Kim Crawley - 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business

Kim Crawley

I first met Kim Crawley in person in October 2019, in Toronto at SecTor, Canada's version of DEFCON. We'd been acquainted for a long time via Twitter, and she was the one who originally turned me onto SecTor and inspired me to submit a talk, citing the merits of her hometown and the conference. She was right about both. In between the superb sessions there, amidst the fantastic energy of that conference and the international vibe of the city, we walked around and talked about information security, cyber resilience, and neurodiversity, topics woven deeply into the fabric of both our lives. Over lunch one afternoon, our conversation came around to how our industry can do a better job of helping small and midsize organizations better prepare for strategic response to cybercrime. We agreed that by helping smaller and more vulnerable organizations, the larger organizations and the collective industry as a whole would also benefit. We compared notes on tactics and strategies that don't have to cost a lot of time or money.

Shortly after our time and discussions at SecTor, Covid-19 hit. Kim didn't slow down. She founded DisInfoSec, a pop-up infosec conference showcasing infosec professionals who identify as neurodivergent (including ADD, AHDH, autism, Asperger's, dyslexia, and more). Inspired by Lesley Carhart's PancakesCon and other events, DisInfoSec was a first-of-its-kind event and took place on July 11, 2020. The con included a lot of great talks and raised funds for the Autistic Self Advocacy Network, the Autistic Women and Nonbinary Network, and the Council of Canadians with Disabilities. Kim's commitment to improving inclusion and nudging the world to a better place is showcased in her actions, and this new book is merely an extension of her productive mindset.

If you're new to Kim's work, her past and present articles on infosec and cyber for AT&T Cybersecurity, Cylance, and others are some of the most accessible to read, especially for anyone who is new to those topics. Kim writes with spirit and an intimate awareness of the diverse audiences who may be reading, which makes her style a stand-out. Her new book is no exception: 8 Steps to Better Security: A Simple Cyber Resilience Guide for Business is an easy read for first-timers, seasoned veterans, and anyone else keen to learn more about infosec and cyber resilience using practical, quick-win steps you can take right away to better prepare your organization for a strategic response to unplanned events that would otherwise compromise your productivity, reputation, and bottom line. That's real peace of mind, and I don't know about you, but these days I'll take all of that I can get. Enjoy the book!

Chad Calease

Chief Information Security Officer

https://resilience.sh

Pandora's box has been opened. Businesses in all industries run on computer data, and now there's no turning back.

When I was little, offices were still full of filing cabinets. Each customer, patient, client, vendor, and supplier had their own labeled manila folder in one of those cabinets. In fact, many offices have kept their filing cabinets well into the 21st century. Spilling your coffee on a few forms could damage lucrative business data. Unauthorized data access happened if someone found the secretary's physical key and unlocked cabinets they weren't entitled to. Some cabinets were designed to be fire resistant. But backing up all that data to a second location for the sake of business continuity in a disaster is always a good idea, one that was often not conducted because a clerk would have to put each page through the photo copier one by one, ever so tediously.

Now businesses keep their lucrative data on computers, whether that business is Smith's Convenience on the street corner or a multibillion-dollar military contractor. Some of these businesses still have filing cabinets, but they're working hard to digitize as much as possible.

The computer data that flows through businesses in all industries isn't just sensitive data on customers. It isn't all precious financial data, either. Some of it is security patches for our operating systems, applications, and firmware. Some of it is the email your employees are sending and receiving, whether on a company-owned PC or on their phone wherever they are. Some of it even keeps devices in the office runningyour smart thermostats and your internet-connected heart monitors.

Keeping all the data that flows through your business secure is absolutely vital. Otherwise, a cybercriminal could steal your trade secrets or your clients' credit card data. Or they could perform a distributed denial-of-service attack on your production systems. Or they could infect your whole network with ransomware, both on the premises and on the cloud. Your company can be liable for any sensitive data that's stolen, especially if it results in your customers and vendors being harmed. And if your production systems face even a couple of hours of downtime, your business could lose millions in productivity. Chances are there are data privacy and security regulations that also apply to your business, and you could face hefty fines for security incidents and noncompliance. Often, fines can be in the millions under laws such as the European Union's General Data Protection Regulation.

A few hundred thousand dollars spent on improving your security will likely save your business millions of dollars in the long run. But simply spending money isn't enough. You need to spend it wisely, and you need to work on security every day. As cybersecurity expert Bruce Schneier says, Security is a process, not a product.

I have spent the past several years researching and writing about cybersecurity for business on behalf of many major tech brands, such as AT&T Cybersecurity, Venafi, BlackBerry Cylance, Comodo, and Sophos. And every day I work, I have discussions with people who directly work on improving the security of businesses of all sizes and in a wide variety of industries.

I know it can be overwhelming when people are tasked with improving their company's cybersecurity. Where do you start? More importantly, how do you convince your executives that having a decent security budget and hiring security professionals is important? It's a struggle many people around the world face all the time.

I'm a regular computer security geek. But I've been adjacent to businesspeople my whole life. My (now retired) mother went from working in payroll to being a human resources director and vice president for Bayerische Landesbank back when they had a Toronto branch in the 1990s. I have friends who work as equity traders for companies like Manulife Financial. More importantly, I'm friends with many chief information security officers (CISOs).

So, I'm a geek and a creative class person according to Richard Florida. But although I don't fit in with the suits on Bay Street and Wall Street, I know how they think. I know what makes them tick: money, of course!

Ultimately, applying the advice in this book will cost you money, but it will save your business a lot more money over time. Spend $1 now to prevent losing $10 in the future. Think beyond next quarter's profits! Security-harden your business for the years ahead.

I'm going to be honest with you. Looking at the business bestsellers often makes me cringe. I distrust all books that say they're going to make me rich. I'm not an individualist-capitalist (I don't have any capital!); I believe in society, and I believe we're all interdependent. I think some of your success is in your hands, but a lot of your fate is in the hands of other people. I strongly believe that absolutely no one is self-made.