IT security, which is short for information technology security, is the practice of protecting an organization’s IT assets—computer systems, networks, digital devices, data—from unauthorized access, data breaches, cyberattacks and other malicious activity.
The scope of IT security is broad and often involves a mix of technologies and security solutions. These work together to address vulnerabilities in digital devices, computer networks, servers, databases and software applications.
The most commonly cited examples of IT security include digital security disciplines such as endpoint security, cloud security, network security and application security. But IT security also includes physical security measures—for example, locks, ID cards, surveillance cameras—required to protect buildings and devices that house data and IT assets.
IT security is often confused with cybersecurity, a narrower discipline that is technically a subset of IT security. Cybersecurity focuses primarily on protecting organizations from digital attacks, like ransomware, malware and phishing scams, whereas IT security covers an organization’s entire technical infrastructure, including hardware systems, software applications and endpoints, like laptops and mobile devices. IT security also protects the company network and its various components, like physical and cloud-based data centers.
Cyberattacks and security incidents can exact a huge toll measured in lost business, damaged reputations, regulatory fines and, in some cases, extortion and stolen assets.
For example, IBM’s Cost of a Data Breach 2024 report studied over 550 companies that suffered a data breach between March 2022 and March 2022. The average cost of a data breach to those companies was USD 4.45 million—up 2.3% from the findings of a similar study a year earlier, and up 15.3% over a 2020 study. Factors contributing to the cost include everything from notifying customers, executives and regulators to regulatory fines, revenue lost during downtime, and customers lost permanently.
Some security incidents are more costly than others. Ransomware attacks encrypt an organization’s data, rendering systems unusable, and demand an expensive ransom payment for a decryption key to unlock the data. Increasingly, the cybercriminals demand a second ransom to prevent sharing sensitive data with the public or other cybercriminals. According to IBM's Definitive Guide to Ransomware 2023, ransom demands have risen to 7- and 8-figure amounts, and in extreme cases have been as high as USD 80 million.
Predictably, investments in IT security continue to rise. Industry analyst Gartner® predicted that in 2023 organizations would spend USD 188.3 billion on information security and risk management resources and services. The forecast also projects the market to continue to balloon in the coming years, surpassing USD 260 billion by 2026, following its compound annual growth rate of 11% from 2021.
Cloud security addresses external and internal cyberthreats to an organization’s cloud-based infrastructure, applications and data. Cloud security operates on the shared responsibility model: Generally speaking, the cloud service provider (CSP) is responsible for securing the infrastructure with which it delivers cloud services, and the customer is responsible for securing whatever it runs on that infrastructure. However, details of that shared responsibility vary depending on the cloud service.
Endpoint security protects end-users and endpoint devices, like desktops, laptops, cellphones and servers, against cyberattacks. Endpoint security also protects networks against cybercriminals who try to use compromised endpoint devices as a foothold for attacks on the network’s sensitive data and other assets.
Network security has three chief objectives: The first objective is to prevent unauthorized access to network resources. Second, it aims to detect and stop cyberattacks and security breaches in real-time. Third, it ensures that authorized users have secure access to the network resources they need when needed.
Application security refers to measures developers take while building an app. These steps address potential vulnerabilities, and protect customer data and their own code from being stolen, leaked or compromised.
Internet security protects data and sensitive information transmitted, stored or processed by browsers or apps. Internet security involves a range of security practices and technologies that monitor incoming internet traffic for malware and other malicious content. Technologies in this area include authentication mechanisms, web gateways, encryption protocols and, most notably, firewalls.
Internet of Things (IoT) security focuses on protecting Internet-connected sensors and devices, for example doorbell cameras, smart appliances and modern automobiles. IoT security aims to stop hackers from taking control of these devices. It also prevents hackers from using these devices to infiltrate an organization’s network. Operational technology (OT) security focuses more specifically on connected devices that monitor or control processes within a company—for example, sensors on an automated assembly line.
Every organization is susceptible to cyberthreats from inside and outside the organization. These threats can be intentional, as with cybercriminals, or unintentional, as with employees or contractors who accidentally click malicious links or download malware.
IT security aims to address this wide range of security risks and account for all types of threat actors and their varying motivations, tactics and skill levels.
Malware is malicious software that can render infected systems inoperable, destroying data, stealing information and even wiping files critical to the operating system.
Well-known types of malware include:
Ransomware is malware that locks a victim’s data or device and threatens to keep it locked—or worse—unless the victim pays a ransom to the attacker. According to the IBM X-Force® Threat Intelligence Index, ransomware attacks are the most commonly deployed form of malware.
A Trojan horse is malware that tricks people into downloading it by disguising itself as a useful program or hiding within legitimate software. A remote access Trojan (RAT) creates a secret backdoor on the victim’s device, while a dropper Trojan installs additional malware once it has a foothold.
Spyware secretly gathers sensitive information, such as usernames, passwords, credit card numbers and other personal data, and transmits it back to the hacker.
A worm is self-replicating malware that can automatically spread between apps and devices.
Frequently referred to as "human hacking," social engineering manipulates victims into taking actions that expose sensitive information, compromise their organization’s security, or threaten their organization's financial well-being.
Phishing is the best-known and most pervasive type of social engineering attack. Phishing attacks use fraudulent emails, text messages or phone calls to trick people. These attacks aim to get people to share personal data or access credentials, download malware, send money to cybercriminals, or take other actions that might expose them to cybercrimes. Special types of phishing include:
Spear phishing—highly targeted phishing attacks that manipulate a specific individual, often using details from the victim’s public social media profiles to make the ruse more convincing.
Whale phishing—spear phishing that targets corporate executives or wealthy individuals.
Business email compromise (BEC)—scams in which cybercriminals pose as executives, vendors or trusted business associates to trick victims into wiring money or sharing sensitive data.
Another social engineering tactic, tailgating, is less technical but no less a threat to IT security: it involves following (or ‘tailing’) an individual with physical access to a data center (say, someone with an ID card) and literally sneaking in behind them before the door closes.
A denial-of-service (DoS) attack overwhelms a website, application or system with volumes of fraudulent traffic, rendering it too slow to use or altogether unavailable to legitimate users. A distributed denial-of-service (DDoS) attack uses a network of internet-connected, malware-infected devices—called a botnet—to cripple or crash the target application or system.
A zero-day exploit takes advantage of an unknown or as-yet-unaddressed security flaw in computer software, hardware or firmware. ‘Zero day’ refers to the fact that the software or device vendor has zero days, or no time, to fix the flaw, because malicious actors can already use it to gain access to vulnerable systems.
Insider threats originate from employees, partners and other users with authorized access to the network. Whether unintentional (for example, a third-party vendor tricked into launching malware) or malicious (for example, a disgruntled employee bent on revenge), insider threats have teeth. A recent report from Verizon reveals that while the average external threat compromises around 200 million records, threats involving an inside threat actor have exposed as many as 1 billion records.
In a man-in-the-middle (MITM) attack, a cybercriminal eavesdrops on a network connection and intercepts and relays messages between two parties to steal data. Unsecured Wi-Fi networks are happy hunting grounds for hackers launching MITM attacks.
As cybersecurity threats continue to escalate in ferocity and complexity, organizations are deploying IT security strategies that combine a range of security systems, programs and technologies.
Overseen by experienced security teams, these IT security practices and technologies can help protect an organization’s entire IT infrastructure, and avoid or mitigate the impact of known and unknown cyberthreats.
Because many cyberattacks, such as phishing attacks, exploit human vulnerabilities, employee training has become an important line of defense against insider threats.
Security awareness training teaches employees to recognize security threats and use secure workplace habits. Topics covered often include phishing awareness, password security, the importance of running regular software updates, and privacy issues, like how to protect customer data and other sensitive information.
Multi-factor authentication requires one or more credentials in addition to a username and password. Implementing multi-factor authentication can prevent a hacker from gaining access to applications or data on the network, and it works even if the hacker is able to steal or otherwise obtain a legitimate user's username and password.
Multi-factor authentication is critical for organizations that use single sign-on systems. These systems enable users to log in to a session once and access multiple related applications and services during that session without logging in again.
Incident response, sometimes called cybersecurity incident response, refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches and cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.
Many organizations create a formal incident response plan (IRP) that defines the processes and security software they use to identify, contain and resolve different types of cyberattacks. According to the Cost of a Data Breach report, at organizations that create and regularly test a formal IRP the cost of a data breach was USD 232,008 less than the average USD 4.45 million.
No single security tool can prevent cyberattacks altogether. Still, several tools can play a role in mitigating cyber risks, preventing cyberattacks and minimizing damage when an attack occurs.
Common security software that helps detect and divert cyberattacks includes:
Email security tools, including AI-based anti-phishing software, spam filters and secure email gateways
Antivirus software to neutralize spyware or malware that attackers might use to probe network security, conduct reconnaissance, eavesdrop on conversations, or take over email accounts
System and software patches to close technical vulnerabilities commonly exploited by hackers
Secure web gateways and other web filtering tools to block malicious websites often linked to phishing emails
Threat detection and response solutions use analytics, artificial intelligence (AI) and automation to help security teams detect known threats and suspicious activity. They enable security teams to take action to eliminate the threat or minimize its impact. These technologies include security orchestration, automation and response (SOAR), security incident and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR).
Offensive security operations are often carried out by ethical hackers, cybersecurity professionals who use their hacking skills to find and fix IT system flaws. Common offensive security methods include:
Penetration testing—launching a mock cyberattack to uncover vulnerabilities and weaknesses in computer systems, response workflows and users' security awareness. Some data privacy regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS), specify regular penetration testing as a requirement for compliance.
Red teaming—authorizing a team of ethical hackers to launch a simulated, goal-oriented cyberattack on the organization.
Offensive security complements security software and other defensive security measures—it discovers unknown cyberattack avenues, or vectors, that other security measures might miss. And it yields information security teams can use to make their defensive security measures stronger.
Given their significant overlap, the terms ‘IT security,’ ‘information security’ and ‘cybersecurity’ are often (and mistakenly) used interchangeably. They differ primarily in scope.