Bandler's Four Pillars of Cybersecurity
by John Bandler
My Four Pillars of Cybersecurity is a cybersecurity framework everyone can understand. It is a great starting point for individuals and for small and mid-sized organizations as guidance for their cybersecurity plan and practice.
It is an ongoing process to:
- Improve knowledge and awareness, to improve decision making from the CEO to the newest hire. Learn about cybercrime threats, information security, technology, and legal requirements.
- Secure computing devices
- Secure data
- Secure networks and use of the Internet
[Repeat! It's a continual process of improvement].
The beauty of this conceptual framework is its simplicity and efficiency. It is understandable and accessible to every person, from the newest hire to the head of the organization, from the luddite to the IT professional. That is essential because cybersecurity is for everyone, from the end users to the leaders who make important decisions about information assets. Bandler's Four Pillars of Cybersecurity focuses on these important areas, with continual and cyclical growth and improvement. Let's review each pillar.
1. Knowledge and awareness
Every employee needs a degree of knowledge and awareness to make good decisions. The employee's lack of knowledge might result in a devastating cybercrime. The organization leader's lack of knowledge might result in disastrous decisions regarding information technology and security.
Imagine trying to secure your home without knowing how a door operates, or how to engage the lock. Imagine trying to drive a car safely without understanding the basic principles of how a car works, the rules of the road, or the basic rules of physics that we learn through common sense. We know we cannot navigate that curve at 100 mph, nor can we survive a crash at that speed.
Knowledge and awareness should extend to:
- Legal requirements
- Organization internal rules (including written policies, procedures, and more)
- Cybercrime threats, including:
  - Social engineering (con artistry) and similar threats aimed at people
  - Email-based funds transfer frauds ("business email compromise" and "CEO fraud")
  - Malware, including ransomware
  - Data breaches and data theft
  - Identity theft
- Privacy threats
- Basic information security principles
- How computers work
- How networks and the internet work
- How to implement basic security measures and make good security decisions
- The importance of cybersecurity in the home, and how security at work and home are interrelated
- How working remotely creates security risks
Links below lead to information to boost your knowledge.
2. Protect computing devices
Computing devices need to be secured. This includes smartphones, tablets, laptops, desktops, servers, networking devices, and more. This means:
- Inventory all devices, and develop a process for bringing them into service securely (commissioning) and taking them out of service securely when no longer needed (decommissioning).
- Ensure physical security and control over these devices. Devices need to be protected from loss, damage, or theft.
- Proper device configuration.
- Updating (patching) of devices.
- Malware protection.
- Intrusion protection.
- Controlled access.
- Periodic review of security and privacy settings.
3. Protect data
Data needs to be protected from data breach, and needs to be available when needed. Certain data breaches could trigger reporting requirements. This means:
- Inventory data (to a reasonable degree of detail).
- Inventory applications (to a reasonable degree of detail).
- Inventory cloud-based services and apps (to a reasonable degree of detail).
- Secure cloud accounts properly with complex, unique passwords and a second factor of authentication (multi-factor authentication, MFA, or 2FA).
- Control access to data.
- Secure data in a manner commensurate with its sensitivity.
- Encrypt certain data where warranted.
- Delete unneeded data.
- Back up data regularly.
This protection of data extends to the online accounts and applications that store data and are critical to the organization's operation. Many applications and services are cloud-based, and those need to be protected too.
4. Protect networks and safe use of the internet
Data is constantly flowing between our internal devices and through the internet. Key concepts include:
- Inventory network hardware and physically secure it.
- Routers and switches are securely configured:
  - Unique (and non-default) passwords.
  - Kept updated (patched).
  - Unneeded features disabled.
  - Wi-Fi networks encrypted and requiring a strong password to join, with the password changed periodically.
- Consider intrusion prevention and monitoring.
- Be conscious of the route that data takes.
- Avoid or minimize the use of public networks.
- Encrypt data in transit whenever practical.
- Encrypt certain data at the file level for transmittal.
Repeat (continually improve)
Cybersecurity is never "done", but we take small continual steps, and look to continually improve our security and the strength of each of the four pillars.
Bandler's Four Pillars is a simple entry point while other frameworks can be complex
There are many cybersecurity frameworks out there, which I will discuss in more detail in this article. These other frameworks are written by excellent teams of smart people in excellent organizations. The NIST frameworks are excellent and freely available at no cost, with no license agreement. Other frameworks may be part of a business model, proprietary, cost money, and be subject to licensing agreements. All are geared toward readers with a high degree of technology and information security knowledge, and toward organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most small and mid-sized organizations to implement.
In contrast, the Bandler's Four Pillars of Cybersecurity framework is perfect for individuals, small organizations, and many medium-sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted.
Bandler's Four Pillars is defensible and extensible
My Four Pillars of Cybersecurity is a defensible framework. It is simple and comprehensible for every organization employee. Other frameworks have far more detail and are far more complex. But frameworks that are not read, or are not understood, do not impart their full value.
- The 18 Critical Security Controls (CSC) (formerly 20) from the Center for Internet Security (CIS) are respected, detailed, and complex. My Four Pillars includes four essential categories that the CSC covers in greater detail.
- Every cybersecurity framework has details pertaining to securing these four areas.
- No cybersecurity expert would disagree about the importance of knowledge, good decision making, and securing of devices, data, networks, and internet usage.
- Most small businesses without in-house cybersecurity expertise would be unable to properly understand or implement a traditional cybersecurity framework.
- The NIST Cybersecurity Framework (NIST CSF) is one of the shortest and simplest frameworks out there (other than mine). Still, it is 55 pages, has significant technical language, five framework functions, and 23 categories.
The Four Pillars framework is extensible. It can be extended to add greater detail, and organizations can adopt more complex frameworks as they increase in size and maturity. It is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework or the CIS Eighteen (formerly Twenty) Critical Security Controls. Even as maturation takes place, the Four Pillars remains helpful because cybersecurity is a responsibility of every employee, and not every employee can be a cybersecurity expert.
Bandler's Four Pillars of Cybersecurity will serve individuals, small businesses, and most medium-sized businesses well. The framework is also conceptually helpful for individuals in larger organizations who want to understand basic cybersecurity principles.
This is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, please contact me.
- Introduction to Cybersecurity and Information Security
- Cybersecurity Tips from John Bandler (single page tip sheet)
- Cybersecurity forms for the home or small office
- The Three Priority Cybercrime Threats
- Cybercrime Frauds Involving Email and Funds Transfers (email-based funds transfer frauds, like business email compromise (BEC) and CEO fraud)
- Data Breaches
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
- Cybersecurity Frameworks and Guidance
- NIST Cybersecurity Framework
- Free Starter Cybersecurity Policy
- Cybersecurity, Privacy, You, and Your Organization
- Five Components for Policy Work
- Policies, Procedures, and Governance of an Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Privacy, You, Your Organization, and the New NIST Privacy Framework
- Cybersecurity for the Home and Office (page about my first book, where I pioneered the Four Pillars)
  - Chapter 4 is devoted to introducing the reader to information security and cybersecurity
  - Chapter 8 is about securing devices
  - Chapter 9 is about securing data
  - Chapter 10 is about securing networks
This article is hosted at https://johnbandler.com/bandlers-four-pillars-of-cybersecurity. Copyright John Bandler, all rights reserved.
A version of this article is available on Medium.com, at https://johnbandler.medium.com/bandlers-four-pillars-of-cybersecurity-6d0761f04f82 (though perhaps not as current).
Originally Posted 7/2/2021. Updated 12/08/2023.