What Does Digital Security Entail?
When you think of cyber attacks, you may think of attacks that hit large organisations and businesses, from the Parliament to Hydro. As an employee in a company, large or small, it is also important to be aware of privacy and data security, which are closely related.
But do not assume that you, as a private individual, are of no interest to cybercriminals. In recent years, identity theft, digital fraud and other types of security breach have increasingly hit individuals.
Privacy can be defined as “the right to a private life and the right to decide over one's personal information”, according to the Norwegian Data Protection Authority. Ensuring privacy involves, among other things, making sure that our data is secure: that it cannot go astray or be accessed by unauthorised individuals.
There is a lot to consider here, so let us take a step back. We start with some definitions, distinguishing the terms cybersecurity, information security and ICT security. All three concern data; the concepts overlap, but they also differ.
Cybersecurity, information security, and ICT security
What's the difference?
New technology, new vulnerabilities
More and more information is stored online, in the cloud, both organisations' data and individuals' data. That in turn has changed the digital threat picture.
Network technologies such as 5G and Narrowband IoT (NB-IoT) have also made it easier than ever to connect all conceivable devices to the network, from smartwatches to sensors mounted on power masts or placed out in a field. Not least, smart cities, which can be thought of as cities with digital twins, are increasingly becoming a reality: “everything” in the cityscape is connected, and large amounts of data are exchanged and analysed. All of this also makes us vulnerable in new ways; anonymous actors can, for example, inflict harm on critical infrastructure, at both state level and company level.
Another point is that digitalisation, for reasons discussed at length in the first chapter, has made us increasingly dependent on commercial actors, who in turn gain more influence over matters large and small.
These are things that should be taken, and are taken, seriously: all of this is part of the Norwegian Police Security Service's (PST) national threat assessments.
Security in organisations
In organisations, responsibility for security has traditionally sat with the IT department. But when damage results from a security incident, the legal responsibility lies with the management, and possibly with the board in a limited company.
By “security incident” we mean an event in which security is breached or degraded; it may be caused by an attack, a technical fault or incorrect use of a system.
For the management of a company, it is about assessing the threat picture and the risk of being attacked, and estimating the cost that can follow a security breach. For the IT department, it is about implementing technical measures that try to prevent security incidents. Through such measures, organisations should ensure continuity and minimise the damage that can follow from a security incident.
It is unfortunate but true that the weakest link in many companies' security is their own employees. It is therefore very important to work on employees' awareness and competence. Put simply: it is much harder to break into a well-secured system than to get someone to hand over the key (their login details), and the methods for tricking people into giving up such information have become very sophisticated and effective over the years.
Information security
Recall from earlier that information security is about protecting information, and therefore also about securing the processes by which information is stored, processed, presented and transmitted.
It is important for an organisation to safeguard the confidentiality, integrity and availability of its data. Together these three security goals are known as the CIA triad.
- Confidentiality means keeping data inaccessible to unauthorised individuals. This applies both to data at rest (for example in a database on a server) and to data in transit (for example over the Internet). Encryption is one measure for ensuring confidentiality.
- Integrity means keeping the data correct, that is, ensuring that it does not change unintentionally or through manipulation. Besides general security measures, you can, for example, keep backups, check the data against other registers and systems, and store a checksum or a keyed cryptographic tag alongside the data so that any change is detected. Data can change unintentionally for many reasons, such as a fault in the storage medium or a user making a mistake.
- Availability is about having access to data when you need it. DDoS attacks (Distributed Denial of Service), for example, can temporarily make data unreachable from the Internet. Typically, many coordinated computers flood a system with requests until it runs out of resources, such as processing or transmission capacity, and can no longer serve them all. The result is that many users cannot log in or view the content.
Note that breaches of ICT security and cybersecurity can also affect the confidentiality, integrity and availability of data.
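The difference between a plain checksum and a keyed tag, mentioned under integrity above, is easy to get wrong, so here is an added example (not code from this page) in Go using only the standard library. It shows a constructed stored record protected both ways: a flipped bit on the storage medium is caught by either check, but an attacker who rewrites the data can simply recompute a plain SHA-256 checksum, whereas the HMAC-SHA-256 tag cannot be recomputed without the key. The `Protected` type, the helper names and the sample data are assumptions of this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed illustration: Protected and the helpers below are assumptions of
// this example, not code from any real product.

// Protected is a stored record carrying two integrity values.
type Protected struct {
	Data     []byte
	Checksum []byte // SHA-256(Data): needs no secret, so anyone can recompute it
	Tag      []byte // HMAC-SHA-256(key, Data): recomputing it needs the key
}

// Protect computes both values over the data.
func Protect(key, data []byte) Protected {
	sum := sha256.Sum256(data)
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return Protected{Data: data, Checksum: sum[:], Tag: m.Sum(nil)}
}

// ChecksumOK catches accidental change, such as a flipped bit on the storage medium.
func ChecksumOK(p Protected) bool {
	sum := sha256.Sum256(p.Data)
	return hmac.Equal(sum[:], p.Checksum)
}

// TagOK catches manipulation as well: without the key, an attacker cannot
// produce a matching tag for altered data.
func TagOK(key []byte, p Protected) bool {
	m := hmac.New(sha256.New, key)
	m.Write(p.Data)
	return hmac.Equal(m.Sum(nil), p.Tag)
}

// Corrupt simulates a storage fault: one bit flips and nothing else is updated.
func Corrupt(p Protected) Protected {
	d := append([]byte(nil), p.Data...)
	d[0] ^= 0x01
	return Protected{Data: d, Checksum: p.Checksum, Tag: p.Tag}
}

// Tamper simulates an attacker who rewrites the data and, because a plain
// checksum needs no secret, recomputes it so that the checksum still matches.
func Tamper(p Protected, newData []byte) Protected {
	sum := sha256.Sum256(newData)
	return Protected{Data: newData, Checksum: sum[:], Tag: p.Tag}
}

func main() {
	key := []byte("constructed demo key") // assumption: a real key comes from a key store, not source code
	p := Protect(key, []byte("salary=50000"))

	c := Corrupt(p)
	fmt.Println("after bit flip: checksum ok =", ChecksumOK(c), "tag ok =", TagOK(key, c))

	t := Tamper(p, []byte("salary=99000"))
	fmt.Println("after tampering: checksum ok =", ChecksumOK(t), "tag ok =", TagOK(key, t))
}
```

The comparison uses `hmac.Equal` in both checks so that a mismatch is not revealed byte by byte through timing. The tag only helps if the key is kept away from whoever might alter the data; an attacker who can read the key from the same place as the record can recompute the tag just as easily as the checksum.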
ICT security
As we have already seen, ICT security covers the protection of the technology-based systems that store, process and transmit data.
Here, too, the CIA triad is relevant. In addition, four topics are particularly important for ICT security: authentication, authorisation, auditing and non-repudiation.
- Authentication, in this context, means verifying that the party you are communicating with (a user, a device or a service) is who it claims to be.
- Authorisation means granting a person the correct access rights to the various resources in a system, for example files and databases, which in turn contain data. The management of an organisation decides who gets access, and usually the IT department implements it technically. In practice, authorisation depends on authentication: the system must first know who the user is before it can decide what that user may do.
- Auditing is about recording users' actions in the system, for example in log files, so that they can be reviewed afterwards. This can reveal attempted attacks or misuse of the system.
- Non-repudiation means that a party cannot afterwards deny responsibility for a digital action. This is relevant, for example, in online shopping and online banking, and is typically achieved with digital signatures.
It is also worth noting that the CIA triad is written into the GDPR (Article 32), as is the requirement for technical and organisational measures to protect personal data. You will learn more about the GDPR in chapter 3.
It helps to remember that responsibility for data security is also anchored in legislation; it is not just something that is “smart to do”.
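To make the four topics concrete, here is an added example (not code from this page, and not any real product) in Go using only the standard library. A small in-memory server authenticates a user against a salted password hash, authorises the user against an access-control list, writes an audit line for every decision, and verifies an Ed25519 signature on an action so that the user cannot later deny it. The `Server`, `Session` and `user` types, the ACL layout and the sample names are assumptions of this example; the plain salted SHA-256 stands in for a proper slow password hash, which the standard library does not provide.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed illustration: the types, names and in-memory stores below are
// assumptions of this example, not part of any real product.
// user is what the server stores per account: a salted password hash for
// authentication and a public key for verifying the user's signed actions.
type user struct {
	salt, hash []byte
	pubKey     ed25519.PublicKey
}

type Session struct{ User string } // exists only after authentication succeeded

// Server holds the account store, the access-control list and the audit log.
type Server struct {
	users map[string]user
	acl   map[string]map[string]bool // user -> "resource:action" -> allowed
	Audit []string                   // auditing: one line per security decision
}

func NewServer() *Server {
	return &Server{users: map[string]user{}, acl: map[string]map[string]bool{}}
}

// hashPassword is a salted SHA-256 digest. Assumption: a real deployment would
// use a slow password hash (Argon2id, scrypt, bcrypt), not plain SHA-256.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

// AddUser registers an account and returns the private key to the caller: it
// must stay with the user, never on the server, for signatures to prove origin.
func (s *Server) AddUser(name, password string) ed25519.PrivateKey {
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand; error handling omitted for brevity
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.users[name] = user{salt: salt, hash: hashPassword(salt, password), pubKey: pub}
	return priv
}

// Grant records a permission in the ACL (management decides, IT implements).
func (s *Server) Grant(name, resource, action string) {
	if s.acl[name] == nil {
		s.acl[name] = map[string]bool{}
	}
	s.acl[name][resource+":"+action] = true
}

// Authenticate answers "who is this?". The comparison is constant-time so that
// response timing does not reveal how many bytes of the hash matched.
func (s *Server) Authenticate(name, password string) *Session {
	u, ok := s.users[name]
	if !ok || subtle.ConstantTimeCompare(hashPassword(u.salt, password), u.hash) != 1 {
		s.Audit = append(s.Audit, "AUTH FAIL user="+name)
		return nil
	}
	s.Audit = append(s.Audit, "AUTH OK user="+name)
	return &Session{User: name}
}

// Authorise answers "may this authenticated user do that?". Without a session
// there is no identity to look up, so the answer is always no.
func (s *Server) Authorise(sess *Session, resource, action string) bool {
	if sess == nil {
		s.Audit = append(s.Audit, "AUTHZ DENY unauthenticated "+resource+":"+action)
		return false
	}
	allowed := s.acl[sess.User][resource+":"+action]
	s.Audit = append(s.Audit, fmt.Sprintf("AUTHZ allowed=%t user=%s %s:%s", allowed, sess.User, resource, action))
	return allowed
}

// SignAction runs on the user's side, with the user's private key.
func SignAction(priv ed25519.PrivateKey, action string) []byte {
	return ed25519.Sign(priv, []byte(action))
}

// VerifyAction gives non-repudiation: only the private-key holder could have
// produced a signature that the stored public key verifies, so the user cannot
// later deny the action. An HMAC under a key shared with the server would not
// do, because the server could have produced that tag itself.
func (s *Server) VerifyAction(name, action string, sig []byte) bool {
	u, ok := s.users[name]
	return ok && ed25519.Verify(u.pubKey, []byte(action), sig)
}
```

A typical run creates a server, calls `AddUser` and `Grant`, authenticates to obtain a `Session`, passes that session to `Authorise`, and finally checks a signed action with `VerifyAction`; afterwards `Audit` holds one line per authentication and authorisation decision. The order matters: `Authorise` refuses a nil session, which is the dependency of authorisation on authentication described above, and the private key returned by `AddUser` is deliberately not stored on the server, which is what makes the signature attributable to the user alone.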
Fundamental principles of ICT security
Many businesses and organisations find it difficult to know where to start with ICT security. The Norwegian National Security Authority (NSM) has therefore published a set of fundamental principles for ICT security as guidance. By following them, businesses and organisations can protect their systems against damage, misuse and unauthorised access.
We will not go into depth on these here, but overall they involve: