Harden your business against internal and external cybersecurity threats with a single accessible resource.

In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.

Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:

• Foster a strong security culture that extends from the custodial team to the C-suite
• Build an effective security team, regardless of the size or nature of your business
• Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
• Test your cybersecurity, including third-party penetration testing and internal red team specialists

Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.

Foreword xi

Introduction xiii

Chapter 1: Step 1: Foster a Strong Security Culture 1

Kevin Mitnick, Human Hacker Extraordinaire 3

The Importance of a Strong Security Culture 5

Hackers Are the Bad Guys, Right? 6

What is Security Culture? 7

How to Foster a Strong Security Culture 9

Security Leaders on Security Culture 12

What Makes a Good CISO? 13

The Biggest Mistakes Businesses Make When It Comes to Cybersecurity 14

The Psychological Phases of a Cybersecurity Professional 15

Chapter 2: Step 2: Build a Security Team 19

Why Step 2 is Controversial 20

How to Hire the Right Security Team. . .the Right Way 28

Security Team Tips from Security Leaders 29

The “Culture Fit”—Yuck! 30

Cybersecurity Budgets 34

Design Your Perfect Security Team 35

Chapter 3: Step 3: Regulatory Compliance 39

What Are Data Breaches, and Why Are They Bad? 40

The Scary Truth Found in Data Breach Research 45

An Introduction to Common Data Privacy Regulations 49

The General Data Protection Regulation 49

The California Consumer Privacy Act 50

The Health Insurance Portability and Accountability Act 52

The Gramm-Leach-Bliley Act 52

Payment Card Industry Data Security Standard 53

Governance, Risk Management, and Compliance 53

More About Risk Management 54

Threat Modeling 55

Chapter 4: Step 4: Frequent Security Testing 57

What is Security Testing? 58

Security Testing Types 58

Security Audits 58

Vulnerability Assessments Versus Penetration Testing 59

Red Team Testing 61

Bug Bounty Programs 61

What’s Security Maturity? 63

The Basics of Security Audits and Vulnerability Assessments 64

Log Early, Log Often 66

Prepare for Vulnerability Assessments and Security Audits 67

A Concise Guide to Penetration Testing 69

Penetration Testing Based on Network Knowledge 70

Penetration Testing Based on Network Aspects 73

Security Leaders on Security Maturity 76

Security Testing is Crucial 78

Chapter 5: Step 5: Security Framework Application 79

What is Incident Response? 80

Preparation 80

Identification or Analysis 82

Containment, Mitigation, or Eradication 83

Recovery 84

Post-incident 86

Your Computer Security Incident Response Team 86

Cybersecurity Frameworks 89

NIST Cybersecurity Framework 89

Identify 90

Protect 92

Detect 95

Respond 97

Recover 99

ISO 27000 Cybersecurity Frameworks 101

CIS Controls 102

COBIT Cybersecurity Framework 105

Security Frameworks and Cloud Security 106

Chapter 6: Step 6: Control Your Data Assets 109

The CIA Triad 110

Access Control 112

Patch Management 113

Physical Security and Your Data 115

Malware 116

Cryptography Basics 119

Bring Your Own Device and Working from Home 123

Data Loss Prevention 124

Managed Service Providers 126

The Dark Web and Your Data 128

Security Leaders on Cyber Defense 130

Control Your Data 132

Chapter 7: Step 7: Understand the Human Factor 133

Social Engineering 134

Phishing 139

What Can NFTs and ABA Teach Us About Social Engineering? 141

How to Prevent Social Engineering Attacks on Your Business 146

UI and UX Design 147

Internal Threats 148

Hacktivism 152

Chapter 8: Step 8: Build Redundancy and Resilience 155

Understanding Data and Networks 156

Building Capacity and Scalability with the Power of the Cloud 158

Back It Up, Back It Up, Back It Up 161

RAID 162

What Ransomware Taught Business About Backups 164

Business Continuity 167

Disaster Recovery 168

Chapter 9: Afterword 173

Step 1 173

The Most Notorious Cyberattacker Was Actually a Con Man 174

A Strong Security Culture Requires All Hands on Deck 174

Hackers Are the Good Guys, Actually 174

What Is Security Culture? 175

What Makes a Good CISO? 175

The Psychological Phases of a Cybersecurity Professional 176

Recommended Readings 177

Step 2 178

Tackling the Cybersecurity Skills Gap Myth 178

Take “Culture Fit” Out of Your Vocabulary 179

Your Cybersecurity Budget 180

Recommended Readings 180

Step 3 181

Data Breaches 181

Data Privacy Regulations 182

Risk Management 183

Recommended Readings 183

Step 4 184

Security Audits 184

Vulnerability Assessments 185

Penetration Testing 185

Bug Bounty Programs 185

Recommended Reading 186

Step 5 187

Incident Response 187

Cybersecurity Frameworks 187

Recommended Reading 188

Step 6 188

The CIA Triad 188

Access Control 189

Patch Management 189

Physical Security 189

Malware 189

Cryptography 190

BYOD and Working from Home 190

Data Loss Prevention 191

Managed Service Providers 191

Recommended Reading 191

Step 7 192

Social Engineering 192

UI and UX Design 193

Internal Threats 193

Recommended Readings 194

Step 8 194

Cloud Networks 195

Data Backups 195

Business Continuity and Disaster Recovery 196

Recommended Readings 196

Keeping Your Business Cyber Secure 197

Index 199