What will I learn from this book?
Due to the cost and frequency of data breaches, cybersecurity is “quickly moving from being considered by business leaders as a purely technical issue to a larger business risk,” and thus companies need to exercise due diligence and due care in terms of cybersecurity, to reduce or eliminate liability due to negligence. Organizations need to learn how to manage cybersecurity risks to protect their business, assets, systems, data, and employees. This book will provide you with general concepts related to cybersecurity, along with options and approaches that can help you manage cybersecurity for your organization. This book is a great resource for engaged and active readers who follow the links and perform additional research to ensure they understand the concepts provided, and how the concepts apply to their organization specifically. Engaged readers will learn how to manage cybersecurity risk by implementing the NIST Cybersecurity Framework to:
Identify cybersecurity threats, compliance requirements, deficiencies, and more.
Protect the organization’s business needs, employees, and assets with 108+ safeguards.
Detect cybersecurity events by implementing suitable actions and monitoring processes.
Respond to detected cybersecurity incidents and reduce the impact on the business.
Recover from cybersecurity incidents with business continuity and disaster recovery planning.
Cybersecurity is a business risk that, if neglected, can put an organization out of business and even lead to personal liability. Learn how to protect yourself and your organization before it is too late.
Cybercriminals target your organization and employees
Hackers constantly and tirelessly target organizations across all industries, regardless of their size. Large organizations are likely to have the appropriate budget and resources for their Information Technology (IT) and Information Security (IS or Cybersecurity) needs. They usually establish and maintain an Information Security Program staffed with full-time executives, officers, security managers, and IT staff who can design and implement a cybersecurity awareness program to help protect the organization. The Information Security Program allows the organization to identify and manage cybersecurity-related risks and to make informed decisions to reduce the impact of cybersecurity incidents and data breaches. Large organizations tend to have better defenses against cyber-attacks and are better prepared to reduce and deal with the devastating impact of data breaches. Small and midsize businesses, at their peril, often fail to consider that:
• Multiple legal, regulatory, and contractual requirements apply to their organization.
• According to Verizon’s Data Breach Investigations Report, 58% of all cyberattacks target small businesses.
• Small and midsize businesses are targeted because they are less prepared and protected than larger organizations, making them easier targets.
• Lack of an Information Security Program and employee Cybersecurity Awareness and Training Program puts the organization at a high risk for compromise, and leaves the organization unable to reduce, withstand, and/or recover from the devastating impact of successful cyberattacks or data breaches.
• They may not be able to withstand the unexpected costs and impact associated with cyber-attacks and data breaches. In fact, 60% of small businesses fail within six months of a major cybersecurity
• The devastating impact and long-lasting effects of data breaches include, but are not limited to:
- notification requirement to law enforcement and regulatory agencies;
- legal, regulatory, and/or contractual fines;
- notification to affected customers and identity protection costs;
- media coverage and public relations associated costs;
- inability to cover the fallout costs, resulting in the inability to remain in business;
- loss of reputation and customer confidence, resulting in loss of current and future sales;
- loss of current and future customers, partners, business opportunities, etc.
In the event of a data breach, the board of directors and executives can be held personally liable on charges of negligence. Managing cybersecurity and identifying risks to help mitigate the impact of a data breach is part of due diligence and due care.
Cybersecurity is a business risk
Most small and midsize organizations see cybersecurity as an Information Technology (IT) problem, and not as a business risk. As a result, when a data breach or cyber-attack takes place within an unprepared organization, the devastating impact can easily put that organization out of business within a few months. Attackers are constantly targeting weaknesses in your organization and employees; attackers only need to exploit one weakness to obtain unauthorized access. Instead of trying to overcome security mechanisms (firewall, spam filter, antivirus, encryption, etc.), attackers usually target employees to obtain unauthorized access. Without an information security program, the organization is at risk and likely unaware of:
• applicable legal, regulatory, and contractual requirements;
• assets they need to protect, including systems (computers, servers, etc.) and data;
• how vulnerable their employees are to social engineering attacks like phishing emails;
• what the sensitive data is, on what systems that data is stored, and whether it is encrypted;
• the weaknesses of processes and technology supporting the business;
• how to implement a Cybersecurity Awareness and Training program;
• assets, their vulnerabilities, what could exploit those vulnerabilities, and the associated impact as a result of not knowing or being able to manage those risks;
• how to handle a data breach and whether the business can survive its impact;
• how to implement an information security program to protect the organization.
Cybersecurity is a business risk and, as the famous line from G.I. Joe states, “knowing is half the battle.” The other half is acting to protect your organization and employees. The purpose of this book is to empower organizations and their employees with a better understanding of cybersecurity, how cybersecurity applies to their organization, and how to develop and take steps to exercise due care and due diligence. Members of the board of directors, the president/CEO, and senior executives have a fiduciary responsibility to protect the organization, employees, and sensitive data. However, they may be unaware that they can be held personally liable for negligence if they do not practice due diligence and due care: properly protecting data means ensuring that the organization meets its legal, regulatory, industry-standard, and contractual obligations to protect sensitive and customer data.
Larger organizations have full-time employees and departments with the proper training and skills to address cybersecurity requirements. This book aims to promote cybersecurity awareness and to provide the different roles with guidance and a basic but essential understanding of how to approach the cybersecurity needs of their organization.
Cybersecurity has become a serious business risk; data breaches can put an organization out of business overnight. As Verizon’s Data Breach Investigations Report puts it:
“Most cybercriminals are motivated by cold, hard cash. If there’s some way they can make money out of you, they will. That could mean stealing payment card data, personally identifiable information, or your intellectual property. And they don’t care who they take it from. Ignore the stereotype of sophisticated cybercriminals targeting billion-dollar businesses. Most attacks are opportunistic and target not the wealthy or famous, but the unprepared.”
The reality is that no industry or organization is bulletproof or too small when it comes to the compromise of data. Federal and state laws, Industry Standards, and International Regulations require organizations to protect their customers' data and to report confirmed data breaches to law enforcement, regulatory compliance agencies, media, and affected customers.
Different cybersecurity laws, regulations, and standards apply to organizations depending on their industry and sector. This is part of business risk because it affects how the company does business and how its Information Technology (IT) department operates. While businesses of all sizes, small, medium, and large, are affected by these problems, the available budget, staff, and expertise needed to combat them vary from one organization to another. Large organizations usually have an IT budget, a separate cybersecurity budget, and dedicated full-time roles that manage cybersecurity. Some of those full-time roles include but are not limited to Chief Information Officer (CIO), Chief Information Security Officer (CISO), Information Security Officer (ISO), Information Security Manager (ISM), Security Administrators, etc. A large organization’s IT needs are usually met by an internal IT department. Cybersecurity and internal audit may be internal departments, and some functions may be outsourced to a Managed Security Service Provider (MSSP).
Small and midsize businesses may not be able to afford a proper IT budget, and may not have a cybersecurity budget or a cybersecurity program. Those organizations are at a higher risk due to a lack of funds for a proper internal IT department or one outsourced to a Managed Service Provider (MSP), a cybersecurity budget and cybersecurity program, or even a full-time compliance officer or staff dedicated to addressing cybersecurity as a business risk. Organizations with under 200 employees may not have personnel dedicated to compliance or IT, and senior executives may be unaware of the extent of the legal, regulatory, and contractual requirements that put their organization at risk. Organizations cannot afford to ignore legal and regulatory compliance such as HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), GLBA (Gramm-Leach-Bliley Act), etc., or cyber risk in general. The purpose of this book is to give small and midsize businesses a fighting chance by providing guidance and options on how to implement or improve a cybersecurity program. Cybersecurity and information technology are business enablers. Their function is to help the organization meet its mission, vision, and business objectives, while also helping protect its data, assets, employees, and competitive advantage.
The goal of this book is to empower organizations to understand cybersecurity better and to take actionable steps to improve their cybersecurity posture. This book leverages the widely used and accepted NIST Cybersecurity Framework and its subcategories to help organizations establish or improve a cybersecurity program.