Introduction to Cybersecurity and Information Security
By John Bandler
Learn about cybersecurity to protect yourself and your organization, and to improve your decision making. This article gets you started; more resources are provided within it and at the end.
Information security is the process of protecting information, whatever form that information takes. We store and communicate information in many ways and forms, and information security is about protecting it. The need for information security has existed for millennia, and there is a well established profession devoted to it. Cybersecurity is a newer and essential subset of information security, focused on protecting information assets in digital form, and also protecting from myriad cybercrimes. Organizations should build a comprehensive information security program and seek continual improvement.
This brief and introductory article is designed to get you started on this concept, with links for additional detail.
It starts with people and good decision making
Cybersecurity starts with people, at every level of every organization. Every person makes decisions, whether the newest hire or the CEO. Those choices affect cybersecurity and management of information assets. Put differently, cybersecurity is not just for "techies", nor is it a purely technical discipline. Every person is subject to cybercrime attacks and must decide how to respond. Managers, executives, and owners must make critical choices about how to protect their organization, including from the Three Priority Cybercrime Threats.
Good decisions can help manage risks
To protect information assets properly, we need to apply proper risk management principles, and consider the threats and potential harms. The threats include cybercrime, natural disaster, and more. The potential harms can be varied and significant. Risk should be managed, but risk can never be eliminated.
Individuals and organizations should focus on the Three Priority Cybercrimes:
Reasonable cybersecurity is a requirement for every organization. Further, there are laws and regulations that impose requirements for cybersecurity and what organizations must do after a cybercrime. Compliance with these rules is necessary.
I focus on the dual and related goals of (1) preventing cybercrime and (2) complying with legal requirements.
Good planning and preparation usually require written documents
Cybersecurity and privacy are a complex mixture of risk, technology, crime, protection, compliance, long-term strategy, and short-term tactics.
For organizations this typically means written documents will be required, such as having quality policies and procedures in place. Consider my Five Components for Policy Work (more later).
The three objectives of information security
There are three objectives (goals) of information security, which you can remember with the initialism of "CIA". Protect the confidentiality, integrity, and availability of information assets.
- Confidentiality means keeping unauthorized users from accessing the systems or data.
- Integrity means that only authorized users can make changes.
- Availability means that authorized users can access their systems and data when needed.
The three types of controls for information security
In order to achieve the three objectives, organizations (and individuals) should apply appropriate controls, also known as safeguards. You can remember these with the initialism of “PAT”, which stands for physical, administrative, and technical controls.
- Physical controls restrict physical access in one way or another.
- Administrative controls include rules, policies, and training.
- Technical controls are electronic protections, such as a firewall, antivirus, or monitoring software.
Thus, cybersecurity is about more than just technical controls and electronic wizardry. Nearly every cyber incident involves a significant human element, and often there were choices that -- in hindsight -- were not good. Thus my emphasis on my first pillar of cybersecurity (knowledge and awareness) and having good policies (internal rules) in place.
There are other ways to categorize controls as well (for example, preventive, detective, corrective) but that can get murky. So I like to put the main focus on the above PAT controls.
Authentication and least privilege
Another information security concept to consider is authentication, the process through which an information system verifies the identity of the user. There are three factors of authentication:
- Something you know (like a password)
- Something you have (like a smart phone), and
- Something you are (like your fingerprint or facial features).
Then there is the principle of least privilege: users should get the abilities they need to do their work, but no more than that.
Cybersecurity is about protecting the organization from cybercrime and protecting information assets. Privacy is a broader discipline, and for organizations it means information privacy -- protecting the consumer and employee data the organization holds. This type of privacy will always include a cybersecurity component, plus other considerations on collection, storage, sharing, choice, and more.
Now consider that laws, regulations, and other "external rules" may impose requirements on an organization that affect what it must or should do. I explain how organizations should align these external rules with internal rules and action in my article on Bandler's Three Platforms to Connect. I also provide more information about what these external rules are in my article on Cybersecurity Laws and Regulations (part 1). These laws include data breach notification, reasonable cybersecurity requirements, privacy rules, negligence law, contract requirements, and more. Applicable laws might come from the federal government or various state governments, and there are rules and regulations for certain sectors and professions, such as finance and health.
Written documentation (policies and procedures) and internal rules
As mentioned earlier, almost every organization needs written documentation on its cybersecurity program. This could include a cybersecurity policy or written information security program (WISP) and incident response plan (IRP). These documents need to be high quality, practical, and followed by organization members. Having it just "on paper" without following it does not count, or arguably is even worse than not having it at all.
Most organizations need to devote some resources and expertise to build and maintain good cybersecurity policies. If they have the time and expertise to build them internally, that is great. Some will need to seek external assistance (I can help there) and should always remain involved in the process.
Building this documentation is part of the creation of "internal rules", which I discuss more here.
A few organizations are very small or just starting, lack resources, and are not ready to hire a cyber professional (or perhaps never will). But they still need to have reasonable cybersecurity and (I think) they need to have a good internal policy. For them I offer the free resources on this site, and I have created and offer my free cybersecurity policy. I am proud of this free policy but always remind people that it is only for the smallest of organizations, which cannot afford professional assistance, and it is not a substitute for professional advice.
External guidance including frameworks
As we plan an information security program, we realize that cybersecurity can require a level of detail and complexity that many very smart people have been thinking about for a long time. To deal with this complexity without reinventing the wheel, organizations might seek out and follow a cybersecurity or information security framework to help them with their cybersecurity program. I call this “guidance” for organizations, to distinguish it from the external rules. A well known example is the NIST Cybersecurity Framework (official name "Framework for Improving Critical Infrastructure").
Many of these frameworks are excellent, but they are also complex and technical. This means that the average person may not understand them, and they are too complex for individual use, small businesses, and many medium-sized businesses, which are not yet ready for them. That is why I created my simple framework, "Bandler’s Four Pillars of Cybersecurity", which is ideal for individuals and small and medium-sized businesses (SMBs). This intuitive concept provides focus on four critical areas:
- Build knowledge and awareness
- Secure computer devices
- Secure data, and
- Secure networks and Internet usage.
Repeat! It is a continual process of improvement.
Five components for policy work
The above evolved into the Five Components for Policy Work:
- Mission and business needs: The reason the organization exists in the first place.
- External rules: Laws, regulations, and other legal requirements.
- External guidance: Helpful and relevant voluntary guides to our policies and actions.
- Internal rules: Policies, procedures, and more (that currently exist).
- Practice or action: What is actually done.
More in my article Five Components for Policy Work, linked to below.
Everyone should have a foundational knowledge of cybersecurity because no individual or organization is immune from cybercrime, and because good decisions on cybersecurity and technology require this knowledge.
I have many more free resources on this site, and my books dive deeper.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is (of course) not legal advice nor consulting advice, nor is it tailored to your circumstances.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, contact me.
- Cybersecurity Tips from John Bandler (single page tip sheet)
- Five Components for Policy Work
- Bandler's Three Platforms to Connect
- Bandler's Fourth Platform to Connect
- Cybersecurity forms for the home or small office
- The Three Priority Cybercrime Threats
- Cybercrime Frauds Involving Email and Funds Transfers (Email based funds transfer frauds, like business email compromise (BEC) and CEO fraud)
- Data Breaches
- Bandler's Four Pillars of Cybersecurity
- Free Cybersecurity Policy
- Cybersecurity, Privacy, You, and Your Organization
- Policies and Procedures
- Policies, Procedures, and Governance of an Organization
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
- Cybersecurity Frameworks and Guidance
This article is hosted at https://johnbandler.com/introduction-cybersecurity-information-security. Copyright John Bandler, all rights reserved.
A version of this article is available on Medium.com, at https://johnbandler.medium.com/introduction-to-cybersecurity-and-information-security-3be68511140a (though not kept as current).
Page posted 5/9/2021. Updated 2/12/2023