Bandler’s Four Pillars of Cybersecurity
My Four Pillars of Cybersecurity model is a user-friendly cybersecurity framework which small and mid-sized organizations (and individuals) can use as guidance for their cybersecurity plan and practice. It consists of continual improvement of:
- Knowledge and awareness of cybercrime threats, information security, technology, and legal requirements
- Protection of computing devices
- Protection of data
- Protection of networks and safe use of the internet.
The beauty of this conceptual framework is its simplicity and efficiency. It is understandable and accessible to every person, from the newest hire to the head of the organization, and importantly for those without a technical background. That is essential because cybersecurity is for everyone, from the end users to the leaders who make important decisions about information assets. The Four Pillars of Cybersecurity involves focus on these important areas, with continual and cyclical growth and improvement. Let’s review each pillar.
1. Knowledge and awareness
Imagine trying to secure your home without knowing how a door operates, or how to engage the lock. Imagine trying to drive a car safely without understanding the basic principles of how a car works, the rules of the road, or the basic rules of physics that we learn with common sense (e.g. we cannot navigate that curve at 100 mph, nor can we survive a crash at that speed).
Every employee needs a degree of knowledge and awareness to make good decisions. The employee’s lack of knowledge might result in a devastating cybercrime. The organization head’s lack of knowledge might result in disastrous decisions regarding information technology and security.
Knowledge and awareness should extend to:
- Legal requirements
- Organization internal rules (including written policies, procedures, and more)
- Cybercrime threats, including:
  - Social engineering (con artistry) and similar threats aimed at people
  - Email-based funds transfer frauds (“business email compromise” and “CEO Fraud”)
  - Phishing
  - Malware, including ransomware
  - Data breaches and data theft
  - Identity theft
- Privacy threats
- Basic information security principles
- How computers work
- How networks and the internet work
- How to implement basic security measures and make good security decisions
- The importance of cybersecurity in the home, and how security at work and home are interrelated
- How working remotely creates security risks.
2. Protection of computing devices
Computing devices need to be secured. This includes smartphones, tablets, laptops, desktops, servers, networking devices, and more. This means:
- Inventory all devices, and develop a process for bringing them into service securely (commissioning) and taking them out of service securely when no longer needed (decommissioning).
- Ensure physical security and control over these devices. Devices need to be protected from loss, damage, or theft.
- Proper device configuration.
- Updating (patching) of devices.
- Malware protection.
- Intrusion protection.
- Controlled access.
- Periodic review of security and privacy settings.
3. Protection of data
Data needs to be protected from breach, and needs to remain available when needed. Certain data breaches could trigger legal reporting requirements. This means:
- Inventory data (to a reasonable degree of detail).
- Secure cloud accounts properly with complex, unique passwords and a second factor of authentication (multi-factor authentication, MFA, or 2FA).
- Control access to data.
- Secure data in a manner commensurate with its sensitivity.
- Encrypt certain data where warranted.
- Delete unneeded data.
- Back up data regularly.
4. Protection of networks and safe use of the internet
Data is constantly flowing between our internal devices and through the internet. Key concepts include:
- Inventory network hardware and physically secure it.
- Routers and switches are securely configured, including:
  - Unique (non-default) passwords
  - Kept updated (patched)
  - Unneeded features disabled
- Wi-Fi networks are encrypted and require a strong password to join. The password is changed periodically.
- Consider intrusion prevention and monitoring.
- Be conscious of the route that data takes.
- Avoid or minimize the use of public networks.
- Encrypt data in transit whenever practical.
- Encrypt certain data at the file level for transmittal.
A quick word on other cybersecurity and information security frameworks
There are many cybersecurity frameworks out there, which I will discuss in more detail in a future article. These other frameworks are written by excellent teams of smart people in excellent organizations, but are geared for readers with a high degree of technology and information security knowledge, and for organizations with mature information security programs. This means they are too technical for most individuals to understand, and for most small and mid-sized organizations to implement. In contrast, my Four Pillars framework is well suited to individuals, small organizations, and many medium-sized organizations. It is also a helpful tool for individuals in larger organizations to better comprehend the cybersecurity framework their organization has adopted. Should an organization using the Four Pillars framework grow in size and maturity to the point where it requires a more complex framework, it is simple for the organization to begin a transition by supplementing with more complex and detailed guidance, such as the NIST Cybersecurity Framework or the CIS Twenty Critical Security Controls.
My Four Pillars of Cybersecurity will serve individuals, small businesses, and most medium-sized businesses well. The framework is also conceptually helpful for individuals in larger organizations seeking to understand basic cybersecurity principles.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for anyone in need of a quick summary, including students, clients, and those seeking to learn about and improve their cybersecurity. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
Additional Reading & Learning
This article is also hosted at my website at https://johnbandler.com/bandlers-four-pillars-of-cybersecurity/, where I include links for additional reading, and it may be kept more current and with improved formatting.
Copyright John Bandler, all rights reserved.
Posted 8/18/2021. Updated 9/17/2021.