Bandler's Four Pillars of Cybersecurity by John Bandler
My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:
- Knowledge and awareness of cybercrime threats, information security, technology, and legal requirements
- Protection of computing devices
- Protection of data
- Protection of networks and safe use of the internet.
The beauty of this conceptual framework is its simplicity and efficiency. It is understandable and accessible to every person, from the newest hire to the head of the organization, and importantly to those without a technical background. That is essential because cybersecurity is for everyone, from the end users to the leaders who make important decisions about information assets. The Four Pillars of Cybersecurity focuses attention on these four areas, with continual and cyclical growth and improvement. Let's review each pillar.
1. Knowledge and awareness
Imagine trying to secure your home without knowledge of how a door operates, or how to engage the lock. Imagine trying to drive a car safely without understanding basic principles of how a car works, rules of the road, or the basic rules of physics that we learn with common sense (e.g. we cannot navigate that curve at 100 mph, nor can we survive a crash at that speed).
Every employee needs a degree of knowledge and awareness to make good decisions. The employee's lack of knowledge might result in a devastating cybercrime. The organization head's lack of knowledge might result in disastrous decisions regarding information technology and security.
Knowledge and awareness should extend to:
- Legal requirements
- Organization internal rules (including written policies, procedures, and more)
- Cybercrime threats, including:
  - Social engineering (con artistry) and similar threats aimed at people
  - Email-based funds transfer frauds ("business email compromise" and "CEO fraud")
  - Malware, including ransomware
  - Data breaches and data theft
  - Identity theft
  - Privacy threats
- Basic information security principles
- How computers work
- How networks and the internet work
- How to implement basic security measures and make good security decisions
- The importance of cybersecurity in the home, and how security at work and at home are interrelated
- How working remotely creates security risks
2. Protection of computing devices
Computing devices need to be secured. This includes smartphones, tablets, laptops, desktops, servers, networking devices, and more. This means:
- Inventory all devices, and develop a process for bringing them into service securely (commissioning) and taking them out of service securely when no longer needed (decommissioning).
- Ensure physical security and control over these devices. Devices need to be protected from loss, damage, or theft.
- Configure devices properly.
- Keep devices updated (patched).
- Protect against malware.
- Protect against intrusion.
- Control access to devices.
- Periodically review security and privacy settings.
3. Protection of data
Data needs to be protected from breach, and needs to be available when needed. Certain data breaches could trigger reporting requirements. This means:
- Inventory data (to a reasonable degree of detail).
- Secure cloud accounts properly with complex, unique passwords and a second factor of authentication (multi-factor authentication, MFA, or 2FA).
- Control access to data.
- Secure data in a manner commensurate with its sensitivity.
- Encrypt certain data where warranted.
- Delete unneeded data.
- Back up data regularly.
4. Protection of networks and safe use of the internet
Data is constantly flowing between our internal devices and through the internet. Key concepts include:
- Inventory network hardware and physically secure it.
- Configure routers and switches securely:
  - Set unique (and non-default) passwords.
  - Keep them updated (patched).
  - Disable unneeded features.
  - Encrypt Wi-Fi networks and require a strong password to join. Change the password periodically.
- Consider intrusion prevention and monitoring.
- Be conscious of the route that data takes.
- Avoid or minimize the use of public networks.
- Encrypt data in transit whenever practical.
- Encrypt certain data at the file level for transmittal.
A quick word on other cybersecurity and information security frameworks
There are many cybersecurity frameworks out there, which I will discuss in more detail in this article (coming soon). These other frameworks are written by excellent teams of smart people in excellent organizations, but are geared toward readers with a high degree of technology and information security knowledge, and toward organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most small and mid-sized organizations to implement. In contrast, my Four Pillars framework is well suited to individuals, small organizations, and many medium-sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted. Should an organization using the Four Pillars framework grow in size and maturity to the point where it requires a more complex framework, it is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework or the CIS Twenty Critical Security Controls.
My Four Pillars of Cybersecurity will serve individuals, small businesses, and most medium-sized businesses well. The framework is also conceptually helpful for individuals in larger organizations to understand basic cybersecurity principles.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for anyone in need of a quick summary, including students, clients, and those seeking to learn about and improve their cybersecurity. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, please contact me.
Some additional helpful articles and resources on this site (including information about my two books) include:
- Cybersecurity Tips from John Bandler (single-page tip sheet)
- Cybersecurity forms for the home or small office
- Cybercrime Frauds Involving Email and Funds Transfers (email-based funds transfer frauds, like business email compromise (BEC) and CEO fraud)
- Data Breaches
- Cybersecurity for the Home and Office (page about my first book)
  - Chapter 4 is devoted to introducing the reader to information security and cybersecurity
  - Chapter 8 is about securing devices
  - Chapter 9 is about securing data
  - Chapter 10 is about securing networks
- Cybercrime Investigations (page about my second book)
  - The Need for Improved Cybercrime Investigations: Why We Wrote This Book
- Cybersecurity, Privacy, You, and Your Organization
- Policies, Procedures, and Governance of an Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Privacy, You, Your Organization, and the New NIST Privacy Framework
- Introduction to Cybersecurity and Information Security
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
- Cybersecurity Frameworks and Guidance (coming soon)
This article is hosted at https://johnbandler.com/bandlers-four-pillars-of-cybersecurity. Copyright John Bandler, all rights reserved.
A version of this article is available on Medium.com, at https://johnbandler.medium.com/bandlers-four-pillars-of-cybersecurity-6d0761f04f82 (though perhaps not as current).
Originally Posted 7/2/2021. Updated 9/17/2021.