Information security is the set of measures, processes and technologies an organization uses to protect its data from unauthorized access, modification and loss. At the heart of the entire discipline sits the so-called CIA triad: confidentiality, integrity and availability. These three pillars are not abstract theory but a practical framework for measuring how well a company is actually protected - from a small office in Mostar to a regional company with dozens of branches.
Many business owners think security is just antivirus and a strong password. In reality, it is a balance of three requirements that sometimes conflict with one another. Lock data down too tightly and people cannot work. Leave it too open and you expose yourself to risk. The CIA triad helps you set that balance deliberately rather than by accident.
The CIA triad is the foundational model underpinning almost every serious risk assessment and every security standard. When we talk about information security, every control can be assigned to at least one of these three objectives.
Confidentiality means that only those who are authorized can access data. The payroll list must not be visible to all employees, client contracts must not leak to competitors, and medical or financial data must stay protected. Typical measures include encryption (at rest and in transit), access control, multi-factor authentication and data classification. When you hear about a "data breach", it is usually a hit against confidentiality.
Integrity means that data is accurate and has not been altered without authorization by anyone, whether an attacker or a system error. Imagine someone changing the account number on an invoice or an amount in an ERP system's database. The data still exists and is accessible, but it is no longer trustworthy. Integrity is preserved through digital signatures, checksums (hashes), versioning, change logs and strict rules about who is allowed to change what.
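The invoice scenario above, as an added example that is not part of the original article: a constructed invoice record is protected first with a plain SHA-256 checksum and then with a keyed HMAC (standing in here for a digital signature; a real ERP would typically use an asymmetric signature). The record, the account numbers and the key are all made-up sample values. The point the code makes is that a checksum catches a silent edit, but an attacker who can rewrite the record can also recompute the checksum, whereas a keyed tag cannot be regenerated without the key.

```python
import hashlib
import hmac
import json

# Constructed sample invoice (not taken from the article).
INVOICE = {
    "invoice_id": "INV-2024-0001",
    "supplier": "Example d.o.o.",
    "iban": "BA00 0000 0000 0000 0000 00",  # placeholder account number
    "amount_bam": "12500.00",
}

# Hypothetical key known only to the ERP system and the verifier.
SIGNING_KEY = b"demo-key-do-not-use-in-production"


def canonical(record: dict) -> bytes:
    """Serialize deterministically so identical content always produces identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def checksum(record: dict) -> str:
    """Plain SHA-256 checksum: detects accidental corruption or an edit nobody re-hashed."""
    return hashlib.sha256(canonical(record)).hexdigest()


def verify_checksum(record: dict, stored_sum: str) -> bool:
    return checksum(record) == stored_sum


def sign(record: dict, key: bytes) -> str:
    """HMAC-SHA256 tag: only someone holding the key can produce a valid tag."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify_signature(record: dict, tag: str, key: bytes) -> bool:
    # Constant-time comparison avoids leaking information through timing.
    return hmac.compare_digest(sign(record, key), tag)


def demo() -> dict:
    """Compare how the two controls behave against a changed account number."""
    stored_sum = checksum(INVOICE)
    stored_tag = sign(INVOICE, SIGNING_KEY)

    # Someone changes the IBAN on the invoice (constructed tampered value).
    tampered = dict(INVOICE, iban="BA00 9999 9999 9999 9999 99")

    # Case 1: the record is edited but the stored checksum/tag are left untouched.
    silent_edit_caught_by_checksum = not verify_checksum(tampered, stored_sum)
    silent_edit_caught_by_signature = not verify_signature(tampered, stored_tag, SIGNING_KEY)

    # Case 2: the editor also rewrites the stored checksum, and tries to forge a tag
    # without the real key.
    recomputed_sum = checksum(tampered)
    forged_tag = sign(tampered, b"attacker-guess")
    recomputed_checksum_passes = verify_checksum(tampered, recomputed_sum)
    forged_signature_rejected = not verify_signature(tampered, forged_tag, SIGNING_KEY)

    return {
        "silent_edit_caught_by_checksum": silent_edit_caught_by_checksum,
        "silent_edit_caught_by_signature": silent_edit_caught_by_signature,
        "recomputed_checksum_passes": recomputed_checksum_passes,
        "forged_signature_rejected": forged_signature_rejected,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The practical reading: a checksum belongs in change logs and backup verification, where the threat is corruption or mistakes; when the threat is a person who can edit both the data and its hash, integrity needs a key or a signing certificate that the editor does not hold.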
Availability means that data and systems are there when you need them. The strongest encryption is worthless if your server goes down in the middle of the workday or if ransomware locks you out. Availability is ensured through regular backups, redundancy, protection against DDoS attacks, a disaster recovery plan and 24/7 system monitoring, the kind the SOC team at NeoBit provides.
| CIA triad pillar | What it protects | Typical attack / risk | Example control |
|---|---|---|---|
| Confidentiality | Who is allowed to see the data | Data breach, phishing | Encryption, MFA, access control |
| Integrity | That the data is accurate and unaltered | Unauthorized modification, fraud | Digital signatures, hashes, logs |
| Availability | That the data is there when needed | Ransomware, DDoS, server failure | Backup, redundancy, DR plan |
The terms are often used as synonyms, but they are not the same. Information security is the broader concept and refers to protecting information in any form: a digital record, a paper contract in a cabinet, a conversation in a meeting room, or knowledge in an employee's head. Cyber security is the narrower concept and deals with protecting digital systems, networks and data from attacks over the internet.
For a company, this means it is not enough to buy technical solutions alone. Most incidents in the region begin with human error: clicking a link, sending data to the wrong person, leaving a password on a sticky note. That is why a good information security strategy always combines technology, clear procedures and employee education.
Alongside the CIA triad, there are several proven principles that form the backbone of every good security system. They are not complicated, yet many companies neglect them until it is too late.
Every user, application or service should have only as many rights as are strictly necessary for the job, not a bit more. An accountant does not need administrator privileges on the server, and an intern does not need access to the entire client database. When an attacker compromises a single account, least privilege limits the damage they can do. Similarly, the "need to know" principle states that you share information only with those who genuinely require it.
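The accountant-and-intern situation above, as an added example that is not part of the original article: a small deny-by-default authorization check in Python in which each role is granted only the actions its job needs, and each account is additionally limited to the branches it has a need to know about. The roles, accounts, actions and branch names are constructed for illustration. The `blast_radius` function shows the point of least privilege from the defender's side: it lists everything an attacker who took over a given account could do, and the audit log of denied requests is the kind of signal a SOC would alert on.

```python
from dataclasses import dataclass
from itertools import product

# Constructed example data (not from the article): the actions each role needs
# for its job, and the branches each account has a need to know about.
ROLE_PERMISSIONS = {
    "accountant": {"payroll:read", "invoices:read", "invoices:write"},
    "intern": {"invoices:read"},
    "sysadmin": {"server:admin"},
}
ACCOUNTS = {
    "amira": {"role": "accountant", "branches": {"mostar"}},
    "dino": {"role": "intern", "branches": {"mostar"}},
    "lejla": {"role": "sysadmin", "branches": {"mostar", "sarajevo"}},
}
ALL_ACTIONS = sorted(set().union(*ROLE_PERMISSIONS.values()))
ALL_BRANCHES = ("mostar", "sarajevo")

# Denied requests are recorded here; in production this would go to the SIEM.
AUDIT_LOG = []


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def authorize(account: str, action: str, branch: str, log: bool = True) -> Decision:
    """Deny by default; allow only when the role needs the action AND the branch is in scope."""
    entry = ACCOUNTS.get(account)
    if entry is None:
        decision = Decision(False, "unknown account")
    elif action not in ROLE_PERMISSIONS.get(entry["role"], set()):
        decision = Decision(False, f"role '{entry['role']}' does not need '{action}'")
    elif branch not in entry["branches"]:
        decision = Decision(False, f"no need to know for branch '{branch}'")
    else:
        decision = Decision(True, "allowed")
    if log and not decision.allowed:
        AUDIT_LOG.append((account, action, branch, decision.reason))
    return decision


def blast_radius(account: str) -> set:
    """All (action, branch) pairs an attacker holding this account could use."""
    return {
        (action, branch)
        for action, branch in product(ALL_ACTIONS, ALL_BRANCHES)
        if authorize(account, action, branch, log=False).allowed
    }


if __name__ == "__main__":
    # Demonstrate how much a compromise of each account would expose.
    for name in ACCOUNTS:
        print(f"{name}: {len(blast_radius(name))} allowed action/branch pairs")
    # A denied request, e.g. an intern reaching for payroll, lands in the audit log.
    authorize("dino", "payroll:read", "mostar")
    print("denied requests:", AUDIT_LOG)
```

Two design choices carry the principle: the check refuses anything not explicitly granted (so a new action is closed until someone decides who needs it), and the scope check is separate from the role check, so "need to know" narrows what a role can see rather than widening it.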
Never rely on a single layer of protection. Defense in depth means multiple independent layers: firewall, network segmentation, EDR on devices, email filtering, MFA, backup and monitoring. If one layer gives way, the next stops the attacker. Think of it like a medieval town: a moat, a wall, a gate, a guard. Breaching one wall is not the same as entering the town.
The CIA triad and the principles above were not invented as an exercise; they are the foundation of international standards and laws that increasingly bind companies in Bosnia and Herzegovina, Croatia and Serbia as well.
ISO/IEC 27001 is the best-known standard for an information security management system (ISMS). It gives an organization a structured framework for risk assessment, control selection and continuous improvement. All of its controls ultimately serve to protect confidentiality, integrity and availability. ISO 27001 certification is increasingly demanded by large clients and partners before they entrust you with their data, so it becomes a business advantage and not just a technical obligation.
GDPR (the General Data Protection Regulation) and similar local laws on personal data protection require "appropriate technical and organizational measures". In practice, this means exactly encryption, access control, record keeping, incident reporting and the ability to demonstrate how you protect citizens' personal data. If you do business with clients or partners from the EU, GDPR applies to you too, even though your company is headquartered in Bosnia and Herzegovina.
| Framework | What it is | Why it matters to a company |
|---|---|---|
| CIA triad | The foundational security model | Provides the language and logic for everything else |
| ISO 27001 | A standard for managing security | Structure, certification, partner trust |
| GDPR | A law on personal data protection | Legal obligation, fines, doing business with the EU |
The theory is clear, but it is in practical application that companies get stuck. NeoBit from Mostar helps organizations across the region turn the CIA triad and the core principles of information security into concrete steps: risk assessment, penetration testing to reveal where the real gaps are, deployment of EDR and SIEM solutions, monitoring through a SOC team, and preparation for ISO 27001 and GDPR compliance.
The best first step is an assessment of the current state. If you want to find out how resilient your company really is to attacks and where the priorities lie, contact NeoBit for a free initial conversation and security assessment. It is better to uncover weaknesses in time than to pay for them after an incident.
The CIA triad is the foundational model that describes three goals of data protection: confidentiality (only authorized people see the data), integrity (the data is accurate and unaltered) and availability (the data is there when needed). In practice, every security control serves at least one of these three goals.
Information security is the broader concept and protects information in every form, including paper, conversations and people, not just digital data. Cyber security is the narrower concept and focuses on protecting digital systems, networks and data from attacks over the internet.
Least privilege means that every user or system is granted only the rights that are necessary to perform their work, and nothing more. This limits the damage if an attacker takes over an account, because that account has minimal access.
GDPR and ISO 27001 are two different things that complement each other. GDPR is a legal obligation to protect personal data, while ISO 27001 is a voluntary standard that provides a structured security management system. ISO 27001 actually helps you meet GDPR requirements more easily and build trust with partners.