IT security, which is short for information technology security, is the practice of protecting an organization’s IT assets—computer systems, networks, digital devices, data—from unauthorized access, data breaches, cyberattacks and other malicious activity.
The scope of IT security is broad and often involves a mix of technologies and security solutions. These work together to address vulnerabilities in digital devices, computer networks, servers, databases and software applications.
The most commonly cited examples of IT security include digital security disciplines such as endpoint security, cloud security, network security and application security. But IT security also includes physical security measures—for example, locks, ID cards, surveillance cameras—required to protect buildings and devices that house data and IT assets.
IT security is often confused with cybersecurity, a narrower discipline that is technically a subset of IT security. Cybersecurity focuses primarily on protecting organizations from digital attacks, like ransomware, malware and phishing scams. IT security, by contrast, covers an organization’s entire technical infrastructure, including hardware systems, software applications and endpoints, like laptops and mobile devices. IT security also protects the company network and its various components, like physical and cloud-based data centers.
Cyberattacks and security incidents can exact a huge toll measured in lost business, damaged reputations, regulatory fines and, in some cases, extortion and stolen assets.
According to IBM’s Cost of a Data Breach 2025 report, the average cost of a data breach is USD 4.44 million. Factors contributing to the cost include everything from notifying customers, executives and regulators to regulatory fines, revenues lost during downtime and customers lost permanently.
Some security incidents are more costly than others. Ransomware attacks encrypt an organization’s data, rendering systems unusable, and demand an expensive ransom payment for a decryption key to unlock the data. Increasingly, the cybercriminals demand a second ransom to prevent sharing sensitive data with the public or other cybercriminals. According to IBM's Definitive Guide to Ransomware, ransom demands have risen to 7- and 8-figure amounts, and in extreme cases have been as high as USD 80 million.
Predictably, investments in IT security continue to rise. Industry analyst Gartner® projects the market will balloon in the coming years, surpassing USD 260 billion by 2026.
Cloud security addresses external and internal cyberthreats to an organization’s cloud-based infrastructure, applications and data.
Cloud security operates on the shared responsibility model: Generally speaking, the cloud service provider (CSP) is responsible for securing the infrastructure with which it delivers cloud services, and the customer is responsible for securing whatever it runs on that infrastructure. However, details of that shared responsibility vary depending on the cloud service.
Endpoint security protects end-users and endpoint devices, like desktops, laptops, cellphones and servers, against cyberattacks. Endpoint security also protects networks against cybercriminals who try to use endpoint devices as a foothold for attacks on the organization’s sensitive data and other assets.
Network security has three chief objectives: The first objective is to prevent unauthorized access to network resources. Second, it aims to detect and stop cyberattacks and security breaches in real time. Third, it ensures that authorized users have secure access to the network resources they need when they need them.
Application security refers to measures developers take while building an app. These steps address potential vulnerabilities and protect customer data and the developers’ own code from being stolen, leaked or compromised.
Internet security protects data and sensitive information transmitted, stored or processed by browsers or apps. Internet security involves a range of security practices and technologies that monitor incoming internet traffic for malware and other malicious content. Technologies in this area include authentication mechanisms, web gateways, encryption protocols and, most notably, firewalls.
Internet of Things (IoT) security focuses on protecting Internet-connected sensors and devices such as doorbell cameras, smart appliances and modern automobiles. IoT security aims to stop hackers from taking control of these devices. It also prevents hackers from using these devices to infiltrate an organization’s network.
Operational technology (OT) security focuses more specifically on connected devices that monitor or control processes within a company—for example, sensors on an automated assembly line.
Every organization is susceptible to cyberthreats from inside and outside the organization. These threats can be intentional, as with cybercriminals, or unintentional, as with employees or contractors who accidentally click malicious links or download malware.
IT security aims to address this wide range of security risks and account for all types of threat actors and their varying motivations, tactics and skill levels.
Malware is malicious software that can render infected systems inoperable, destroying data, stealing information and even wiping files critical to the operating system.
Well-known types of malware include:
Ransomware is malware that locks a victim’s data or device and threatens to keep it locked—or worse—unless the victim pays a ransom to the attacker. According to the IBM X-Force® Threat Intelligence Index, ransomware attacks are the most commonly deployed form of malware.
A Trojan horse is malware that tricks people into downloading it by disguising itself as a useful program or hiding within legitimate software. A remote access Trojan (RAT) creates a secret backdoor on the victim’s device, while a dropper Trojan installs additional malware once it has a foothold.
Spyware secretly gathers sensitive information, such as usernames, passwords, credit card numbers and other personal data, and transmits it back to the hacker.
A worm is self-replicating malware that can automatically spread between apps and devices.
Frequently referred to as “human hacking,” social engineering manipulates victims into taking actions that expose sensitive information, compromise their organization’s security, or threaten their organization's financial well-being.
Phishing is the best-known and most pervasive type of social engineering attack. Phishing attacks use fraudulent emails, text messages or phone calls to trick people. These attacks aim to get people to share personal data or access credentials, download malware, send money to cybercriminals, or take other actions that might expose them to cybercrimes. Special types of phishing include:
Spear phishing—highly targeted phishing attacks that manipulate a specific individual, often using details from the victim’s public social media profiles to make the ruse more convincing.
Whale phishing—spear phishing that targets corporate executives or wealthy individuals.
Business email compromise (BEC)—scams in which cybercriminals pose as executives, vendors or trusted business associates to trick victims into wiring money or sharing sensitive data.
Another social engineering tactic, tailgating, is less technical but no less a threat to IT security: it involves following (or “tailing”) an individual with physical access to a data center (say, someone with an ID card) and literally sneaking in behind them before the door closes.
A DoS attack overwhelms a website, application or system with volumes of fraudulent traffic, rendering it too slow to use or altogether unavailable to legitimate users. A distributed denial-of-service (DDoS) attack uses a network of internet-connected, malware-infected devices—called a botnet—to cripple or crash the target application or system.
A zero-day exploit takes advantage of an unknown or as-yet-unaddressed security flaw in computer software, hardware or firmware. “Zero day” refers to the fact that the software or device vendor has zero days, or no time, to fix the flaw, because malicious actors can already use it to gain access to vulnerable systems.
Insider threats originate from employees, partners and other users with authorized access to the network. Whether unintentional (for example, a third-party vendor tricked into launching malware) or malicious (for example, a disgruntled employee bent on revenge), insider threats have teeth.
According to the Cost of a Data Breach Report, breaches caused by malicious insiders are the most expensive, costing an average of USD 4.92 million.
In a man-in-the-middle (MITM) attack, a cybercriminal eavesdrops on a network connection and intercepts and relays messages between two parties to steal data. Unsecured Wi-Fi networks are happy hunting grounds for hackers launching MITM attacks.
As cybersecurity threats continue to escalate in ferocity and complexity, organizations are deploying IT security strategies that combine a range of security systems, programs and technologies.
Overseen by experienced security teams, these IT security practices and technologies can help protect an organization’s entire IT infrastructure, and avoid or mitigate the impact of known and unknown cyberthreats.
Because many cyberattacks, such as phishing attacks, exploit human vulnerabilities, employee training has become an important line of defense against insider threats.
Security awareness training teaches employees to recognize security threats and use secure workplace habits. Topics covered often include phishing awareness, password security, the importance of running regular software updates, and privacy issues, like how to protect customer data and other sensitive information.
Multifactor authentication requires one or more credentials in addition to a username and password. Implementing multifactor authentication can prevent a hacker from gaining access to applications or data on the network, even if the hacker is able to steal or otherwise obtain a legitimate user’s username and password.
Multifactor authentication is critical for organizations that use single sign-on systems. These systems enable users to log in to a session once and access multiple related applications and services during that session without logging in again.
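The second factor described above is most often a time-based one-time password (TOTP) from an authenticator app. The following is an added example, not code from the original article or from IBM, showing how a login check combines a password with a TOTP code so that a stolen password alone is not enough. It implements HOTP (RFC 4226) and TOTP (RFC 6238) directly with the standard library, accepts one time-step of clock drift on either side, and refuses to accept the same time-step twice so a sniffed code cannot be replayed. The `MfaVerifier` class, the user names and the salt are assumptions made for the demonstration; the shared secret is the RFC 6238 test-vector seed, not a real key.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over a big-endian 8-byte counter, dynamically truncated."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from Unix time in 30-second steps."""
    return hotp(secret, at // step, digits)


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 with a per-user salt; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class MfaVerifier:
    """Hypothetical two-factor login: password (something you know) + TOTP code (something you have)."""

    def __init__(self, step: int = 30, window: int = 1):
        self.step = step
        self.window = window        # accept codes from +/- this many steps of clock drift
        self.users = {}             # username -> (salt, password_hash, totp_secret)
        self.last_counter = {}      # username -> last accepted time-step (replay protection)

    def enroll(self, username: str, password: str, totp_secret: bytes, salt: bytes) -> None:
        self.users[username] = (salt, hash_password(password, salt), totp_secret)

    def login(self, username: str, password: str, code: str, now: Optional[int] = None) -> bool:
        record = self.users.get(username)
        if record is None:
            return False
        salt, pw_hash, secret = record
        # First factor. Constant-time compare avoids leaking how many bytes matched.
        if not hmac.compare_digest(hash_password(password, salt), pw_hash):
            return False
        # Second factor. A stolen password alone stops here.
        now = int(time.time()) if now is None else now
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if hmac.compare_digest(hotp(secret, counter), code):
                # Each time-step may be used once, so an intercepted code cannot be replayed.
                if counter <= self.last_counter.get(username, -1):
                    return False
                self.last_counter[username] = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo values: RFC 6238 test-vector seed and a made-up user.
    SECRET = b"12345678901234567890"
    v = MfaVerifier()
    v.enroll("alice", "correct horse battery staple", SECRET, salt=b"demo-salt-alice")
    t = 59
    print(v.login("alice", "correct horse battery staple", totp(SECRET, t), now=t))  # True
    print(v.login("alice", "correct horse battery staple", totp(SECRET, t), now=t))  # False: replayed code
    print(v.login("alice", "stolen-but-wrong", totp(SECRET, t + 30), now=t + 30))   # False: bad password
```

The replay check is what turns a one-time password into a genuinely one-time credential; without it, a code captured over the network stays valid for the whole drift window. The same verifier would sit behind a single sign-on login, so the second factor is checked once per session rather than per application.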
Incident response, sometimes called cybersecurity incident response, refers to an organization’s processes and technologies for detecting and responding to cyberthreats, security breaches and cyberattacks. The goal of incident response is to prevent cyberattacks before they happen, and to minimize the cost and business disruption resulting from any cyberattacks that occur.
Many organizations create a formal incident response plan (IRP) that defines the processes and security software they use to identify, contain and resolve different types of cyberattacks. According to the Cost of a Data Breach report, at organizations that create and regularly test a formal IRP, the cost of a data breach was USD 232,008 less than the average of USD 4.45 million.
No single security tool can prevent cyberattacks altogether. Still, several tools can play a role in mitigating cyber risks, preventing cyberattacks and minimizing damage when an attack occurs.
Common security software that helps detect and divert cyberattacks includes:
Email security tools, including AI-based anti-phishing software, spam filters and secure email gateways.
Antivirus software to neutralize spyware or malware that attackers might use to target network security, conduct research, eavesdrop on conversations, or take over email accounts.
System and software patches to close technical vulnerabilities commonly exploited by hackers.
Secure web gateways and other web filtering tools to block malicious websites often linked to phishing emails.
Threat detection and response solutions use analytics, artificial intelligence (AI) and automation to help security teams detect known threats and suspicious activity. They enable security teams to take action to eliminate the threat or minimize its impact. These technologies include security orchestration, automation and response (SOAR), security information and event management (SIEM), endpoint detection and response (EDR), network detection and response (NDR), and extended detection and response (XDR).
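The core of a SIEM or NDR product is correlation: turning individual log events into an alert when they form a pattern. The following is an added example, not code from the original article or from any of the products named, showing the simplest such rule over a handful of constructed OpenSSH-style authentication lines: repeated failed logins from one source address inside a sliding time window raise a "brute_force_attempt" alert, and a successful login from that same address while the streak is still active raises a higher-severity "brute_force_success" alert, which is the case an analyst wants to see first. The ISO-timestamp log format, the rule names and the sample addresses are assumptions made for the demonstration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Matches OpenSSH-style auth lines. The ISO timestamp prefix is an assumed log format.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


@dataclass
class AuthEvent:
    ts: datetime
    outcome: str   # "Failed" or "Accepted"
    user: str
    ip: str


@dataclass
class Alert:
    rule: str
    ip: str
    user: Optional[str]
    ts: datetime


def parse(line: str) -> Optional[AuthEvent]:
    m = LOG_RE.match(line)
    if not m:
        return None   # lines from other daemons are ignored by this rule
    return AuthEvent(datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"])


def detect_bruteforce(lines, threshold: int = 5,
                      window: timedelta = timedelta(minutes=2)) -> List[Alert]:
    """Sliding-window correlation: `threshold` failures from one IP within `window`,
    and a success from that IP while the streak is still active."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts: List[Alert] = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        recent = failures[ev.ip]
        while recent and ev.ts - recent[0] > window:
            recent.popleft()        # expire failures that fell out of the window
        if ev.outcome == "Failed":
            recent.append(ev.ts)
            if len(recent) == threshold:   # fire once when the streak reaches the threshold
                alerts.append(Alert("brute_force_attempt", ev.ip, None, ev.ts))
        else:
            if len(recent) >= threshold:   # success after a streak: likely guessed credential
                alerts.append(Alert("brute_force_success", ev.ip, ev.user, ev.ts))
            recent.clear()                 # a success ends the streak either way
    return alerts


# Constructed sample log: one guessing run that succeeds, one user who mistypes twice,
# two failures too far apart to correlate, and an unrelated cron line.
SAMPLE_LOG = [
    "2025-01-15T10:00:01 sshd[1001]: Failed password for invalid user admin from 10.0.0.5 port 51000 ssh2",
    "2025-01-15T10:00:03 sshd[1001]: Failed password for invalid user admin from 10.0.0.5 port 51001 ssh2",
    "2025-01-15T10:00:05 sshd[1001]: Failed password for root from 10.0.0.5 port 51002 ssh2",
    "2025-01-15T10:00:07 sshd[1001]: Failed password for root from 10.0.0.5 port 51003 ssh2",
    "2025-01-15T10:00:09 sshd[1001]: Failed password for root from 10.0.0.5 port 51004 ssh2",
    "2025-01-15T10:00:11 sshd[1001]: Accepted password for root from 10.0.0.5 port 51005 ssh2",
    "2025-01-15T10:00:12 sshd[1002]: Failed password for alice from 192.168.1.20 port 40000 ssh2",
    "2025-01-15T10:00:13 cron[200]: (root) CMD (run-parts /etc/cron.hourly)",
    "2025-01-15T10:00:15 sshd[1002]: Failed password for alice from 192.168.1.20 port 40001 ssh2",
    "2025-01-15T10:00:20 sshd[1002]: Accepted password for alice from 192.168.1.20 port 40002 ssh2",
    "2025-01-15T10:01:00 sshd[1003]: Failed password for bob from 172.16.0.9 port 42000 ssh2",
    "2025-01-15T10:10:00 sshd[1003]: Failed password for bob from 172.16.0.9 port 42001 ssh2",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert.rule, alert.ip, alert.user, alert.ts.isoformat())
```

Run as written, the rule fires twice, both for 10.0.0.5, and stays silent for the user who mistyped twice and for the two failures nine minutes apart. Lowering `threshold` to 2 also flags the mistyping user, which is the trade-off every SIEM rule makes between catching slow attacks and drowning analysts in false positives; the window and threshold are tuned per environment rather than fixed.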
Offensive security, or “OffSec,” refers to a range of proactive security strategies that use adversarial tactics—the same tactics malicious actors use in real-world attacks—to strengthen network security rather than compromise it.
Offensive security operations are often carried out by ethical hackers, cybersecurity professionals who use their hacking skills to find and fix IT system flaws. Common offensive security methods include:
Penetration testing—launching a mock cyberattack to uncover vulnerabilities and weaknesses in computer systems, response workflows and users' security awareness. Some data privacy regulations, such as the Payment Card Industry Data Security Standard (PCI-DSS), specify regular penetration testing as a requirement for compliance.
Red teaming—authorizing a team of ethical hackers to launch a simulated, goal-oriented cyberattack on the organization.
Offensive security complements security software and other defensive security measures—it discovers unknown cyberattack avenues, or vectors, that other security measures might miss. And it yields information security teams can use to make their defensive security measures stronger.
Given their significant overlap, the terms “IT security,” “information security” and “cybersecurity” are often (and mistakenly) used interchangeably. They differ primarily in scope.