Cybersecurity and Cybercrime Prevention
by John Bandler
This page is a brief outline to assist individuals and organizations by providing a framework and references. I also use this as a presentation landing page and structure some courses and speaking presentations around it.
This is a comprehensive outline, but remember that not every section gets equal weight or time devoted to it. It is tailored for the audience and the need. Some sections might be covered in a minute or two, some might require extensive discussion.
1. Introduction
Cybersecurity and cybercrime prevention requires knowledge of some important areas, and is a process of continual improvement.
Important areas include:
- Cybercrime threats
- Technology basics
- Cybersecurity basics
- Organizing and improving a personal or family cybersecurity plan
- Establishing and improving an organization's cybersecurity program
- Cybercrime criminal laws (mostly for organizations)
- Civil laws and regulations regarding cybersecurity and data breach notification (mostly for organizations)
- Privacy concepts and laws (mostly for organizations)
- References and digging into deeper details
As we go through each area I will keep the text short and simply provide relevant references.
2. Cybercrime threats
If we understand the cybercrime threats and risks, we can protect against them and spot them when they occur.
By analogy, if we understand that burglars might try to break into a residence or business, we can think about measures to try prevent or deter that crime, or detect it as soon as it happens.
Immediate focus should be on the Three Priority Cybercrime Threats, and it helps to have a general knowledge of cybercrime and identity theft.
- The Three Priority Cybercrime Threats
- Cybercrime
- Identity theft
- Cybersecurity for the Home and Office Chapter 2, The Black Market for Your Data: The Cybercrime Economy
- Cybercrime Investigations Chapter 2, What is Cybercrime and Why is it Committed
3. Technology basics
A foundation in technology is often a prerequisite. Not that you have to become an expert, just have some knowledge.
As another analogy, we know that burglars might look to see if a door or window is open, and if not, they might try to use a certain amount of force. So we know that shutting and locking a door is a good security measure. High security locks and alarms are also available. We need to think how technology works and where our electronic windows and doors are.
Think about your technology as four components
- The human that configures and uses technology
- Computer devices
- Data and online accounts
- Networks and internet
To learn a little bit more, see these:
- Technology basics
- Cybersecurity for the Home and Office Chapters 5 and 6
- Cybercrime Investigations Chapter 3
4. Cybersecurity basics
People need a foundation in basics of cybersecurity, and what measures can be employed, and their relative effectiveness.
Cybersecurity is about human decisions, including about managing risk.
A foundation in cybersecurity is essential:
- Introduction to Cybersecurity and Information Security
- Cybersecurity things to know
- Risk
- Cybersecurity for the Home and Office Chapter 4, Basic Information Security Principles
- Cybercrime Investigations Chapter 4, Introduction to Information Security and Cybersecurity
5. Organizing and improving a personal or family cybersecurity plan
Now that we have some basic knowledge, how do we use that to protect ourselves?
Also consider that our personal life and home are the most important for us, so let's protect it, and get some hands-on practical skills with technology and cybersecurity while we do that. Cybersecurity starts in the home.
I would love for you to buy and read my first book, but few of you will do that. But you can read my blog article here for free and follow my four pillars of cybersecurity, which are:
- Improve Knowledge and awareness to improve decision making from the CEO to newest hire. Learn about cybercrime threats, information security, technology, and legal requirements
- Secure computing devices
- Secure data
- Secure networks and use of the Internet
[Repeat! It's a continual process of improvement]
Some references include:
- Cybersecurity Tips from John Bandler (one page tip sheet)
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity for the Home and Office (entire book)
- Cybersecurity Asset Inventory Forms for the Home to keep track of devices, data, accounts, network information in your home
Individuals can skip to Point 10
Organization cybersecurity continues
If you are concerned solely with personal or family cybersecurity you can just skip to Point 10 (or so) where we start discussing if this is too much, not enough, and additional references.
If you are concerned about your organization's cybersecurity, keep reading. We build upon all of the above and keep going.
6. Establishing and improving an organization's cybersecurity program
Now we add some degrees of difficulty to the cybersecurity problem.
Hopefully, we have a degree of knowledge, awareness, and experience, thanks to all of the above, including working to protect and learn about our information systems at home and for the family.
We need to apply all we have covered to the organization, and that adds a number of challenges.
The good news is the four pillars of cybersecurity remains valid and helpful for organizations, especially small and mid-size organizations, but even for large ones too.
Now you are going to need some additional formality and documentation. As you do that we focus on the business mission, how to improve management and protection, be profitable and resilient, and comply with legal requirements.
- Cybersecurity Tips from John Bandler (one page tip sheet)
- Bandler's Four Pillars of Cybersecurity
- Bandler's Free Starter Cybersecurity Policy
- Three Platforms to Connect (for compliance)
- Four Platforms to Connect (for compliance and mission too)
- Five Components for Policy Work
- Policy Project Planning and Execution
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity Laws and Regulations Part 1
- Cyber Insurance
- Cybersecurity and Working from Home
- Cybersecurity related forms you can use to inventory the information assets in your home or small organization (computer devices, data, accounts, network, etc.)
We tiptoed into the law there, and remember that businesses and organizations face many legal issues, including relating to cyber. So more on law and cyber related law next.
7. Laws and cyberlaws introduced
Here is where we introduce some legal concepts, including law, cyberlaw, and all that entails.
- Law
- Cyberlaw
- External Rules
- Introduction to law things to know
- Cybercrime Investigations Chapter 5
Organizations need to be aware of all legal requirements that apply to them.
8. Cybercrime criminal laws (for organizations)
The average organization only needs to know a tiny bit about criminal law: so they can properly investigate and report it if it happens to them, and how to avoid inadvertently violating it.
But those in law enforcement or who work regularly with law enforcement should have a solid understanding of criminal law, including substantive criminal law (the crimes people can be charged with) and procedural criminal law (you guessed it, the process, or procedure of investigating, arresting, and prosecuting defendants).
- Cybercrime
- Identity theft
- Substantive criminal laws
- Procedural criminal laws and evidence gathering
- Cybercrime Investigations Chapters 5, 6, 7
9. Civil laws and regulations regarding cybersecurity and data breach notification (for organizations)
All organizations need to know about the civil laws relating to cybersecurity and data breach reporting and notification.
Some organizations may have a legal duty to have a certain level of cybersecurity for certain data. All organizations have a duty to notify and report if certain data is breached. All organizations may have certain cyber duties in accord with traditional law concepts relating to contract and negligence.
- Cybersecurity Laws and Regulations Part 1
- Cyber Insurance
- Cybersecurity for the Home and Office Chapter 14
- Cybercrime Investigations Chapter 9
- NYS SHIELD Act, NYS GBL 899-aa and NYS GBL 899-bb
- FTC Act
Organizations need to manage other areas of a law also, including basic business law, contract, negligence, and intellectual property. Links for those at the bottom.
10. Privacy concepts and laws (mostly for organizations)
Privacy laws will almost always include a cybersecurity requirement and a data breach notification requirement, as covered above.
Privacy laws will also include specifics relating to consumer data, what information is collected from consumers, how it is used, shared, stored, and etc.
11. Wait, I'm feeling...
11a. Wait, I'm overwhelmed! This outline (and resources) is too much!
Relax, it's OK. Between this article and everything I directly link to, plus everything those articles link to, it can seem overwhelming.
You don't have to learn everything at once. Try to learn one thing at a time, improve one priority item at a time. Think of it as a process of continual improvement (not about perfection).
Start with general principles and foundational basics. When I provide links, usually that's the links at the top.
Sometimes, professional expertise can help cut through some of the most difficult parts of getting started with or improving cybersecurity. I provide that expertise so see my services or contact me.
11b. I want more details! This isn't enough, it's too general!
I try to layer things, simple up front, links to more articles on this website. If this page seems simple or basic, that's what the linked articles are for. If you have read everything on this website, you've covered a lot of material. But still, there is only so much I can cover, and I try keep these articles relatively short.
So remember that I have written two books, and they have considerable information within.
And consider that many of my articles point to external resources, so check those out too.
There is plenty of good knowledge here and out there, through reading, formal education, and certification study. Or customized training or expert help with your situation.
11c. This is perfect! I love how it is organized!
Thank you!
12. Conclusion
Thus we conclude this outline.
As always, none of this is legal advice nor consulting advice, nor tailored to your situation. Nothing can make you immune and impervious to cybercrime, but you should try to continually improve your cybersecurity and how you manage your information assets.
13. References and additional reading
Many references were provided above within each section. Here's a more complete compilation.
Cybersecurity and cybercrime basics
- Cybersecurity Tips from John Bandler (one page tip sheet)
- Bandler's Four Pillars of Cybersecurity
- The Three Priority Cybercrime threats to protect against, including:
- Cybercrime
- Identity theft
- Risk
- Introduction to Cybersecurity and Information Security
- Cybersecurity things to know
- Cybersecurity, Privacy, You, and Your Organization
- Cybersecurity Laws and Regulations Part 1
- Cyber Insurance
- Cybersecurity and Working from Home
- Cybersecurity book overview page
- Cybercrime Investigations book overview page
- Cybersecurity review and improvement for your organization - a checklist
Cybersecurity related forms you can use to identify and list the information assets in your home or small organization (computer devices, data, accounts, network, etc.)
Basic Law resources
- Rules
- Law
- Introduction to law things to know
- Introduction to Law (outline)
- Cyberlaw
- Business Basics and Law
- Intellectual Property Law
- Contract Law
- Negligence Law
- About my course on Udemy, “Introduction to Law”
Cyber law resources
- Cyberlaw
- Cybersecurity Laws and Regulations Part 1 (general legal overview and link to Part 2)
- Privacy
More details on privacy law
Learn about the CIPP/US certification and my course on privacy and cybersecurity law.
- About the CIPP/US Certification, How to Study for It, and Reference List
- My coupon code at the Infosec Institute for my CIPP/US course (and others)
- Privacy (My simple blog article gets you started)
John's online courses on privacy, security policies, and law
Now organized from a perspective of organization management, compliance, and efficiency with the Five Components
- Five Components for Policy Work
- External Guidance
- External Rules
- Internal Rules
- Five Components for Policy Work (yes, it's a little recursive)
- Policies and Procedures (and other governance documents)
- Policies, Procedures, and Governance of an Organization
- Policy Checklist
- Internal Rules Planning
- Internal Rules Building
- Policy and Procedure Research and References (I have researched and built out many articles on the topic and they are all listed here)
- Bandler's Free Starter Cybersecurity Policy
- Mission and Business Needs
- Practice and Action
Books
- Cybersecurity for the Home and Office, by John Bandler, Published by the American Bar Association (ABA) in 2017, ISBN-13: 978-1634259071
- Cybercrime Investigations: A Comprehensive Resource for Everyone, John Bandler and Antonia Merzon, CRC Press, 2020, ISBN-13: 978-0367196233 (Chapter 3 introduces technology, Chapter 4 introduces cybersecurity)
Speaking, training, and cybersecurity program development
14. External references
- NYC Cybersecurity page, https://www.nyc.gov/site/em/ready/cybersecurity.page
- US Ready.gov cybersecurity, https://www.ready.gov/cybersecurity
- US CISA cybersecurity, https://www.cisa.gov/topics/cybersecurity-best-practices
- FTC Federal Trade Commission https://www.ftc.gov/
- FTC small business cybersecurity
https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity - FTC Small business and NIST CSF
https://www.ftc.gov/tips-advice/business-center/small-businesses/cybersecurity/nist-framework - FTC understanding NIST CSF
https://www.ftc.gov/system/files/attachments/understanding-nist-cybersecurity-framework/cybersecurity_sb_nist-cyber-framework.pdf
- FTC small business cybersecurity
- National Institute of Standards and Technology (NIST) resources
- NIST Small Business Cybersecurity Center,
https://www.nist.gov/itl/smallbusinesscyber - NIST Cybersecurity Framework Small and Medium Business Resources
https://www.nist.gov/cyberframework/small-and-medium-business-resources - NIST Small Business Information Security: The Fundamentals, NISTIR 7621,
https://www.nist.gov/publications/small-business-information-security-fundamentals
https://nvlpubs.nist.gov/nistpubs/ir/2016/NIST.IR.7621r1.pdf - NIST small business incident response guidance, https://www.nist.gov/itl/smallbusinesscyber/responding-cyber-incident
- NIST Computer Security Incident Handling Guide, Special Pub 800-61 Revision 2 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
- NIST Cybersecurity Framework, https://www.nist.gov/cyberframework
- NIST Small Business Cybersecurity Center,
This page is hosted at https://johnbandler.com/cybersecurity-and-cybercrime-prevention, copyright John Bandler all rights reserved.
Posted 2/28/2023 (building on prior work). Updated 06/17/2023.