Organizations frequently focus on ensuring confidentiality when it comes to information protection. However, confidentiality is only one of three elements; integrity and availability combine with confidentiality to make the triumvirate of information protection – C, I, and A.
Confidentiality is about protecting information from unauthorized disclosure. Integrity focuses on maintaining the accuracy, completeness, and trustworthiness of information throughout the information lifecycle (create, process, store, transmit, destroy). Availability ensures that information is available when it is needed by authorized individuals and systems.
Examples of breaches of information protection include a lost USB stick containing unencrypted personally identifiable information (confidentiality), hacking a university’s marking system to change grades (integrity), and attacking a computer system so that information cannot be accessed (availability). These are all real-world examples.
Digital transformation initiatives, which have exponentially increased the volumes of digital information requiring protection, have left enterprises of all sizes and kinds exposed to a cyberthreat landscape that grows daily. The threats to information confidentiality, integrity, or availability are often adversarial (e.g. malicious nation-state attackers, organized criminal groups, lone-wolf attackers) but can also be accidental (e.g. untrained employee) or environmental (e.g. fire at a data center).
Ovum’s latest release of its ICT Enterprise Insights survey (2018/19) shows that good progress is being made on having a proactive approach to cybersecurity and digital risk, but still fewer than 15% of organizations have “completed” this part of their digital transformation journey.
The information security policy of organizations is generally based on protecting the C, I, and A of information, but legislation including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) has put the spotlight on keeping information about individuals private and can sometimes pull hard-pressed security professionals towards a bias on confidentiality.
Attacks on the integrity of information can be low level and difficult to detect. Consider this: an unscrupulous competitor from Company 1 places an insider into Company 2, and the insider alters pieces of information that ultimately result in reputational damage for Company 2. Sounds far-fetched? It isn’t; incidents such as this are happening all the time.
Availability is crucial for the “always on” enterprise. Organizations of all sizes require the capability to ensure that, should disaster strike (adversarial, accidental, or environmental), operations can continue as near normally as possible and information is available to those required to access it. One high-profile example of an attack on availability was the 2016 Dyn attack by the Mirai botnet using Internet of Things (IoT) devices, which brought down much of the internet in America at the time.
Clearly, although protecting the confidentiality of information is crucial, integrity and availability carry equal weight in this triumvirate and must be fully included in an organization’s approach to cybersecurity and digital risk.
Straight Talk is a weekly briefing from the desk of the Chief Research Officer. To receive this newsletter by email, please contact us.