Introduction to Cybersecurity and Information Security
Learn about cybersecurity to protect yourself and your organization, and to improve your decision making. This article gets you started, more resources are provided within and at the end.
Information security is the process of protecting information, whatever form that information takes. We store and communicate information in many ways and forms, and information security is about protecting it. The need for information security has existed for millennia, and there is a well established profession devoted to it. Cybersecurity is a newer and essential subset of information security, focused on protecting information assets in digital form, and also protecting from myriad cybercrimes. Organizations should build a comprehensive information security program and seek continual improvement.
This brief and introductory article is designed to get you started on this concept, with links for additional detail.
It starts with people and good decision making
Cybersecurity starts with people, at every level of every organization. Every person makes decisions, whether the newest hire or the CEO. Those choices affect cybersecurity and management of information assets. Put differently, cybersecurity is not just for “techies”, nor is it a purely technical discipline. Every person is subject to cybercrime attacks and must decide how to respond. Managers, executives, and owners must make critical choices about how to protect their organization, including from the Three Priority Cybercrime Threats.
Good decisions can help manage risks
To protect information assets properly, we need to apply proper risk management principles, and consider the threats and potential harms. The threats include cybercrime, natural disaster, and more. The potential harms can be varied and significant. Risk should be managed, but risk can never be eliminated. Individuals and organizations should focus on the Three Priority Cybercrimes:
Reasonable cybersecurity is a requirement for every organization. Further, there are laws and regulations that impose requirements for cybersecurity and what organizations must do after a cybercrime. Compliance with these rules is necessary.
I focus on the dual and related goals of (1) prevent cybercrime and (2) comply with legal requirements.
Good planning and preparation usually requires written documents
Cybersecurity and privacy is a complex mixture of risk, technology, crime, protection, compliance, long term strategy and short term tactics.
For organizations this typically means written documents will be required, such as having quality policies and procedures in place. More on this later.
The three objectives of information security
There are three objectives (goals) of information security, which you can remember with the initialism of “CIA”. Protect the confidentiality, integrity, and availability of information assets.
- Confidentiality means keeping unauthorized users from accessing the systems or data.
- Integrity means that only authorized users can make changes.
- Availability means that authorized users can access their systems and data when needed.
The three types of controls for information security
In order to achieve the three objectives, organizations (and individuals) should apply appropriate controls, also known as safeguards. You can remember these with the initialism of “PAT”, which stands for physical, administrative, and technical controls.
- Physical controls restrict physical access in one way or another.
- Administrative controls include rules, policies, and training.
- Technical controls are electronic protections, such as a firewall, antivirus, or monitoring software.
Thus, cybersecurity is about more than just technical controls and electronic wizardry. Nearly every cyber incident involves a significant human element, and often there were choices that — in hindsight — were not good. Thus my emphasis on my first pillar of cybersecurity (knowledge and awareness) and having good policies (internal rules) in place.
Authentication and least privilege
Another information security concept to consider is authentication, the process through which an information system identifies the user. There are three factors of authentication:
- Something you know (like a password)
- Something you have (like a smart phone), and
- Something you are (like your fingerprint or facial features).
Then there is the principle of least privilege: users should get the abilities they need to do their work, but no more than that.
External rules
Now consider that laws, regulations, and other “external rules” may impose requirements on an organization that affects what they should do. I explain how organizations should align these external rules with internal rules and action in my article on Bandler’s Three Platforms to Connect. I also provide more information about what these external rules are in my first article on Cybersecurity Laws and Regulations. These laws include data breach notification, reasonable cybersecurity requirements, privacy rules, negligence law, contract requirements, and more. Applicable laws might come from federal government, various state governments, and there are rules and regulations for certain sectors and professions, such as finance and health.
External guidance including frameworks
As we plan an information security program, we realize that cybersecurity can require a level of detail and complexity, which many very smart people have been thinking about for a long time. To deal with this complexity and not reinvent wheels organizations might seek and follow cybersecurity or information security framework to help them with their cybersecurity program. I call this “guidance” for organizations, to distinguish it from the external rules. A well known example is the NIST Cybersecurity Framework (official name “Framework for Improving Critical Infrastructure”).
Many of these frameworks are excellent, but also are complex and technical. This means that the average person may not understand them, and they are too complex for individual use, small businesses, and many medium sized businesses, who are not yet ready for them. That is why I created my simple framework, “Bandler’s Four Pillars of Cybersecurity” which is ideal for individuals and small and medium sized businesses (SMB). This intuitive concept provides for focus on four critical areas:
- Build knowledge and awareness
- Secure computer devices
- Secure data, and
- Secure networks and Internet usage.
Repeat! It is a continual process of improvement.
Written documentation (policies and procedures) and internal rules
As mentioned earlier, almost every organization needs written documentation on its cybersecurity program. This could include a cybersecurity policy or written information security program (WISP) and incident response plan (IRP). These documents need to be high quality, practical, and followed by organization members. Having it just “on paper” without following it does not count, or arguably is even worse than not having it at all.
Most organizations need to devote some resources and expertise to build and maintain good cybersecurity policies. If they have the time and expertise to build them internally, that is great. Some will need to seek external assistance (I can help there) and should always remain involved in the process.
Building this documentation is part of the creation of “internal rules”, which I discuss more here.
A few organizations are very small or just starting and lack resources and are not ready or perhaps never will hire a cyber professional. But they still need to have reasonable cybersecurity and (I think) they need to have a good internal policy. For them I offer the free resources on this site and have created and offer my free cybersecurity policy. I am proud of this free policy but always remind people that it is only for the smallest of organizations which can not afford professional assistance, and it is not a substitute for professional advice.
Conclusion
Everyone should have a foundational knowledge of cybersecurity because no individual or organization is immune from cybercrime, and because good decisions on cybersecurity and technology require this knowledge.
I have many more free resources on my site, and my books dive deeper.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is (of course) not legal advice nor consulting advice, nor is it tailored to your circumstances.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, contact me.
Additional reading
This article is also hosted at my website at https://johnbandler.com/introduction-cybersecurity-information-security/ where I provide many additional resources and it may be updated more frequently.
Copyright John Bandler all rights reserved.
Posted to Medium on 5/15/2021, last updated here on 8/3/2022.