Introduction to Cybersecurity and Information Security

By John Bandler

Information security is the process of protecting information, whatever form that information takes. We store and communicate information in many ways and forms, and information security is about protecting it. The need for information security has existed for millennia, and there is a well-established profession devoted to it. Cybersecurity is a newer and essential subset of information security, focused on protecting information assets in digital form and on protecting against myriad cybercrimes. Organizations should build a comprehensive information security program and seek continual improvement.

This brief and introductory article is designed to get you started on this concept, and additional resources are provided below.

It starts with people and good decision making

Cybersecurity starts with people, at every level of every organization. Every person makes decisions, whether the newest hire or the CEO. Those choices affect cybersecurity and management of information assets. Put differently, cybersecurity is not just for "techies", nor is it a purely technical discipline. Every person is subject to cybercrime attacks and must decide how to respond. Managers, executives, and owners must make critical choices about how to protect their organization, including from the Three Priority Cybercrime Threats.

Good decisions can help manage risks

To protect information assets properly, we need to apply proper risk management principles, and consider the threats and potential harms. The threats include cybercrime, natural disaster, and more. The potential harms can be varied and significant. Risk should be managed, but risk can never be eliminated. Individuals and organizations should focus on the Three Priority Cybercrimes:

Reasonable cybersecurity is a requirement for every organization. Further, there are laws and regulations that impose requirements for cybersecurity and what organizations must do after a cybercrime. Compliance with these rules is necessary.

I focus on the dual and related goals of (1) preventing cybercrime and (2) complying with legal requirements.

The three objectives of information security

There are three objectives (goals) of information security, which you can remember with the initialism of "CIA". Protect the confidentiality, integrity, and availability of information assets.

  • Confidentiality means keeping unauthorized users from accessing the systems or data.
  • Integrity means that only authorized users can make changes.
  • Availability means that authorized users can access their systems and data when needed.

The three types of controls for information security

In order to achieve the three objectives, organizations (and individuals) should apply appropriate controls, also known as safeguards. You can remember these with the initialism of "PAT", which stands for physical, administrative, and technical controls.

  • Physical controls restrict physical access in one way or another.
  • Administrative controls include rules, policies, and training.
  • Technical controls are electronic protections, such as a firewall, antivirus, or monitoring software.

Thus, cybersecurity is about more than just technical controls and electronic wizardry. Nearly every cyber incident involves a significant human element, and often there were choices that -- in hindsight -- were not good. Thus my emphasis on my first pillar of cybersecurity (knowledge and awareness) and having good policies (internal rules) in place.

Authentication and least privilege

Another information security concept to consider is authentication, the process through which an information system identifies the user. There are three factors of authentication:

  • Something you know (like a password),
  • Something you have (like a smartphone), and
  • Something you are (like your fingerprint or facial features).

Then there is the principle of least privilege: users should get the abilities they need to do their work, but no more than that.

External rules

Now consider that laws, regulations, and other "external rules" may impose requirements on an organization that affect what it should do. I explain how organizations should align these external rules with internal rules and action in my article on Bandler's Three Platforms to Connect. I also provide more information about what these external rules are in the first of my two articles on Cybersecurity Laws and Regulations. These laws include data breach notification, reasonable cybersecurity requirements, privacy rules, negligence law, contract requirements, and more. Applicable laws might come from the federal government or from various state governments, and there are additional rules and regulations for certain sectors and professions, such as finance and health.

Frameworks and other guidance

As we plan an information security program, we realize that cybersecurity can require considerable detail and complexity, something many very smart people have been thinking about for a long time. To deal with this complexity, and not reinvent wheels, organizations might seek out and follow a cybersecurity or information security framework to help them with their cybersecurity program. I call this "guidance" for organizations, to distinguish it from the external rules. A well known example is the NIST Cybersecurity Framework (official name "Framework for Improving Critical Infrastructure").

Bandler's Four Pillars of Cybersecurity

Many of these frameworks are excellent, but they are also complex and technical. This means that the average person may not understand them, and they are too complex for individuals, small businesses, and many medium-sized businesses that are not yet ready for them. That is why I created my simple framework, "Bandler's Four Pillars of Cybersecurity", which is ideal for individuals and small and medium-sized businesses (SMB). This intuitive concept focuses attention on four critical areas:

  • Build knowledge and awareness
  • Secure computer devices
  • Secure data, and
  • Secure networks and Internet usage.

Repeat!

Written documentation (policies and procedures)

Almost every organization needs written documentation on its cybersecurity program, such as a cybersecurity policy or written information security program (WISP) and an incident response plan (IRP). These documents need to be of good quality and actually followed by organization members. Having them just "on paper" doesn't count (or arguably can be worse than not having them at all). I discuss these documents more in my article on Policies and Procedures.

Most organizations need to devote some resources and expertise to build and maintain good cybersecurity policies. If they have the time and expertise to build them in house, that is great. Some will need to seek external assistance (I can help there).

A few organizations are very small and lack resources and are unlikely ever to hire a professional. But they still need good cybersecurity, and I think they need to have a good internal policy. For them I have created and offer my free cybersecurity policy. I am proud of this free policy, but remember it is only for the smallest of organizations that could not afford professional assistance, and it is not a substitute for professional advice.

Conclusion

Having a basic knowledge of cybersecurity is essential for everyone because no individual or organization is immune from cybercrime, and because making good decisions on cybersecurity is a responsibility of every member of an organization.

I have many more free resources on this site, and my books dive deeper.

This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is (of course) not legal advice nor consulting advice, nor is it tailored to your circumstances.

If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, contact me.

Additional reading

This article is hosted at https://johnbandler.com/introduction-cybersecurity-information-security. Copyright John Bandler, all rights reserved.

A version of this article is available on Medium.com, at https://johnbandler.medium.com/introduction-to-cybersecurity-and-information-security-3be68511140a (though not kept as current).

Page posted 5/9/2021. Updated 3/31/2022