Cybersecurity Program Development for Business
eBook - ePub

Cybersecurity Program Development for Business

The Essential Planning Guide


About this book

"This is the book executives have been waiting for. It is clear: With deep expertise but in nontechnical language, it describes what cybersecurity risks are and the decisions executives need to make to address them. It is crisp: Quick and to the point, it doesn't waste words and won't waste your time. It is candid: There is no sure cybersecurity defense, and Chris Moschovitis doesn't pretend there is; instead, he tells you how to understand your company's risk and make smart business decisions about what you can mitigate and what you cannot.

It is also, in all likelihood, the only book ever written (or ever to be written) about cybersecurity defense that is fun to read."

—Thomas A. Stewart, Executive Director, National Center for the Middle Market and Co-Author of Woo, Wow, and Win: Service Design, Strategy, and the Art of Customer Delight

Get answers to all your cybersecurity questions

In 2016, we reached a tipping point—a moment where the global and local implications of cybersecurity became undeniable. Despite the seriousness of the topic, the term "cybersecurity" still exasperates many people. They feel terrorized and overwhelmed. The majority of business people have very little understanding of cybersecurity, how to manage it, and what's really at risk.

This essential guide, with its dozens of examples and case studies, breaks down every element of the development and management of a cybersecurity program for the executive. From understanding the need, to core risk management principles, to threats, tools, roles and responsibilities, this book walks the reader through each step of developing and implementing a cybersecurity program. Read cover-to-cover, it's a thorough overview, but it can also function as a useful reference book as individual questions and difficulties arise.

  • Unlike other cybersecurity books, the text is not bogged down with industry jargon
  • Speaks specifically to the executive who is not familiar with the development or implementation of cybersecurity programs
  • Shows you how to make pragmatic, rational, and informed decisions for your organization
  • Written by a top-flight technologist with decades of experience and a track record of success

If you're a business manager or executive who needs to make sense of cybersecurity, this book demystifies it for you.

Frequently asked questions
Yes, you can access Cybersecurity Program Development for Business by Chris Moschovitis in PDF and/or ePUB format, as well as other popular books in Computer Science & Cyber Security. We have over one million books available in our catalogue for you to explore.

Information

Publisher: Wiley
Year: 2018
Print ISBN: 9781119429517
eBook ISBN: 9781119430001

CHAPTER 1
Understanding Risk

If you're reading this book, I'd hazard a guess that you've read some of the doom‐and‐gloom cybersecurity books out there as well. There are many, and many are great (see the bibliography for suggestions). What's more, I am sure you have had your fill of statistics. Dreadful statistics showing how cybercrime is increasing by the day. I'll include some of those, too, just to satisfy any morbid curiosity left in you, but they are essentially useless. By the time the ink is dry on these pages, the numbers have changed. For the worse.

A BRIEF SAMPLING OF DREAD

  • Hacker Attack Rate: 39 Seconds
    Assistant Professor of Mechanical Engineering Michel Cukier at the A. James Clark School of Engineering conducted the study that profiled the actions of hackers using brute‐force methods to gain access to a set of exposed computers. The results showed that the computers were attacked about 2,244 times per day.
  • More than 33 percent of United States consumers have experienced a cyberattack.
    This was reported in a survey by Zogby Analytics commissioned for the Hartford Steam Boiler Inspection and Insurance Company (HSB), with the most likely victims being between 18 and 24 years old. Moreover, the associated incident costs ranged from $500 for 56 percent of the cases to between $1,000 and $5,000 for 23 percent of the cases.
  • According to the "Internet Security Threat Report—Symantec 2017" (Volume 22, April 2017):
    • It takes on average two minutes for an Internet of Things (IoT) device to get attacked.
    • The average ransom amount for a ransomware attack went from $373 in 2014 to $1,077 in 2016.
    • Over the last eight years, more than 7.1 billion identities have been stolen as a result of data breaches.
    • In 2016, the United States was number one both in number of data breaches (1,023) and in identities stolen (791,820,040).
  • According to the "2017 Data Breach Investigations Report" (Verizon):
    • 75 percent of the breaches are perpetrated by outsiders, versus 25 percent involving insiders.
    • 62 percent of breaches featured hacking, of which 81 percent leveraged stolen or weak passwords.
    • 66 percent of malware was installed through malicious email attachments.
    • 73 percent of the breaches were financially motivated; 21 percent were espionage‐driven.
  • According to the "Small Business Trends" website (https://smallbiztrends.com):
    • 43 percent of cyberattacks target small business.
    • Only 14 percent of small businesses rate their ability to mitigate cyber risks, vulnerabilities, and attacks as highly effective.
    • 60 percent of small companies go out of business within six months of a cyberattack.
    • 48 percent of data security breaches are caused by acts of malicious intent. Human error or system failure account for the rest.
  • According to Juniper Research's study titled "The Future of Cybercrime & Security: Financial and Corporate Threats & Mitigation" (Juniper Research, Ltd.):
    • Cybercrime is expected to cost businesses over $2 trillion by 2019.
    • Although North America has seen the lion's share of these breaches (60 percent in 2015), the proportion will level off as global digitization levels the playing field.
  • According to "Cybersecurity Ventures' Predictions for 2017 through 2021":
    • The cost of cybercrime damages worldwide is estimated to be $6 trillion annually by 2021.
    • In 2016, the cybersecurity unemployment rate dropped to zero percent, and it is expected to remain at that level through 2021, with a projected job‐to‐skills shortfall of 1.5 million positions by 2019.
  • ISACA's 2016 Cybersecurity Global Data Snapshot lists social engineering, insider threats, and advanced persistent threats as the top‐three threats facing organizations.
  • According to Barkly Protects, Inc.:
    • One‐third of the IT professionals surveyed by Barkly reported their security had been bypassed by a cyberattack in 2016.
    • 71 percent of organizations targeted with ransomware attacks were successfully infected.
    • Over half the organizations that suffered successful cyberattacks in 2016 are not making any changes to their cybersecurity posture in 2017, with budgetary constraints cited as the main block to improved cybersecurity.

How Much Is It Worth to You?

In the misty past, a person's most valuable possessions were things he could see: his castle, gold, tapestries, even his heirs! Their value was tied to their physical existence.
Today, the concept of value has expanded beyond tangibles to include intangibles such as data, intellectual property, and reputation. As a matter of fact, many intangibles hold more value than tangibles. Consider, which is more important: an artisanal pizza or the recipe for the artisanal pizza? It's no accident that the phase following the Industrial Revolution has been nicknamed the Information Revolution.
The rise of intangible valuables affects every individual as well as businesses of all sizes. These things of value that individuals and businesses create are—like all things of value—coveted by others and therefore warrant your protection. So, just like you would protect your valuable jewelry, you must protect your valuable data. It's a simple concept.
What is interesting in this analogy is the assumption that we all share a common understanding of what is of value. You certainly have no problem intuiting that a set of diamond earrings is valuable and should therefore be stored in a secure place. Which place and how secure? That, too, is straightforward to understand. We have an innate sense of value to guide us in these decisions—something that tells us that a $300 pair of earrings is safe in the jewelry box in the apartment while a $30,000 pair of earrings is best protected in a bank's safe deposit box. Easy to understand and easy to make a value judgment on.
We make these types of judgments every day, and we're very good at it. We understand what's of value, and we understand the risks to this value:
  • Earrings? Theft!
  • Property? Fire!
It ends up that we are very good at making complex risk management decisions on a daily basis. Who knew?

Risk! Not Just a Board Game

Consider this situation: It is 11:00 at night, and you just finished dinner with friends at your favorite restaurant. Walking to your car, you reach an intersection and see that the walk signal is red. You look left. You look right. You see a car down the block, shrug it off, and cross the street. No problem.
Now, let's change this scenario a little. Same story, only this time you are pushing a stroller with your baby in it. What's the decision now? Do you cross the street or wait for the signal to change? My bet is you wait.
We just stumbled on the concept of risk acceptance, which will prove to be of real importance in the pages that follow. The bottom line is that we all live with risk every single day of our lives. We constantly make decisions about risk and, when we're done evaluating, we take action signifying our acceptance of this risk.
In the example just suggested, in one case you accepted the risk that you can cross the street against the light, and in the other case, when you had your baby along, you did not. How does this translate to the cyberworld? In some cases, we accept the risk of having our information available out there (e.g., when using Facebook, Instagram, Swarm, and the like), and in others we do not (e.g., when we are using our credit card or revealing our medical records).
Studying risk is taking a trip down a fascinating, complex, and intricate labyrinth. It is hard‐core science—involving complex mathematics, ethics, and philosophy—with potential life‐and‐death implications (e.g., the risk of reprisals when we attack a terrorist group, the risks that first responders take every day, etc.). This is certainly not a book to start you on this type of journey, although I have included a selected bibliography for you to consider at the back of this book. The purpose of this book is to expose you to some risk management and tech concepts so that we can develop a common language when discussing how to protect your things of value from cyber‐based threats. With that in mind, let's start...

Table of contents

  1. COVER
  2. TITLE PAGE
  3. TABLE OF CONTENTS
  4. FOREWORD
  5. PREFACE
  6. ABOUT THE AUTHOR
  7. ACKNOWLEDGMENTS
  8. CHAPTER 1: Understanding Risk
  9. CHAPTER 2: Everything You Always Wanted to Know About Tech (But Were Afraid to Ask Your Kids)
  10. CHAPTER 3: A Cybersecurity Primer
  11. CHAPTER 4: Management, Governance, and Alignment
  12. CHAPTER 5: Your Cybersecurity Program: A High‐Level Overview
  13. CHAPTER 6: Assets
  14. CHAPTER 7: Threats
  15. CHAPTER 8: Vulnerabilities
  16. CHAPTER 9: Environments
  17. CHAPTER 10: Controls
  18. CHAPTER 11: Incident‐Response Planning
  19. CHAPTER 12: People
  20. CHAPTER 13: Living Cybersecure!
  21. BIBLIOGRAPHY
  22. APPENDIX: Clear and Present Danger
  23. INDEX
  24. END USER LICENSE AGREEMENT