Confidentiality in a cyber security context refers to ensuring information is accessed and used by only those who are authorised to, and for the purpose and to the extent of that authorisation. That is, ensuring information is only seen and used by those people and systems that are supposed to see and use it, and that the information is only seen and used for the intended purpose of that access.
If we were to take a patient record as an example, that information may only be seen by the doctor and perhaps the patient. Confidentiality of that patient record – that patient’s information – could be breached if, for example, the doctor’s computer screen were to be left on while still logged into the system without a screen lock risking accidentally displaying the information to other patients and staff sitting in the surgery. As another example, if a malicious link were to be clicked on in a phishing email and an attacker were to be able to have or escalate their rights to do and see things within the doctor’s or surgery’s computer or cloud server holding that record or multiple patient records, then that too could breach confidentiality of patient records and other information. These examples could also put at risk the integrity and availability of information.
These are examples of breaches of confidentiality of information. Confidentiality can also be breached through improper use. That is, a person or system may have access to information for a specific purpose. If we were to take a customer bank record as an example. A bank employee may have access to customer bank records for the purpose of allowing a customer to transact with the bank. If the bank employee were to access and use that information for a different purpose, such as to look the bank’s customers details up out of interest or copy them to take them to a competitor, this would also be a breach of confidentiality. It would also be a breach of that customer’s or customers’ privacy, and similarly in the patients’ case as described in the previous example.
Beyond technical controls, this is also why policies such as Acceptable Use Policies with training are important to ensure employees understand what the can and can’t access and for what purpose they can access that information. Similarly with Privacy Policies so customers and others can understand how their information will be accessed, used and for what purpose.
From a technical standpoint, access and use can be restricted with access controls and also monitored to detect if something unusual is happening. The logs can also be maintained to review should something go wrong so experts have evidence to work with.
Keeping software up-to-date, using strong unique passwords, avoiding clicking on phishing links, limiting access to information to what is needed to for each user to perform their role, maintaining valid encrypted backups that are timestamped to restore from, and monitoring are a combination of techniques that may help with resilience to these issues – as could a communications plan.