8 Steps to Better Security E-Book

Table of Contents

Cover

Title Page

Foreword

Introduction

Chapter 1: Step 1: Foster a Strong Security Culture

Kevin Mitnick, Human Hacker Extraordinaire

The Importance of a Strong Security Culture

Hackers Are the Bad Guys, Right?

What Is Security Culture?

How to Foster a Strong Security Culture

Security Leaders on Security Culture

What Makes a Good CISO?

The Biggest Mistakes Businesses Make When It Comes to Cybersecurity

The Psychological Phases of a Cybersecurity Professional

Chapter 2: Step 2: Build a Security Team

Why Step 2 Is Controversial

How to Hire the Right Security Team…the Right Way

Security Team Tips from Security Leaders

The “Culture Fit”—Yuck!

Cybersecurity Budgets

Design Your Perfect Security Team

Chapter 3: Step 3: Regulatory Compliance

What Are Data Breaches, and Why Are They Bad?

The Scary Truth Found in Data Breach Research

An Introduction to Common Data Privacy Regulations

Payment Card Industry Data Security Standard

Governance, Risk Management, and Compliance

More About Risk Management

Threat Modeling

Chapter 4: Step 4: Frequent Security Testing

What Is Security Testing?

Security Testing Types

What's Security Maturity?

The Basics of Security Audits and Vulnerability Assessments

A Concise Guide to Penetration Testing

Security Leaders on Security Maturity

Security Testing Is Crucial

Chapter 5: Step 5: Security Framework Application

What Is Incident Response?

Your Computer Security Incident Response Team

Cybersecurity Frameworks

Chapter 6: Step 6: Control Your Data Assets

The CIA Triad

Access Control

Patch Management

Physical Security and Your Data

Malware

Cryptography Basics

Bring Your Own Device and Working from Home

Data Loss Prevention

Managed Service Providers

The Dark Web and Your Data

Security Leaders on Cyber Defense

Control Your Data

Chapter 7: Step 7: Understand the Human Factor

Social Engineering

Phishing

What Can NFTs and ABA Teach Us About Social Engineering?

How to Prevent Social Engineering Attacks on Your Business

UI and UX Design

Internal Threats

Hacktivism

Note

Chapter 8: Step 8: Build Redundancy and Resilience

Understanding Data and Networks

Building Capacity and Scalability with the Power of the Cloud

Back It Up, Back It Up, Back It Up

RAID

What Ransomware Taught Business About Backups

Business Continuity

Disaster Recovery

Chapter 9: Afterword

Step 1

Step 2

Step 3

Step 4

Step 5

Step 6

Step 7

Step 8

Keeping Your Business Cyber Secure

Index

Copyright

Dedication

About the Author

Acknowledgments

End User License Agreement

Guide

Cover

Title Page

Copyright

Dedication

About the Author

Acknowledgments

Foreword

Introduction

Table of Contents

Begin Reading

Index

End User License Agreement

Pages

i

xi

xii

xiii

xiv

xv

xvi

xvii

xviii

xix

xx

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

ii

iii

iv

v

205

8 Steps to Better Security

A Simple Cyber Resilience Guide for Business

Kim Crawley

Foreword

I first met Kim Crawley in person in October 2019, in Toronto at SecTor, Canada's version of DEFCON. We'd been acquainted for a long time via Twitter, and she was the one who originally turned me onto SecTor and inspired me to submit a talk, citing the merits of her hometown and the conference. She was right about both. In between the superb sessions there, amidst the fantastic energy of that conference and the international vibe of the city, we walked around and talked about information security, cyber resilience, and neurodiversity, topics woven deeply into the fabric of both our lives. Over lunch one afternoon, our conversation came around to how our industry can do a better job of helping small and midsize organizations better prepare for strategic response to cybercrime. We agreed that by helping smaller and more vulnerable organizations, the larger organizations and the collective industry as a whole would also benefit. We compared notes on tactics and strategies that don't have to cost a lot of time or money.

Shortly after our time and discussions at SecTor, Covid-19 hit. Kim didn't slow down. She founded DisInfoSec, a pop-up infosec conference showcasing infosec professionals who identify as neurodivergent (including ADD, AHDH, autism, Asperger's, dyslexia, and more). Inspired by Lesley Carhart's PancakesCon and other events, DisInfoSec was a first-of-its-kind event and took place on July 11, 2020. The con included a lot of great talks and raised funds for the Autistic Self Advocacy Network, the Autistic Women and Nonbinary Network, and the Council of Canadians with Disabilities. Kim's commitment to improving inclusion and nudging the world to a better place is showcased in her actions, and this new book is merely an extension of her productive mindset.

If you're new to Kim's work, her past and present articles on infosec and cyber for AT&T Cybersecurity, Cylance, and others are some of the most accessible to read, especially for anyone who is new to those topics. Kim writes with spirit and an intimate awareness of the diverse audiences who may be reading, which makes her style a stand-out. Her new book is no exception: 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business is an easy read for first-timers, seasoned veterans, and anyone else keen to learn more about infosec and cyber resilience using practical, quick-win steps you can take right away to better prepare your organization for a strategic response to unplanned events that would otherwise compromise your productivity, reputation, and bottom line. That's real peace of mind, and I don't know about you, but these days I'll take all of that I can get. Enjoy the book!

Introduction

Pandora's box has been opened. Businesses in all industries run on computer data, and now there's no turning back.

When I was little, offices were still full of filing cabinets. Each customer, patient, client, vendor, and supplier had their own labeled manila folder in one of those cabinets. In fact, many offices have kept their filing cabinets well into the 21st century. Spilling your coffee on a few forms could damage lucrative business data. Unauthorized data access happened if someone found the secretary's physical key and unlocked cabinets they weren't entitled to. Some cabinets were designed to be fire resistant. But backing up all that data to a second location for the sake of business continuity in a disaster is always a good idea, one that was often not conducted because a clerk would have to put each page through the photo copier one by one, ever so tediously.

Now businesses keep their lucrative data on computers, whether that business is Smith's Convenience on the street corner or a multibillion-dollar military contractor. Some of these businesses still have filing cabinets, but they're working hard to digitize as much as possible.

The computer data that flows through businesses in all industries isn't just sensitive data on customers. It isn't all precious financial data, either. Some of it is security patches for our operating systems, applications, and firmware. Some of it is the email your employees are sending and receiving, whether on a company-owned PC or on their phone wherever they are. Some of it even keeps devices in the office running—your smart thermostats and your internet-connected heart monitors.

Keeping all the data that flows through your business secure is absolutely vital. Otherwise, a cybercriminal could steal your trade secrets or your clients' credit card data. Or they could perform a distributed denial-of-service attack on your production systems. Or they could infect your whole network with ransomware, both on the premises and on the cloud. Your company can be liable for any sensitive data that's stolen, especially if it results in your customers and vendors being harmed. And if your production systems face even a couple of hours of downtime, your business could lose millions in productivity. Chances are there are data privacy and security regulations that also apply to your business, and you could face hefty fines for security incidents and noncompliance. Often, fines can be in the millions under laws such as the European Union's General Data Protection Regulation.

A few hundred thousand dollars spent on improving your security will likely save your business millions of dollars in the long run. But simply spending money isn't enough. You need to spend it wisely, and you need to work on security every day. As cybersecurity expert Bruce Schneier says, “Security is a process, not a product.”

I have spent the past several years researching and writing about cybersecurity for business on behalf of many major tech brands, such as AT&T Cybersecurity, Venafi, BlackBerry Cylance, Comodo, and Sophos. And every day I work, I have discussions with people who directly work on improving the security of businesses of all sizes and in a wide variety of industries.

I know it can be overwhelming when people are tasked with improving their company's cybersecurity. Where do you start? More importantly, how do you convince your executives that having a decent security budget and hiring security professionals is important? It's a struggle many people around the world face all the time.

I'm a regular computer security geek. But I've been adjacent to businesspeople my whole life. My (now retired) mother went from working in payroll to being a human resources director and vice president for Bayerische Landesbank back when they had a Toronto branch in the 1990s. I have friends who work as equity traders for companies like Manulife Financial. More importantly, I'm friends with many chief information security officers (CISOs).

So, I'm a geek and a “creative class” person according to Richard Florida. But although I don't fit in with the suits on Bay Street and Wall Street, I know how they think. I know what makes them tick: money, of course!

Ultimately, applying the advice in this book will cost you money, but it will save your business a lot more money over time. Spend $1 now to prevent losing $10 in the future. Think beyond next quarter's profits! Security-harden your business for the years ahead.

I'm going to be honest with you. Looking at the business bestsellers often makes me cringe. I distrust all books that say they're going to make me rich. I'm not an individualist-capitalist (I don't have any capital!); I believe in society, and I believe we're all interdependent. I think some of your success is in your hands, but a lot of your fate is in the hands of other people. I strongly believe that absolutely no one is “self-made.”

I pride myself in sharing honest and useful information with the world, not tips on how to leverage market disruption for maximum capital gains, or whatever. I might as well tell you a 100 percent cabbage soup diet will make you permanently skinny and cure all disease on Earth. Honestly, my conscience doesn't feel good about that stuff. This book is for businesspeople, whether you wear a Brooks Brothers suit or a Lacoste polo shirt and khakis or a hard hat and overalls or jeans and a T-shirt. Cyber threats are bad now, and they'll only get worse. Make sure your business thrives in the ever-evolving cyber threat landscape with the eight steps in this book.

That's what I love to do: take useful information, share it in simple language, and break it down into manageable little bites. This book won't make your brain hurt. You can read one chapter at a time, or even just a few pages at a time, and glean useful insight that you can use in your everyday lives—as long as working in a business is part of your everyday life.

This book is based on the research I've done and knowledge I've acquired through years of work as a cybersecurity news and information scribe. And my knowledge is augmented with the insight of many of the world's top CISOs and other business leaders in security. It was a great pleasure for me to interview all these people and pick their brains a little bit for your benefit. This book is further enhanced with the findings of business security research studies and the aftermath of some of the most notable business security incidents. Mistakes become valuable when we make sure we learn from them!

Let's summarize the topics I cover in this book. Chapters 1 through 8 cover what this book is all about: 8 Steps to Better Security. Each of those chapters is one of those steps. Chapter 9 will show you how to put it all together.

Chapter 1

, “Step 1: Foster a Strong Security Culture”

: This is where everything starts—not with an audit or a security budget, but with how to make sure everyone in your organization takes security seriously, from your janitor to your CEO. Policy is vital, but it's useful only if it influences people's behavior. The best information security policies in the world become ineffective if people don't abide by them and enforce them. I'm fascinated by psychology and sociology, and these areas are a lot more important to cybersecurity than laypeople assume. This chapter will explain how you can begin to foster a strong security culture, whether you're a new startup or a 50-year-old company. If you do something more than three times, it'll become a habit. Making sure your habits and attitudes are good will set the foundation for everything your business does with regard to cybersecurity. Effective information security is paramount in the 21st century, regardless of your company's industry or size. So, let's get off to the best possible start. This chapter will show you how.

Chapter 2

, “Step 2: Build a Security Team”

: If your company is medium-sized or larger, you'll benefit from having staff who work on cybersecurity as their full-time job. If your company is smaller, your one to five IT specialists will need to be tasked to manage your business's information security, even if your IT specialist is the nerd who comes into your little shop once a week to make sure your point-of-sale works properly. How your company builds a security team will vary according to your size and industry. The principles and advice in this chapter are designed to be useful for businesses of all kinds. The buck must stop somewhere. Make sure the buck stops with people who are ready to security-harden your company and rise to the challenge of any potential security incidents. This chapter includes tips on what sort of experience and credentials people should have in particular roles, so you can hire and delegate intelligently

Chapter 3

, “Step 3: Regulatory Compliance”

: In business-speak, this is a major “pain point” for most companies. Pretty much all companies of all sizes and in all industries must comply with your region's general data privacy regulations. On top of that, if your company is in the medical field, there are usually regulations specific to healthcare data that must be complied with. If your company is in finance, there are usually financial-sector data privacy regulations as well. On top of that, if your company is in or deals with the public sector, there is often another whole set of regulations that are also crucial to abide by. Some audits are random and unpredictable, some may be scheduled, and some may occur in response to a data breach or similar incident. This chapter will help you take an inventory of which specific regulations apply to your business. From there, I offer tips to help you make sure you're set up for compliance so your business can continue to comply every day your business operates. Cybersecurity experts debate over how useful regulations are when it comes to preventing or mitigating security incidents. But we all agree that compliance is a must because the hefty fines for violations can really hurt your bottom line. The reputation damage can be immense too. Customers and clients need to feel that you take the security of their data seriously if they're going to be comfortable with spending money on your company's products and services.

Chapter 4

, “Step 4: Frequent Security Testing”

: You absolutely cannot know how well secured your company's networks, computers, and applications are without frequent security testing. Having your assets security tested isn't simply a matter of emailing a third-party security firm and saying, “I need a security test.” Cybersecurity testing comes in many different forms. The kind of testing you need will vary according to many different factors, including but not limited to the types of networks you have, how large they are, and which industry your business is in. So, knowing where to start when it comes to security testing will take this entire chapter, at the least. But don't be dismayed. This book is designed for businesspeople, not computer nerds. By the time you're done reading the chapter, you'll be ready to initiate the security testing your company needs in order to face the ever-evolving cyber threat landscape with confidence. The security testing your company needs can be a combination of internal red team specialists and third-party penetration testers. They may need to test once per year or every time your network changes in a significant way. Don't know what a red team or penetration testing is? Then this chapter is definitely for you!

Chapter 5

, “Step 5: Security Framework Application”

: A cybersecurity framework is a set of standards that companies can base their security policies and procedures on. The most popular cybersecurity frameworks focus on how your business should prepare for and respond to cybersecurity incidents. Often companies can choose which framework is most useful for their organization. Unlike security regulation compliance, using a cybersecurity framework is optional, but highly recommended nonetheless. Also, unlike security regulation compliance, cybersecurity frameworks aren't usually tied to a particular state, province, or nation. The same frameworks are used by organizations around the world in many different countries and industries.

The NIST Cybersecurity Framework is the most widely implemented framework, and other frameworks have been inspired by it. Some of the other frameworks I cover in this chapter include ISO 27000 Cybersecurity Framework Series, CIS Cybersecurity Framework, and COBIT Cybersecurity Framework. I explain the basics of each of these frameworks and share what cybersecurity experts believe are their strengths and weaknesses. No matter what, though, your organization must have policies and procedures for preparing for and responding to security incidents. With proper preparation, cyber incidents will do much less harm to your organization, and you will save money in the long run.

Chapter 6

, “Step 6: Control Your Data Assets”

: Every bit of your organization's data is stored on at least one computing device. Whether your network is on the premises, on the cloud, or on a hybrid network. Whether your company has a bring-your-own-device policy or not. Whether your workers work in the corporate office or from their homes. Your organization must first determine where all of your data resides, how it's transmitted, and which entities own the devices, and then design policies and procedures for securing all of those devices.

These data assets not only contain intellectual property and sensitive data (such as login credentials and financial information), but also keep your business running each and every day. A retail business needs a constantly operating point-of-sale system. An online service needs an always-working web application. A dental practice needs their radiography machines to always work, and so on. Computers with downtime result in lots of lost revenue and customers. Your organization needs to fully understand and control all of your data assets to protect them from cyber incidents.

Chapter 7

, “Step 7: Understand the Human Factor”

: Many laypeople believe that successful cyberattacks require intense computer wizardry from cyberattackers, but the sad truth is that most cyber incidents, including the most destructive attacks, involve social engineering at one point or another. Fooling the people within your organization who have access to your computer systems is the most common way that cyber threat actors gain unlawful entry into your organization's networks. Phishing is a primary means of social engineering exploits. What is phishing? Phishing is when a threat actor uses a web page, text message, email, or social media post to imitate a trusted entity, such as a bank, a utility company, the government, or a well-known business. Even us cybersecurity professionals sometimes succumb to phishing attacks. We must never get overconfident. This chapter will cover how employees and contractors should be trained to prevent phishing attacks, as well as how to prevent other social engineering attacks, such as downloading Trojan malware. This chapter is also designed to consider how organizations have evolved during the Covid-19 pandemic to support many employees and contractors working from home for the first time.

Chapter 8

, “Step 8: Build Redundancy and Resilience”

: Any cyber incident or technical glitch that causes network downtime hurts your business's productivity. That loss of productivity has an immediate impact on your bottom line. Here's how to design networks with redundant capacity through the power of the cloud, how to properly back up your data and applications from threats like ransomware, and how to design hot sites and cold sites for business continuity in the face of potential disasters. Your organization needs backed-up data and extra computers to survive the cyber threats that can impact any entity.

Once we cover all eight steps, we finish with

Chapter 9

, “Afterword.” I have advice for implementing all eight of these steps. But my knowledge is augmented with tips from some of the world's top business cybersecurity professionals. So, as you prepare to improve the cybersecurity of your organization, you'll benefit from an amalgam of the best advice available.

Congratulations, you're ready to prepare your company for the evolving cyber threat landscape, no matter which country or industry you're in or the size of your business! Pat yourself on the back and then get to work. You can do it. I believe in you.

Chapter 1Step 1: Foster a Strong Security Culture

People generally assume that cybersecurity is a technological area of study and take it for granted that cyber threat actors, called hackers by laypeople, must be computer geniuses. They have to have some mastery of computer programming code and an advanced understanding of how computer networks work. And if you take the Hollywood stereotype really seriously, then you probably believe that the most notorious cyberattackers work from an elaborate computer lab in their mom's basement, wearing a hoodie and typing at 400 words per minute. I imagine something like the movie War Games, but with a more 21st century–style presentation.

So, surely, if you're learning about cybersecurity, it's all about computer science stuff, right? You likely bought this book because you're a businessperson who wants to improve the security posture of your company. So, maybe you expect this book is about hiring the right supernerds for your IT department, and then you just let them do their technical wizardry. Why do you need eight steps for that? Step 1: hire computer experts. Step 2: don't think about cybersecurity ever again.

Actually, it's not that simple. Understanding computer technology is definitely a big part of understanding cybersecurity. But cybersecurity also overlaps with the arts and humanities. To understand cybersecurity properly, you must learn about the psychology of the interactions of people with computers. Then you must also learn the sociology of the interactions of groups of people with computers and how people within those groups influence each other's behavior. Cybersecurity is as much of a human area of study as it is a technological area of study.

The first step to improving your company's security posture is to foster a strong security culture. Culture doesn't manifest in the firmware code on your PC's motherboard. Culture is about the ideas, attitudes, and styles people create and maintain in their interactions with each other. Your company could have the best security policies and the most expensive network security devices. But if the people in your company don't behave in a secure way, improving your security posture will be an uphill battle.

From the balcony of my skyscraper condominium, I can see mighty maple trees thriving near Toronto's lakeshore. Those maple trees evolved over thousands of years to survive harsh Canadian winters. Their genes make them hardy, and they produce a resilient life-form. But if it weren't for the deep nutritious soil and sufficient annual precipitation in their environment, those maple trees wouldn't be able to grow and survive for hundreds of years. That's why you don't see maple trees growing in the desert.

Your company's security culture needs to be the nutritious soil and sufficient precipitation for the seeds and saplings of your computer hardware, software, networking, security policies, and security staff to thrive to become the hardy maple trees of a resilient business with a strong security posture. Even though I don't intend for this to be a cheesy self-help book, I'm not going to stop with the flowery analogies. So, just hang on for the ride!

Before I get further into explaining how to foster a strong security culture, I really need you to understand how important psychology and sociology are to cybersecurity. So, I will start with a really abridged version of the story of Kevin Mitnick, the man who may still be the world's most infamous cyberattacker.

Kevin Mitnick, Human Hacker Extraordinaire

Kevin Mitnick is so notorious that you've likely heard of him, even if you've never taken an interest in cybersecurity. His name was mentioned in news headlines in the 1980s and 1990s.

Mitnick is known for conducting two major cyberattacks. The first one was in the news throughout the 1980s: a penetration of Digital Equipment Corporation's (DEC's) network, called The Ark. DEC was a major manufacturer of computer hardware and developer of computer software from the 1960s to the 1990s, focused on the enterprise market. It was perhaps best known for its PDP line of minicomputers. The minicomputers of the era were definitely not “mini” by today's standards. Early PDP hardware consisted of large boxes the size of a few refrigerators stacked together. Even the later PDP models produced in the 1970s were at least the size of a single refrigerator. They were classified as minicomputers simply because they didn't require the space of multiple rooms of a building. Anyway, I'm going to refrain from rambling on and on about the history of computing. Just understand that PDP computers are very important when it came to large businesses being able to process thousands or millions of customer records, in areas such as the airline industry or public utility companies. This was the most frequent way computers were used in the years before PCs (known as microcomputers) entered most people's homes.

In late 1979, a teenaged Kevin Mitnick acquired access to DEC's own computer system that he was not permitted to have. This was widely reported in the news during his criminal trial in the 1980s.

Mitnick intended to describe how he maliciously accessed DEC's computer system in his book, The Art of Deception, published by my own book's publisher, John Wiley & Sons, in 2002. This material didn't end up in the first edition of Mitnick's book, but he confirmed to Wired that he wrote this:

Claiming to be Anton Chernoff, one of the (DEC) project's lead developers, I placed a simple phone call to the system manager. I claimed I couldn't log in to one of “my” accounts and was convincing enough to talk the guy into giving me access and allowing me to select a password of my choice.

Something stands out to me here. Without an account name and password, he wouldn't have been able to get in. The way he acquired those credentials was by social engineering. Social engineering in a cybersecurity context is all about fooling human beings into helping you acquire access to computer systems you aren't allowed to have. The specific kind of social engineering Mitnick did is called vishing. Vishing is when someone uses phone calls to pretend to be a trusted party, such as DEC developer Anton Chernoff, to acquire information that you're not entitled to have and that you can use to facilitate a cyberattack. Vishing is a category of phishing, where media such as text messages, web pages, emails, or social media messages are used to impersonate trusted entities to acquire malicious computer access. All kinds of phishing, including vishing, are common types of social engineering attacks. Mitnick exploited human psychology. The Art of Deception, indeed.

Mitnick started to learn social engineering when he was really young. In the mid-1970s when he was 12, he wanted to be able to ride Los Angeles public transit for free. So, he dumpster dived for unused bus transfer slips. He tricked a bus driver into giving him a ticket punch by saying he needed it for a school project. From there, young Kevin Mitnick was able to spoof bus transfers for free rides. But he couldn't do it without social engineering the bus driver.

Mitnick's successful Los Angeles bus exploit gave him the confidence to attempt social engineering in other ways. He went on to trick his way into DEC's computer system. After years of criminal investigations and a trial, he was convicted in 1988 and sentenced to a year in prison and three years of supervised release. By the early 1990s, toward the end of his supervised release, he conducted his second notorious cyberattack.

Mitnick social engineered his way into the voicemail system of Pacific Bell, a major telecommunications company in California. His techniques were very similar to how he penetrated DEC. Those in the know didn't consider Mitnick to be a master of computer science; rather, he was a clever conman. Eventually, Mitnick targeted an actual computer science master, Tsutomu Shimomura. Shimomura studied physics with the famous physicist Richard Feynman before he pursued computer technology research at San Diego Supercomputer Center full time. Mitnick wanted access to Shimomura's work. He chose the wrong target this time, because Shimomura helped law enforcement investigate Mitnick's Pacific Bell breach and other criminal activities. The FBI arrested Mitnick in 1995, and he was in prison until 2000.

From there, Mitnick decided to use his skills in law-abiding ways. He wrote books, some of which were published by Wiley. And he also started his own cybersecurity firm, Mitnick Security Consulting, LLC.

The Importance of a Strong Security Culture

The cyber threat actors who will try to harm your company could be just glorified conmen like Mitnick or brilliant computer scientists like Shimomura. Either way, the majority of cyberattacks involve social engineering at one point or another. A strong security culture hardens against social engineering exploits by making your employees, contractors, and executives less likely to succumb to them. A strong security culture also encourages your workers to develop good habits in the ways that they use computer technology, so your precious data assets are better protected.

A strong security culture doesn't stop at your IT department. Everyone from the janitors to the CEO must be a part of it because computer systems aren't used only by people with IT certifications. Even an authorized person entering your office could put your computer networks at risk.

One of the most important things you can do to make sure your company can thrive in our rapidly evolving cyber threat landscape is to establish and maintain a strong security culture. And that's what step 1 is all about. With this crucial step taken care of, the other seven steps in my book will be feasible. For a cybersecure business, start with people's behaviors and attitudes.

Let's start by demystifying the word hacker, shall we?

Hackers Are the Bad Guys, Right?

When most people hear the word hacker, they think of cybercriminals. Apparently, hackers are the bad guys. This is a misconception that's not only reinforced in Hollywood movies and TV shows but also in the news. When cyberattacks are covered in TV news shows, newspapers, magazines, and online news sources, the bad guys who perpetrate the crimes are called hackers. Those of us who promote a more accurate use of the word face an uphill battle with the public consciousness.

One of my favorite books of all time is Steven Levy's Hackers. It was published by Dell, Penguin, and O'Reilly in various editions between 1984 and 2010. That book is one of the best ways to learn about the history of actual computer hackers, beginning with the first proper electronic computer, ENIAC, deployed in 1948. Levy covers the history of hacking from the 1950s onward.

Hackers are people who find new and innovative ways to use computer technology. Some of the people who became famous billionaires in the tech industry, such as Steve Wozniak, Steve Jobs, Bill Gates, and Mark Zuckerberg, started as hackers themselves. In fact, the street address of Facebook's Menlo Park, California, headquarters is 1 Hacker Way.

Hackers developed the computer technologies you use every day: the TCP/IP backbone of the modern internet, the Linux kernels of the Android systems and Red Hat servers you interact with whether or not you're aware, the GNU Public License and MIT Public License, much of the open-source code you directly or indirectly use was published under, and so on.

Hacking can develop useful new technological applications. But hacking can also be used harmfully. The general public seems to have focused on the latter connotation of the word hacker in lieu of its original meaning.

Many computer programmers, cybersecurity professionals, software engineers, and other computer technology specialists call themselves hackers, in the spirit of the original meaning of the word. If someone innovates with computer technology, you can safely call them a hacker.

I'm an advocate of an organization called Hacking Is Not a Crime, led by my friends Bryan McAninch, Chloé Messdaghi, and Phillip Wylie. Wylie is also the coauthor of the first book I cowrote for Wiley, The Pentester Blueprint. The book you're reading right now is my debut solo work for Wiley. And Wylie isn't related to Charles Wiley, who founded this company back in 1807. But perhaps this illustrates how tight knit the cybersecurity and hacker communities are: we tend to know each other quite well.

I'm an idea person within the cybersecurity community, so my contribution to Hacking Is Not a Crime's mission to promote the positive use of the word hacker is to use my work in the media and writing books like this in a mindful and responsible way. During the many years I have been writing about cybersecurity and hacking, I always refer to the people who use computer technology to harm as cyberattackers, cybercriminals, or cyber threat actors. This distinction is a vital pillar of both cybersecurity culture and hacker culture.

Even if you're 100 percent businessperson and 0 percent computer geek, understanding this will help you work with cybersecurity professionals and foster a strong security culture.

What Is Security Culture?

Lifestyle and wellness writer Tim Ferris once said, “Culture is what happens when people are left to their own devices.” There are all kinds of cultures in our world, from ethnic cultures and national cultures to the goth subculture I belong to. Humanity is comprised of perhaps millions of different cultures, depending on your definition of the word. And chances are you belong to multiple cultures. As for myself, some of the cultures I belong to in addition to goth culture are hacker culture, cybersecurity culture, autistic culture, Anglo-Canadian culture, and JRPG, anime, and manga fan cultures.

If you work in business, you probably know what corporate culture is. It's how the people in your company behave, how the people in your company feel about it, and the attitudes and styles your company reinforces, whether that's done deliberately or accidentally. Corporate culture can affect employee morale, which can have a measurable effect on your bottom line.

A strong security culture encourages the people in your company to behave in ways that facilitate your resilience to cyberattacks and help protect your precious data.

I spoke to J. Wolfgang Goerlich, Duo Security advisory CISO of Cisco Systems. CISO stands for chief information security officer. CISOs bridge the gap between the suits and the nerds. Goerlich has years of experience in securing corporate business computer networks. Here's what he told me about security culture:

Security culture comes from a partnership between security champions and security advocates. A security advocate is a member of the security team who focuses on getting practices into the hands of the workforce. It's more common for us to talk about security champions. A security champion is a member of the business itself, who collaborates with the security team on best practices. A culture of security has advocates working with champions to interpret and implement security controls. In a well-run security practice, controls will be usable and widely adopted, because of the partnership of advocates and champions.

All security controls are useless if it is ignored. Good security is usable security. Good security is adopted security. The starting point, then, is empathy and kindness for the people we are charged with defending.

Daniel Chromek is CISO for ESET, a major developer of antivirus software and various security products. I believe that everyone in your organization needs to develop good security habits. Here's what Chromek told me about that:

I would stress the word everyone. I'm in a better position compared to my peers (CISOs of other companies, including those outside of the cybersecurity industry) as we are a security company. This means multiple things. It's easier to explain to my business managers, as they natively understand that “we are a security company” means our brand is based on the security of the company. And even people in departments that don't need to understand security management understand that branding is important.

Security culture means that part of awareness training is decentralized. If someone is targeted by phishing, then they can speak to a colleague in the same room (now virtual) and ask them to take a look into it instead of going through an IT ticketing system.

People aware of security can smell if they are being deceived by FUD, so the communication from the security team needs to be straightforward. (Both Merriam-Webster and Urban Dictionary define FUD as fear, uncertainty, and doubt.) Also, security-aware people can point out bad (security) control selection or implementation very quickly by replacing auditors or specialists.