8 Steps to Better Security. Kim Crawley
will take this entire chapter, at the least. But don't be dismayed. This book is designed for businesspeople, not computer nerds. By the time you're done reading the chapter, you'll be ready to initiate the security testing your company needs in order to face the ever-evolving cyber threat landscape with confidence. The security testing your company needs can be a combination of internal red team specialists and third-party penetration testers. They may need to test once per year or every time your network changes in a significant way. Don't know what a red team or penetration testing is? Then this chapter is definitely for you!
Chapter 5, “Step 5: Security Framework Application”: A cybersecurity framework is a set of standards that companies can base their security policies and procedures on. The most popular cybersecurity frameworks focus on how your business should prepare for and respond to cybersecurity incidents. Often companies can choose which framework is most useful for their organization. Unlike security regulation compliance, using a cybersecurity framework is optional, but highly recommended nonetheless. Also, unlike security regulation compliance, cybersecurity frameworks aren't usually tied to a particular state, province, or nation. The same frameworks are used by organizations around the world in many different countries and industries.
The NIST Cybersecurity Framework is the most widely implemented framework, and other frameworks have been inspired by it. Some of the other frameworks I cover in this chapter include ISO 27000 Cybersecurity Framework Series, CIS Cybersecurity Framework, and COBIT Cybersecurity Framework. I explain the basics of each of these frameworks and share what cybersecurity experts believe are their strengths and weaknesses. No matter what, though, your organization must have policies and procedures for preparing for and responding to security incidents. With proper preparation, cyber incidents will do much less harm to your organization, and you will save money in the long run.
Chapter 6, “Step 6: Control Your Data Assets”: Every bit of your organization's data is stored on at least one computing device. Whether your network is on the premises, on the cloud, or on a hybrid network. Whether your company has a bring-your-own-device policy or not. Whether your workers work in the corporate office or from their homes. Your organization must first determine where all of your data resides, how it's transmitted, and which entities own the devices, and then design policies and procedures for securing all of those devices.
These data assets not only contain intellectual property and sensitive data (such as login credentials and financial information), but also keep your business running each and every day. A retail business needs a constantly operating point-of-sale system. An online service needs an always-working web application. A dental practice needs their radiography machines to always work, and so on. Computers with downtime result in lots of lost revenue and customers. Your organization needs to fully understand and control all of your data assets to protect them from cyber incidents.
Chapter 7, “Step 7: Understand the Human Factor”: Many laypeople believe that successful cyberattacks require intense computer wizardry from cyberattackers, but the sad truth is that most cyber incidents, including the most destructive attacks, involve social engineering at one point or another. Fooling the people within your organization who have access to your computer systems is the most common way that cyber threat actors gain unlawful entry into your organization's networks. Phishing is a primary means of social engineering exploits. What is phishing? Phishing is when a threat actor uses a web page, text message, email, or social media post to imitate a trusted entity, such as a bank, a utility company, the government, or a well-known business. Even us cybersecurity professionals sometimes succumb to phishing attacks. We must never get overconfident. This chapter will cover how employees and contractors should be trained to prevent phishing attacks, as well as how to prevent other social engineering attacks, such as downloading Trojan malware. This chapter is also designed to consider how organizations have evolved during the Covid-19 pandemic to support many employees and contractors working from home for the first time.
Chapter 8, “Step 8: Build Redundancy and Resilience”: Any cyber incident or technical glitch that causes network downtime hurts your business's productivity. That loss of productivity has an immediate impact on your bottom line. Here's how to design networks with redundant capacity through the power of the cloud, how to properly back up your data and applications from threats like ransomware, and how to design hot sites and cold sites for business continuity in the face of potential disasters. Your organization needs backed-up data and extra computers to survive the cyber threats that can impact any entity.
Once we cover all eight steps, we finish with Chapter 9, “Afterword.” I have advice for implementing all eight of these steps. But my knowledge is augmented with tips from some of the world's top business cybersecurity professionals. So, as you prepare to improve the cybersecurity of your organization, you'll benefit from an amalgam of the best advice available.
Congratulations, you're ready to prepare your company for the evolving cyber threat landscape, no matter which country or industry you're in or the size of your business! Pat yourself on the back and then get to work. You can do it. I believe in you.
Chapter 1 Step 1: Foster a Strong Security Culture
People generally assume that cybersecurity is a technological area of study and take it for granted that cyber threat actors, called hackers by laypeople, must be computer geniuses. They have to have some mastery of computer programming code and an advanced understanding of how computer networks work. And if you take the Hollywood stereotype really seriously, then you probably believe that the most notorious cyberattackers work from an elaborate computer lab in their mom's basement, wearing a hoodie and typing at 400 words per minute. I imagine something like the movie War Games, but with a more 21st century–style presentation.
So, surely, if you're learning about cybersecurity, it's all about computer science stuff, right? You likely bought this book because you're a businessperson who wants to improve the security posture of your company. So, maybe you expect this book is about hiring the right supernerds for your IT department, and then you just let them do their technical wizardry. Why do you need eight steps for that? Step 1: hire computer experts. Step 2: don't think about cybersecurity ever again.
Actually, it's not that simple. Understanding computer technology is definitely a big part of understanding cybersecurity. But cybersecurity also overlaps with the arts and humanities. To understand cybersecurity properly, you must learn about the psychology of the interactions of people with computers. Then you must also learn the sociology of the interactions of groups of people with computers and how people within those groups influence each other's behavior. Cybersecurity is as much of a human area of study as it is a technological area of study.
The first step to improving your company's security posture is to foster a strong security culture. Culture doesn't manifest in the firmware code on your PC's motherboard. Culture is about the ideas, attitudes, and styles people create and maintain in their interactions with each other. Your company could have the best security policies and the most expensive network security devices. But if the people in your company don't behave in a secure way, improving your security posture will be an uphill battle.
From the balcony of my skyscraper condominium, I can see mighty maple trees thriving near Toronto's lakeshore. Those maple trees evolved over thousands of years to survive harsh Canadian winters. Their genes make them hardy, and they produce a resilient life-form. But if it weren't for the deep nutritious soil and sufficient annual precipitation in their environment, those maple trees wouldn't be able to grow and survive for hundreds of years. That's why you don't see maple trees growing in the desert.
Your company's security culture needs to be the nutritious soil and sufficient precipitation for the seeds and saplings of your computer hardware, software, networking, security policies, and security staff