Cyber Security: An Introduction for Non-Technical Managers
IMPORTANT: CEJISS is not associated with resellers. CEJISS is not responsible for the content of external links
In his Cyber Security, Jeremy Swinfen Green provides some insights for ‘non - technical managers’, as the subtitle suggests. His intention is to map, after trying to give a holistic definition of the term, all the risks associated with the improper, malicious or incorrect use of technology, both for individuals and for companies. Understanding where the leak lies is critical in order to develop an effective strategy to address them, especially in a fully digitized world that puts a huge amount of data, private information and strategic projects online. Moreover, risks can cause damages to a company's organisational structure, to its operational efficiency, to the actual functioning of some components of the IT process and, not least, to its reputation on the market.
The book is divided by the author into three parts: the first one introduces what cybersecurity is, then those organizational steps that need to be taken to deal with risks and threats, and finally, that set of means and technologies aimed at protecting computer systems in terms of availability, confidentiality and integrity of computer assets.
In the second part, Green gives us an overview of the main threats to cybersecurity. By examining the most popular types of attacks, such as SQL injections, cross-site scripting, DOS or DDOS attacks, the author's advice is to develop a technology that protects individual applications rather than the entire IT infrastructure. The text also presents numerous case studies that help us understand when the theory of cybersecurity clashes with the practice of reality, as in the famous case of Edward Snowden or the theft from Apple's iCloud in 2014. What emerges from the pages of the book is that the most viable solution is to educate both technical people and laypersons to cybersecurity. This is a crucial issue because threats often lie not only in the willingness of hackers, but also in employees who are not accustomed to the most basic security procedures, or to customers and partners who fail to manage, voluntarily or not, a significant amount of valuable data. Risks that can result from malicious behaviour are enormous: monetary theft, server or computer damages, identity theft, loss of personal data, a drastic reduction in business, the inability to participate in online sales, theft of strategic information, theft of IP, damage to credibility and, above all, expensive repair costs.
We should be aware that information must be protected and to do so we must encrypt most of the files and make them inaccessible to unwanted people. Equipping ourselves with excellent antivirus systems, using appropriate security software or two-factor authentication are just some of the solutions that could make our life online easier and safer. We must also address the fact that the possibility of a cyber threat cannot be eliminated completely, but we can work to reduce the risk of being attacked. The author's valuable suggestion is that we should not believe that threats come only from organized groups of hackers who necessarily have a political or economic motive. Risks are hidden everywhere, even by connecting to a public WI-FI, or by misusing social networks.
In the third part, the author warns us of the importance of having a cybersecurity strategy, but before developing one we must understand that these security measures do not only have to do with the technological equipment owned by an organization: rather, it is an imperative in which everyone must be involved, from the executive director to the newcomer.
To be effective, a strategy must be holistic, involve the entire structure, appropriate, classify the right data, be conducted effectively, agile, lean, and engaging. Obviously, the whole process includes previous prevention, and a subsequent response. After having identified the risks, we can understand how to mitigate them, plan a response, test our plans and make them effective for the future. According to the author, there are many ways to manage risks: avoiding them, transferring them, reducing them and preserving them, but undoubtedly the most important is the framework of the cyber kill-chain, which is a model to reveal the stages of a cyberattack from recognition to annihilation.
The author closes this introduction to the world of cybersecurity by emphasizing the need for a company or organization to have digital governance, that is, the framework to establish responsibilities, roles and decision-making authorities for the online presence of a company, i.e. all its websites, mobile sites, social channels and any other Internet-enabled product. Digital governance is the framework for establishing awareness, control and achievement in the collection of online data. Establishing it is not easy; it is a real but necessary challenge, because in a completely digitalized world it becomes a priority for every company that wants to survive threats and build resilience to future risks.
Green offers a flowing text that is also suitable for a layman in the sector, even those who are not involved in cybersecurity on a daily basis, as demonstrated by the glossary of the main terms of computer language in the book. It is not meant to instruct, but rather to make experts and non-experts aware of the nature of the risks and threats that lie behind the wrong use of technology. For too long, cybersecurity has been relegated to the information technology sector but today, whether we like it or not, it belongs to a series of areas that, for coordination and organizational needs, must intersect to form a holistic network that protects people, companies and governments from cyber threats.