on authorization involves many considerations. For example, here are three:

  • How do you ensure that the physical equipment storing electronic information does not compromise its security? (Physical security: theft prevention measures, surge protection, backups)

  • How is access to information organized to accommodate different levels and types of authorization? (Network/data access: ZTNA, whitelists, blacklists, user permissions)

  • How do you ensure that authorized persons are who they say they are? (Authentication: biometrics, passwords, multi-factor authentication/MFA, device security)

 

Creating an effective cybersecurity policy

If you are interested in learning more about cybersecurity, how to set up awareness training, how to establish a company cybersecurity policy, or how secure your data and IT infrastructure are, please contact us or text “SECURE” to 33339 and we will be in touch to set up a complimentary cybersecurity solutions assessment for your business.