
Cyber Guardians

Empowering Board Members for Effective Cybersecurity

Bart R. McDonough (Certifiable Solutions, LLC)

$65.95

Hardback


English
John Wiley & Sons Inc
01 December 2023
A comprehensive overview for directors aiming to meet their cybersecurity responsibilities

In Cyber Guardians: Empowering Board Members for Effective Cybersecurity, veteran cybersecurity advisor Bart McDonough delivers a comprehensive and hands-on roadmap to effective cybersecurity oversight for directors and board members at organizations of all sizes. The author includes real-world case studies, examples, frameworks, and blueprints that address relevant cybersecurity risks, including the industrialized ransomware attacks so commonly found in today’s headlines.

In the book, you’ll explore the modern cybersecurity landscape, legal and regulatory requirements, risk management and assessment techniques, and the specific role played by board members in developing and promoting a culture of cybersecurity. You’ll also find:

- Examples of cases in which board members failed to meet regulatory and legal requirements to notify the victims of a data breach about the incident, and the consequences they faced as a result
- Specific and actionable cybersecurity implementation strategies written for readers without a technical background
- What to do to prevent a cybersecurity incident, and how to respond should one occur in your organization

A practical and accessible resource for board members at firms of all shapes and sizes, Cyber Guardians is relevant across industries and sectors and a must-read guide for anyone with a stake in robust organizational cybersecurity.

By:   Bart R. McDonough
Imprint:   John Wiley & Sons Inc
Country of Publication:   United States
Dimensions:   Height: 216mm, Width: 145mm, Spine: 20mm
Weight:   340g
ISBN:   9781394226221
ISBN 10:   1394226225
Pages:   288
Publication Date:   01 December 2023
Audience:   General/trade, ELT Advanced
Format:   Hardback
Publisher's Status:   Active
Contents:

Preface: What to Expect from This Book

Chapter 1 Introduction
  - Summary of a Board's Incident Response
  - Checklist for a Board's Incident Response

Chapter 2 Cybersecurity Basics
  - CIA Framework
  - Key Cybersecurity Concepts and Terminology for Board Members
    - Threats and Risks
    - Vulnerabilities and Exploits
    - Malware
    - Social Engineering
    - Encryption and Data Protection
    - Authentication and Access Control
  - Common Cyber Threats and Risks Faced by Companies
    - Phishing
    - Malware
    - Ransomware
    - Business Email Compromise
    - Insider Threats
    - Third-Party Risk
    - Mistakes/Errors
  - Emerging Threats
    - Advanced Persistent Threats
    - Supply Chain Attacks
    - Data Destruction
    - Zero-Day Exploits
    - Internet of Things Attacks
    - Cloud Security
    - Mobile Device Security
  - Key Technologies and Defense Strategies
    - Firewall Technology
    - Intrusion Detection/Prevention Systems
    - Encryption
    - Multifactor Authentication
    - Virtual Private Network
    - Antivirus and Anti-malware Software
    - Endpoint Detection and Response
    - Patch Management
    - Cloud Technology
    - Identity and Access Management
    - Mobile Device Management
    - Data Backup and Recovery
    - Zero-Trust Architecture
    - Micro-segmentation
    - Secure Access Service Edge
    - Containerization
    - Artificial Intelligence and Machine Learning
    - Blockchain
    - Quantum Computing
  - Threat Intelligence
    - What Is Threat Intelligence?
    - How Can Threat Intelligence Help Organizations?
    - What Should Board Members Know About Threat Intelligence?
  - Threat Actors
    - External Threat Actors
      - State-Sponsored Attackers
      - Hacktivists
      - Cybercriminals
      - Competitors
      - Terrorists
    - Internal Actors
      - Employees
      - Contractors
      - Third-Party Vendors
  - Motivations of Threat Actors
    - Financial Gain
    - Political and Strategic Objectives
    - Ideological Beliefs
    - Personal Motivations
  - Tactics, Techniques, and Procedures
    - Examples of TTPs Used by Different Threat Actors
    - MITRE ATT&CK Framework
  - Chapter 2 Summary

Chapter 3 Legal and Regulatory Landscape
  - Overview of Relevant Cybersecurity Regulations and Laws
    - Federal Regulations in the United States
      - The Federal Trade Commission Act
      - The Gramm-Leach-Bliley Act
      - The Health Insurance Portability and Accountability Act
    - State Regulations in the United States
      - Data Breach Notification Laws
      - California Consumer Privacy Act
    - European Union Regulations
      - General Data Protection Regulation
      - Network and Information Security Directive
      - ePrivacy Directive
    - Industry Standards
      - Payment Card Industry Data Security Standard
      - National Institute of Standards and Technology
    - Securities Exchange Commission
      - 2011 Cybersecurity Disclosure Guidance
      - 2018 Cybersecurity Disclosure Guidance
      - 2023 Proposal for New Cybersecurity Requirements
  - Discussion of Compliance Requirements and Industry Standards
    - Compliance Requirements
      - Sarbanes-Oxley Act
      - New York State Department of Financial Services Cybersecurity Regulation
    - Industry Standards
      - Center for Internet Security Controls
      - International Organization for Standardization 27001
  - Individual Director Liability
  - Chapter 3 Summary

Chapter 4 Board Oversight of Cybersecurity
  - The Board's Role in Overseeing Cybersecurity Strategy
  - Legal Responsibilities
  - Developing an Effective Cybersecurity Governance Framework
  - Best Practices for Board Engagement and Reporting
    - Regular Reporting
    - Use of Metrics
    - Executive Briefings
    - Cybersecurity Drills
    - Independent Assessments
  - Overcoming Objections to Effective Cybersecurity Oversight
  - Promoting a Cybersecurity Culture
  - Chapter 4 Summary

Chapter 5 Board Oversight of Cybersecurity: Ensuring Effective Governance
  - The Role of the Board in Overseeing Cybersecurity
  - Developing an Effective Cybersecurity Governance Framework
    - Conduct a Cybersecurity Risk Assessment
    - Implement a Threat Intelligence Program
    - Develop a Risk Management Framework
    - Prioritize High-Impact Risks
    - Regularly Review and Update Risk Management Strategies
  - Strategies for Identifying, Assessing, and Prioritizing Cyber Risks
  - Conducting Cybersecurity Risk Assessments
  - How to Develop and Promote a Culture of Cybersecurity
  - Chapter 5 Summary

Chapter 6 Incident Response and Business Continuity Planning
  - Implementing Cybersecurity Policies and Procedures
  - Incident Response and Business Continuity Planning
    - Incident Response Plan
    - Business Continuity Planning
  - Incident Response Planning
  - Defining the Types of Assessments
    - Penetration Testing
    - Vulnerability Scanning
    - Security Risk Assessments
    - Threat Modeling
    - Social Engineering Assessments
    - Compliance Assessments
    - Red Team/Blue Team Exercise
  - Chapter 6 Summary

Chapter 7 Vendor Management and Third-Party Risk
  - The Importance of Third-Party Risk Management for Board Members
  - Best Practices for Managing Third-Party Cyber Risk
  - Legal and Regulatory Considerations in Third-Party Risk Management
  - Sample Questions to Ask Third-Party Vendors
  - Chapter 7 Summary

Chapter 8 Cybersecurity Training and Awareness
  - Importance of Cybersecurity Awareness for All Employees
  - Strategies for Providing Effective Training and Awareness Programs
  - More Detail on Effective Training Strategies
  - Chapter 8 Summary

Chapter 9 Cyber Insurance
  - Understanding Cyber Insurance
    - What Is Cyber Insurance?
    - Why Is Cyber Insurance Important?
    - Evolution of Cyber Insurance
    - The Role of the Board in Cyber Insurance
  - Key Components of Cyber Insurance
    - Types of Coverage
    - Policy Limits and Deductibles
    - Exclusions
    - Retroactive Dates
    - Policy Periods
    - Cyber Risk Assessments
  - Evaluating and Purchasing Cyber Insurance
    - Assessing the Organization's Risk Profile
    - Determining the Appropriate Level of Coverage
    - Selecting an Insurer
    - Negotiating Terms and Conditions
    - Implementing the Policy
  - Managing and Reviewing the Cyber Insurance Policy
    - Filing a Claim
    - Managing a Claim Dispute
    - Reviewing and Renewing the Policy
  - Chapter 9 Summary

Chapter 10 Conclusion: Moving Forward with Cybersecurity Governance
  - The Board's Role in Cybersecurity Governance
  - Key Takeaways and Action Items for Board Members
  - Chapter 10 Summary

Appendix A Checklist of Key Considerations for Board Members
Appendix B Sample Questions
Appendix C Sample Board Meeting Agenda
Appendix D List of Key Vendors
Appendix E Cybersecurity Resources
Appendix F Cybersecurity Books
Appendix G Cybersecurity Podcasts
Appendix H Cybersecurity Websites and Blogs
Appendix I Tabletop Exercise: Cybersecurity Incident Response
Appendix J Articles
About the Author
Acknowledgments
Index

BART R. McDONOUGH, CEO and Founder of Agio, draws on more than 20 years of IT and cybersecurity experience to explain complex cybersecurity subjects in plain terms. His earlier book, Cyber Smart, is a user-friendly guide to cybersecurity for professionals and families alike. In addition to advising boards on cybersecurity strategy, McDonough has served as a member of several boards, and over his career he has provided cybersecurity counsel to some of the world's largest money managers. He received his undergraduate degree from the University of Connecticut and his Master's degree from Yale University.
