Information security is the process of protecting information, whatever form that information takes. We store and communicate information in many ways and forms, and information security is about protecting it. The need for information security has existed for millennia, and there is a well established profession devoted to it. Cybersecurity is a newer and indispensable subset of information security, focused on protecting information assets in digital form. Organizations should build comprehensive and holistic information security programs, which will encompass cybersecurity.
This brief and introductory article is designed to get you started on this concept, and additional resources are provided below.
To protect information assets properly, we need to apply proper risk management principles and consider the threats and potential harms. The threats include cybercrime, natural disaster, and more. The potential harms are varied and significant, so risk should be managed, but risk can never be eliminated. Individuals and organizations should focus on three priority cybercrimes: data breach, ransomware, and email-based funds transfer frauds (I have written separate articles on each topic). As a matter of good management, reasonable cybersecurity is a requirement for organizations. Further, there are laws and regulations that impose requirements for cybersecurity, and for certain actions after a cybercrime. Compliance with these rules is necessary.
There are three objectives (goals) of information security, which you can remember with the initialism of “CIA”. Protect the confidentiality, integrity, and availability of information assets. Confidentiality means keeping unauthorized users from accessing the systems or data. Integrity means that only authorized users can make changes. Availability means that authorized users can access their systems and data when needed.
In order to achieve the three objectives, organizations (and individuals) should apply appropriate controls, also known as safeguards. You can remember these with the initialism of “PAT”, which stands for physical, administrative, and technical. Physical controls restrict physical access in one way or another. Administrative controls include rules, policies, and training. Technical controls are electronic protections, such as a firewall, antivirus, or monitoring software. Thus, cybersecurity is about more than just technical controls and electronic wizardry. Nearly every cyber incident involves a significant human element, and the role of policies and training is significant, hence my emphasis on the first of my pillars of cybersecurity, knowledge and awareness.
Another information security concept to consider is authentication, the process through which an information system verifies the identity of the user. There are three factors of authentication: something you know (like a password), something you have (like a smartphone), and something you are (like your fingerprint or facial features). Also consider the principle of least privilege: users should get the abilities they need to do their work, but no more than that.
The above is information security and cybersecurity in really simple terms, and a great starting point.
Now consider that laws, regulations, and other “external rules” may impose requirements on an organization that affect what it should do. I will cover that in a short article titled Cybersecurity Laws and Regulations, to be completed some day. These laws address data breach notification, reasonable cybersecurity requirements, privacy rules, negligence law, contract requirements, and more. Applicable laws might come from the federal government and from various state governments, and there are rules and regulations for certain sectors and professions, such as finance and health.
Further, consider that cybersecurity can require a level of detail and complexity, which many very smart people have been thinking about for a long time. I will cover that in a short article titled Cybersecurity Frameworks and Guidance (also to be completed “some day”). To deal with this complexity, and not reinvent wheels, organizations might seek out and follow a cybersecurity or information security framework to help them with their cybersecurity program. I call this “guidance” for organizations, to distinguish it from the external rules. A well known example is the NIST Cybersecurity Framework (official name “Framework for Improving Critical Infrastructure”).
But such frameworks might be overly complex for individuals, small businesses, and many medium-sized businesses that are not yet ready for them. Those cybersecurity frameworks are difficult for people outside of the information technology and information security professions to understand. Individuals and small and medium-sized businesses (SMBs) should consider my simple framework, termed “Bandler’s Four Pillars of Cybersecurity”. This intuitive concept provides for focus on four critical areas: (i) knowledge and awareness, (ii) computer devices, (iii) data, and (iv) networks and internet usage.
This is a brief summary with simplifications, attempting to bring complex subject matter to all readers in an understandable and accessible manner. This article is for anyone in need of a quick summary, including students, clients, and potential clients. It is not legal advice nor consulting advice, and is not tailored to your circumstances.
If your organization needs help to protect from cybercrime, improve cybersecurity, create or improve policies, or comply with cybersecurity related laws and regulations, feel free to contact me.
This article is also hosted at my website at https://johnbandler.com/introduction-cybersecurity-information-security/ where I provide many additional resources. Chapter 4 of each of my books discusses this topic in greater detail, and my website has many helpful and practical articles.
Page posted 5/15/2021, updated 6/4/2021.