Most small and midsize organizations see cybersecurity as an Information Technology (IT) problem, and not as a business risk. As a result, when a data breach or cyber-attack takes place within an unprepared organization, the devastating impact can easily put that organization out of business within a few months. Attackers are constantly targeting weaknesses in your organization and employees; attackers only need to exploit one weakness to obtain unauthorized access. Instead of trying to overcome security mechanisms (firewall, spam filter, antivirus, encryption, etc.), attackers usually target employees to obtain unauthorized access. Without an information security program, the organization is at risk and likely unaware of:
• applicable legal, regulatory, and contractual requirements;
• assets they need to protect, including systems (computers, servers, etc.) and data;
• how vulnerable their employees are to social engineering attacks like phishing emails;
• what the sensitive data is, on what systems that data is stored, and whether it is encrypted;
• the weaknesses of processes and technology supporting the business;
• how to implement a Cybersecurity Awareness and Training program;
• their risks: assets, the vulnerabilities of those assets, the threats that could exploit them, and the impact of being unable to identify or manage those risks;
• how to handle a data breach and whether the business can survive its impact;
• how to implement an information security program to protect the organization.
Cybersecurity is a business risk, and as the famous line from G.I. Joe states, “knowing is half the battle.” The other half is acting to protect your organization and employees. The purpose of this book is to empower organizations and their employees with a better understanding of cybersecurity, how cybersecurity applies to their organization, and how to develop and take steps to exercise due care and due diligence. Members of the board of directors, the president/CEO, and senior executives have a fiduciary responsibility to protect the organization, its employees, and sensitive data. However, they may be unaware that they can be held personally liable for negligence if they do not practice due diligence and due care to properly protect data by ensuring that the organization meets its legal, regulatory, industry-standard, and contractual obligations to protect sensitive and customer data.
Larger organizations have full-time employees and departments with the training and skills to address cybersecurity requirements. This book aims to promote cybersecurity awareness and to give the different roles guidance and a basic but essential understanding of how to approach the cybersecurity needs of their organization.
Cybersecurity has become a serious business risk; data breaches can put an organization out of business overnight. As Verizon’s Data Breach Investigations Report puts it:
“Most cybercriminals are motivated by cold, hard cash. If there’s some way they can make money out of you, they will. That could mean stealing payment card data, personally identifiable information, or your intellectual property. And they don’t care who they take it from. Ignore the stereotype of sophisticated cybercriminals targeting billion-dollar businesses. Most attacks are opportunistic and target not the wealthy or famous, but the unprepared.”
The reality is that no industry or organization is bulletproof or too small when it comes to the compromise of data. Federal and state laws, industry standards, and international regulations require organizations to protect their customers' data and to report confirmed data breaches to law enforcement, regulatory compliance agencies, the media, and affected customers.
Different cybersecurity laws, regulations, and standards apply to organizations depending on their industry and sector. This is part of business risk because it affects how the company does business and how its IT department operates. While businesses of all sizes, small, medium and large, are affected by these problems, the budget, staff, and expertise available to combat them vary from one organization to another. Large organizations usually have an IT budget, a separate cybersecurity budget, and dedicated full-time roles that manage cybersecurity. Those full-time roles include, but are not limited to, Chief Information Officer (CIO), Chief Information Security Officer (CISO), Information Security Officer (ISO), Information Security Manager (ISM), and Security Administrators. A large organization’s IT needs are usually met by an internal IT department. Cybersecurity and internal audit may be internal departments, and some functions may be outsourced to a Managed Security Service Provider (MSSP).
Small and midsize businesses may not be able to afford a proper IT budget, and may not have a cybersecurity budget or a cybersecurity program. Those organizations are at higher risk because they lack funds for a proper internal IT department or one outsourced to a Managed Service Provider (MSP), for a cybersecurity budget and program, or even for a full-time compliance officer or staff dedicated to addressing cybersecurity as a business risk. Organizations with under 200 employees may not have personnel dedicated to compliance or IT, and senior executives may be unaware of the extent of the legal, regulatory, and contractual requirements that put their organization at risk. Organizations cannot afford to ignore legal and regulatory compliance such as HIPAA (Health Insurance Portability and Accountability Act), PCI (Payment Card Industry), GLBA (Gramm-Leach-Bliley Act), etc., or cyber risk in general. The purpose of this book is to give small and midsize businesses a fighting chance by providing guidance and options on how to implement or improve a cybersecurity program. Cybersecurity and information technology are business enablers. Their function is to help the organization meet its mission, vision, and business objectives, while also helping protect its data, assets, employees, and competitive advantage.
The goal of this book is to empower organizations to understand cybersecurity better and to take actionable steps to improve their cybersecurity posture. This book leverages the widely used and accepted NIST Cybersecurity Framework and its subcategories to help organizations establish or improve a cybersecurity program.