
8 Steps to Better Security
Description
In 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business, cybersecurity researcher and writer Kim Crawley delivers a grounded and practical roadmap to cyber resilience in any organization. Offering you the lessons she learned while working for major tech companies like Sophos, AT&T, BlackBerry Cylance, Tripwire, and Venafi, Crawley condenses the essence of business cybersecurity into eight steps.
Written to be accessible to non-technical businesspeople as well as security professionals, and with insights from other security industry leaders, this important book will walk you through how to:
* Foster a strong security culture that extends from the custodial team to the C-suite
* Build an effective security team, regardless of the size or nature of your business
* Comply with regulatory requirements, including general data privacy rules and industry-specific legislation
* Test your cybersecurity, including third-party penetration testing and internal red team specialists
Perfect for CISOs, security leaders, non-technical businesspeople, and managers at any level, 8 Steps to Better Security is also a must-have resource for companies of all sizes, and in all industries.
Content
Introduction
Pandora's box has been opened. Businesses in all industries run on computer data, and now there's no turning back.
When I was little, offices were still full of filing cabinets. Each customer, patient, client, vendor, and supplier had their own labeled manila folder in one of those cabinets. In fact, many offices have kept their filing cabinets well into the 21st century. Spilling your coffee on a few forms could damage lucrative business data. Unauthorized data access happened if someone found the secretary's physical key and unlocked cabinets they weren't entitled to. Some cabinets were designed to be fire resistant. But backing up all that data to a second location for the sake of business continuity in a disaster is always a good idea, one that was often not conducted because a clerk would have to put each page through the photocopier one by one, ever so tediously.
Now businesses keep their lucrative data on computers, whether that business is Smith's Convenience on the street corner or a multibillion-dollar military contractor. Some of these businesses still have filing cabinets, but they're working hard to digitize as much as possible.
The computer data that flows through businesses in all industries isn't just sensitive data on customers. It isn't all precious financial data, either. Some of it is security patches for our operating systems, applications, and firmware. Some of it is the email your employees are sending and receiving, whether on a company-owned PC or on their phone wherever they are. Some of it even keeps devices in the office running: your smart thermostats and your internet-connected heart monitors.
Keeping all the data that flows through your business secure is absolutely vital. Otherwise, a cybercriminal could steal your trade secrets or your clients' credit card data. Or they could perform a distributed denial-of-service attack on your production systems. Or they could infect your whole network with ransomware, both on the premises and on the cloud. Your company can be liable for any sensitive data that's stolen, especially if it results in your customers and vendors being harmed. And if your production systems face even a couple of hours of downtime, your business could lose millions in productivity. Chances are there are data privacy and security regulations that also apply to your business, and you could face hefty fines for security incidents and noncompliance. Often, fines can be in the millions under laws such as the European Union's General Data Protection Regulation.
A few hundred thousand dollars spent on improving your security will likely save your business millions of dollars in the long run. But simply spending money isn't enough. You need to spend it wisely, and you need to work on security every day. As cybersecurity expert Bruce Schneier says, "Security is a process, not a product."
I have spent the past several years researching and writing about cybersecurity for business on behalf of many major tech brands, such as AT&T Cybersecurity, Venafi, BlackBerry Cylance, Comodo, and Sophos. And every day I work, I have discussions with people who directly work on improving the security of businesses of all sizes and in a wide variety of industries.
I know it can be overwhelming when people are tasked with improving their company's cybersecurity. Where do you start? More importantly, how do you convince your executives that having a decent security budget and hiring security professionals is important? It's a struggle many people around the world face all the time.
I'm a regular computer security geek. But I've been adjacent to businesspeople my whole life. My (now retired) mother went from working in payroll to being a human resources director and vice president for Bayerische Landesbank back when they had a Toronto branch in the 1990s. I have friends who work as equity traders for companies like Manulife Financial. More importantly, I'm friends with many chief information security officers (CISOs).
So, I'm a geek and a "creative class" person according to Richard Florida. But although I don't fit in with the suits on Bay Street and Wall Street, I know how they think. I know what makes them tick: money, of course!
Ultimately, applying the advice in this book will cost you money, but it will save your business a lot more money over time. Spend $1 now to prevent losing $10 in the future. Think beyond next quarter's profits! Security-harden your business for the years ahead.
I'm going to be honest with you. Looking at the business bestsellers often makes me cringe. I distrust all books that say they're going to make me rich. I'm not an individualist-capitalist (I don't have any capital!); I believe in society, and I believe we're all interdependent. I think some of your success is in your hands, but a lot of your fate is in the hands of other people. I strongly believe that absolutely no one is "self-made."
I pride myself in sharing honest and useful information with the world, not tips on how to leverage market disruption for maximum capital gains, or whatever. I might as well tell you a 100 percent cabbage soup diet will make you permanently skinny and cure all disease on Earth. Honestly, my conscience doesn't feel good about that stuff. This book is for businesspeople, whether you wear a Brooks Brothers suit or a Lacoste polo shirt and khakis or a hard hat and overalls or jeans and a T-shirt. Cyber threats are bad now, and they'll only get worse. Make sure your business thrives in the ever-evolving cyber threat landscape with the eight steps in this book.
That's what I love to do: take useful information, share it in simple language, and break it down into manageable little bites. This book won't make your brain hurt. You can read one chapter at a time, or even just a few pages at a time, and glean useful insight that you can use in your everyday lives, as long as working in a business is part of your everyday life.
This book is based on the research I've done and knowledge I've acquired through years of work as a cybersecurity news and information scribe. And my knowledge is augmented with the insight of many of the world's top CISOs and other business leaders in security. It was a great pleasure for me to interview all these people and pick their brains a little bit for your benefit. This book is further enhanced with the findings of business security research studies and the aftermath of some of the most notable business security incidents. Mistakes become valuable when we make sure we learn from them!
Let's summarize the topics I cover in this book. Chapters 1 through 8 cover what this book is all about: 8 Steps to Better Security. Each of those chapters is one of those steps. Chapter 9 will show you how to put it all together.
- Chapter 1, "Step 1: Foster a Strong Security Culture": This is where everything starts: not with an audit or a security budget, but with how to make sure everyone in your organization takes security seriously, from your janitor to your CEO. Policy is vital, but it's useful only if it influences people's behavior. The best information security policies in the world become ineffective if people don't abide by them and enforce them. I'm fascinated by psychology and sociology, and these areas are a lot more important to cybersecurity than laypeople assume. This chapter will explain how you can begin to foster a strong security culture, whether you're a new startup or a 50-year-old company. If you do something more than three times, it'll become a habit. Making sure your habits and attitudes are good will set the foundation for everything your business does with regard to cybersecurity. Effective information security is paramount in the 21st century, regardless of your company's industry or size. So, let's get off to the best possible start. This chapter will show you how.
- Chapter 2, "Step 2: Build a Security Team": If your company is medium-sized or larger, you'll benefit from having staff who work on cybersecurity as their full-time job. If your company is smaller, your one to five IT specialists will need to be tasked to manage your business's information security, even if your IT specialist is the nerd who comes into your little shop once a week to make sure your point-of-sale works properly. How your company builds a security team will vary according to your size and industry. The principles and advice in this chapter are designed to be useful for businesses of all kinds. The buck must stop somewhere. Make sure the buck stops with people who are ready to security-harden your company and rise to the challenge of any potential security incidents. This chapter includes tips on what sort of experience and credentials people should have in particular roles, so you can hire and delegate intelligently.
- Chapter 3, "Step 3: Regulatory Compliance": In business-speak, this is a major "pain point" for most companies. Pretty much all companies of all sizes and in all industries must comply with your region's general data privacy regulations. On top of that, if your company is in the medical field, there are usually regulations specific to healthcare data that must be complied with. If your company is in finance, there are usually financial-sector data privacy regulations as well. On top of that, if your company is in or deals with the public sector, there...
System requirements
File format: ePUB
Copy protection: Adobe-DRM (Digital Rights Management)
System requirements:
- Computer (Windows; MacOS X; Linux): Install the free reader Adobe Digital Editions prior to download (see eBook Help).
- Tablet/smartphone (Android; iOS): Install the free app Adobe Digital Editions or the app PocketBook before downloading (see eBook Help).
- E-reader: Bookeen, Kobo, Pocketbook, Sony, Tolino and many more (not Kindle).
The file format ePub works well for novels and non-fiction books – i.e., "flowing" text without complex layout. On an e-reader or smartphone, line and page breaks automatically adjust to fit the small displays.
This eBook uses Adobe-DRM, a "hard" copy protection. If the necessary requirements are not met, unfortunately you will not be able to open the eBook. You will therefore need to prepare your reading hardware before downloading.
Please note: We strongly recommend that you authorise using your personal Adobe ID after installation of any reading software.
For more information, see our ebook Help page.