Introduction to Cybersecurity and Information Security By John Bandler
Information security is the process of protecting information, whatever form that information takes. We store and communicate information in many ways and forms, and information security is about protecting it. The need for information security has existed for millennia, and there is a well established profession devoted to it. Cybersecurity is a newer and indispensable subset of information security, focused on protecting information assets in digital form. Organizations should build comprehensive and holistic information security programs, which will encompass cybersecurity.
This brief and introductory article is designed to get you started on this concept, and additional resources are provided below.
To protect information assets properly, we need to apply proper risk management principles, and consider the threats and potential harms. The threats include cybercrime, natural disaster, and more. The potential harms are varied and significant so risk should be managed, but risk can never be eliminated. Individuals and organizations should focus on three priority cybercrimes, data breach, ransomware, and email based funds transfer frauds (click the links to see my articles on each topic). As a matter of good management, reasonable cybersecurity is a requirement for organizations. Further, there are laws and regulations that impose requirements for cybersecurity, and certain actions after a cybercrime. Compliance with these rules is necessary.
There are three objectives (goals) of information security, which you can remember with the initialism of "CIA". Protect the confidentiality, integrity, and availability of information assets. Confidentiality means keeping unauthorized users from accessing the systems or data. Integrity means that only authorized users can make changes. Availability means that authorized users can access their systems and data when needed.
In order to achieve the three objectives, organizations (and individuals) should apply appropriate controls, also known as safeguards. You can remember these with the initialism of “PAT”, which stands for physical, administrative, and technical. Physical controls restrict physical access in one way or another. Administrative controls include rules, policies, and training. Technical controls are electronic protections, such as a firewall, antivirus, or monitoring software. Thus, cybersecurity is about more than just technical controls and electronic wizardry. Nearly every cyber incident involves a significant human element, and the role of policies and training is significant, thus my emphasis on my first pillar of cybersecurity, knowledge and awareness.
Another information security concept to consider is authentication, the process through which an information system identifies the user. There are three factors of authentication, something you know (like a password), something you have (like a smart phone), and something you are (like your fingerprint or facial features). Also consider the principle of least privilege: users should get the abilities they need to do their work, but no more than that.
The above is information security and cybersecurity in really simple terms, and a great starting point.
Now consider that laws, regulations, and other "external rules" may impose requirements on an organization that affects what they should do. I cover this in a two part article on Cybersecurity Laws and Regulations starting here. These laws address data breach notification, reasonable cybersecurity requirements, privacy rules, negligence law, contract requirements, and more. Applicable laws might come from federal government, various state governments, and there are rules and regulations for certain sectors and professions, such as finance and health.
Further, consider that cybersecurity can require a level of detail and complexity, which many very smart people have been thinking about for a long time. I will cover that in a short article titled Cybersecurity Frameworks and Guidance (also to be completed "some day"). To deal with this complexity, and not reinvent wheels, organizations might seek and follow cybersecurity or information security framework to help them with their cybersecurity program. I call this “guidance” for organizations, to distinguish it from the external rules. A well known example is the NIST Cybersecurity Framework (official name "Framework for Improving Critical Infrastructure").
But such frameworks might be overly complex for individuals, small businesses, and many medium sized businesses, who are not yet ready for them. Those cybersecurity frameworks are are difficult for people outside of the information technology and information security professions to understand. Individuals and small, medium businesses (SMB) should consider my simple framework, termed "Bandler’s Four Pillars of Cybersecurity". This intuitive concept provides for focus on four critical areas, (i) knowledge and awareness, (ii) computer devices, (iii) data, and (iv) networks and internet usage.
Having a basic knowledge of cybersecurity is essential for everyone today, no individual or organization is immune from cybercrime.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for anyone in need of a quick summary, including students, clients, and those seeking to learn about and improve their cybersecurity.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, contact me.
Some additional helpful articles and resources on this site (including information about my two books) include:
- Cybersecurity Tips from John Bandler (single page tip sheet)
- Cybersecurity forms for the home or small office
- Cybercrime Frauds Involving Email and Funds Transfers (Email based funds transfer frauds, like business email compromise (BEC) and CEO fraud)
- Data Breaches
- Bandler's Four Pillars of Cybersecurity
- Cybersecurity for the Home and Office (page about my first book) Chapter 4 is devoted to introducing the reader to information security and cybersecurity.
- Cybercrime Investigations (page about my second book). Chapter 4 is devoted to introducing the reader to information security and cybersecurity.
- The Need for Improved Cybercrime Investigations: Why We Wrote This Book
- Cybersecurity, Privacy, You, and Your Organization
- Policies, Procedures, and Governance of an Organization
- New York Cybersecurity Requirements and the SHIELD Act
- Privacy, You, Your Organization, and the New NIST Privacy Framework
- Cybersecurity Laws and Regulations Part 1 (general legal overview)
- Cybersecurity Laws and Regulations Part 2 (listing and brief summary of some laws and regulations)
- Cybersecurity Frameworks and Guidance (Coming someday)
This article is hosted at https://johnbandler.com/introduction-cybersecurity-information-security. Copyright John Bandler, all rights reserved.
A version of this article is available on Medium.com, at https://johnbandler.medium.com/introduction-to-cybersecurity-and-information-security-3be68511140a (though perhaps not kept as current).
Page posted 5/9/2021. Updated 9/19/2021.