Harden your business against internal and external cybersecurity threats with a single accessible resource.
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:
- Foster a strong security culture that extends from the custodial team to the C-suite
- Build an effective security team, regardless of the size or nature of your business
- Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
- Test your cybersecurity, including third-party penetration testing and internal red team specialists
Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes and in all industries.
Table of Contents
Foreword xi
Introduction xiii
Chapter 1: Step 1: Foster a Strong Security Culture 1
Kevin Mitnick, Human Hacker Extraordinaire 3
The Importance of a Strong Security Culture 5
Hackers Are the Bad Guys, Right? 6
What Is Security Culture? 7
How to Foster a Strong Security Culture 9
Security Leaders on Security Culture 12
What Makes a Good CISO? 13
The Biggest Mistakes Businesses Make When It Comes to Cybersecurity 14
The Psychological Phases of a Cybersecurity Professional 15
Chapter 2: Step 2: Build a Security Team 19
Why Step 2 Is Controversial 20
How to Hire the Right Security Team...the Right Way 28
Security Team Tips from Security Leaders 29
The “Culture Fit” - Yuck! 30
Cybersecurity Budgets 34
Design Your Perfect Security Team 35
Chapter 3: Step 3: Regulatory Compliance 39
What Are Data Breaches, and Why Are They Bad? 40
The Scary Truth Found in Data Breach Research 45
An Introduction to Common Data Privacy Regulations 49
The General Data Protection Regulation 49
The California Consumer Privacy Act 50
The Health Insurance Portability and Accountability Act 52
The Gramm-Leach-Bliley Act 52
Payment Card Industry Data Security Standard 53
Governance, Risk Management, and Compliance 53
More About Risk Management 54
Threat Modeling 55
Chapter 4: Step 4: Frequent Security Testing 57
What Is Security Testing? 58
Security Testing Types 58
Security Audits 58
Vulnerability Assessments Versus Penetration Testing 59
Red Team Testing 61
Bug Bounty Programs 61
What’s Security Maturity? 63
The Basics of Security Audits and Vulnerability Assessments 64
Log Early, Log Often 66
Prepare for Vulnerability Assessments and Security Audits 67
A Concise Guide to Penetration Testing 69
Penetration Testing Based on Network Knowledge 70
Penetration Testing Based on Network Aspects 73
Security Leaders on Security Maturity 76
Security Testing Is Crucial 78
Chapter 5: Step 5: Security Framework Application 79
What Is Incident Response? 80
Preparation 80
Identification or Analysis 82
Containment, Mitigation, or Eradication 83
Recovery 84
Post-incident 86
Your Computer Security Incident Response Team 86
Cybersecurity Frameworks 89
NIST Cybersecurity Framework 89
Identify 90
Protect 92
Detect 95
Respond 97
Recover 99
ISO 27000 Cybersecurity Frameworks 101
CIS Controls 102
COBIT Cybersecurity Framework 105
Security Frameworks and Cloud Security 106
Chapter 6: Step 6: Control Your Data Assets 109
The CIA Triad 110
Access Control 112
Patch Management 113
Physical Security and Your Data 115
Malware 116
Cryptography Basics 119
Bring Your Own Device and Working from Home 123
Data Loss Prevention 124
Managed Service Providers 126
The Dark Web and Your Data 128
Security Leaders on Cyber Defense 130
Control Your Data 132
Chapter 7: Step 7: Understand the Human Factor 133
Social Engineering 134
Phishing 139
What Can NFTs and ABA Teach Us About Social Engineering? 141
How to Prevent Social Engineering Attacks on Your Business 146
UI and UX Design 147
Internal Threats 148
Hacktivism 152
Chapter 8: Step 8: Build Redundancy and Resilience 155
Understanding Data and Networks 156
Building Capacity and Scalability with the Power of the Cloud 158
Back It Up, Back It Up, Back It Up 161
RAID 162
What Ransomware Taught Business About Backups 164
Business Continuity 167
Disaster Recovery 168
Chapter 9: Afterword 173
Step 1 173
The Most Notorious Cyberattacker Was Actually a Con Man 174
A Strong Security Culture Requires All Hands on Deck 174
Hackers Are the Good Guys, Actually 174
What Is Security Culture? 175
What Makes a Good CISO? 175
The Psychological Phases of a Cybersecurity Professional 176
Recommended Readings 177
Step 2 178
Tackling the Cybersecurity Skills Gap Myth 178
Take “Culture Fit” Out of Your Vocabulary 179
Your Cybersecurity Budget 180
Recommended Readings 180
Step 3 181
Data Breaches 181
Data Privacy Regulations 182
Risk Management 183
Recommended Readings 183
Step 4 184
Security Audits 184
Vulnerability Assessments 185
Penetration Testing 185
Bug Bounty Programs 185
Recommended Reading 186
Step 5 187
Incident Response 187
Cybersecurity Frameworks 187
Recommended Reading 188
Step 6 188
The CIA Triad 188
Access Control 189
Patch Management 189
Physical Security 189
Malware 189
Cryptography 190
BYOD and Working from Home 190
Data Loss Prevention 191
Managed Service Providers 191
Recommended Reading 191
Step 7 192
Social Engineering 192
UI and UX Design 193
Internal Threats 193
Recommended Readings 194
Step 8 194
Cloud Networks 195
Data Backups 195
Business Continuity and Disaster Recovery 196
Recommended Readings 196
Keeping Your Business Cyber Secure 197
Index 199