Cyber Guardians

Empowering Board Members for Effective Cybersecurity
1st edition

by: Bart R. McDonough

25,99 €

Publisher: Wiley
Format: EPUB
Published: 08.08.2023
ISBN/EAN: 9781394226238
Language: English
Number of pages: 288

DRM-protected eBook; to read it you need, for example, Adobe Digital Editions and an Adobe ID.

Descriptions

A comprehensive overview for directors aiming to meet their cybersecurity responsibilities

In Cyber Guardians: Empowering Board Members for Effective Cybersecurity, veteran cybersecurity advisor Bart McDonough delivers a comprehensive and hands-on roadmap to effective cybersecurity oversight for directors and board members at organizations of all sizes. The author includes real-world case studies, examples, frameworks, and blueprints that address relevant cybersecurity risks, including the industrialized ransomware attacks so commonly found in today's headlines.

In the book, you'll explore the modern cybersecurity landscape, legal and regulatory requirements, risk management and assessment techniques, and the specific role played by board members in developing and promoting a culture of cybersecurity. You'll also find:

- Examples of cases in which board members failed to adhere to regulatory and legal requirements to notify the victims of data breaches about a cybersecurity incident, and the consequences they faced as a result
- Specific and actionable cybersecurity implementation strategies written for readers without a technical background
- What to do to prevent a cybersecurity incident, as well as how to respond should one occur in your organization

A practical and accessible resource for board members at firms of all shapes and sizes, Cyber Guardians is relevant across industries and sectors and a must-read guide for anyone with a stake in robust organizational cybersecurity.
Table of Contents

Preface: What to Expect from This Book xv

Chapter 1 Introduction 1
  Summary of a Board's Incident Response 5
  Checklist for a Board's Incident Response 8

Chapter 2 Cybersecurity Basics 11
  CIA Framework 13
  Key Cybersecurity Concepts and Terminology for Board Members 19
  Threats and Risks 19
  Vulnerabilities and Exploits 20
  Malware 21
  Social Engineering 22
  Encryption and Data Protection 23
  Authentication and Access Control 24
  Common Cyber Threats and Risks Faced by Companies 26
  Phishing 26
  Malware 27
  Ransomware 28
  Business Email Compromise 29
  Insider Threats 30
  Third-Party Risk 31
  Mistakes/Errors 32
  Emerging Threats 33
  Advanced Persistent Threats 34
  Supply Chain Attacks 35
  Data Destruction 36
  Zero-Day Exploits 37
  Internet of Things Attacks 38
  Cloud Security 39
  Mobile Device Security 40
  Key Technologies and Defense Strategies 42
  Firewall Technology 42
  Intrusion Detection/Prevention Systems 43
  Encryption 44
  Multifactor Authentication 45
  Virtual Private Network 46
  Antivirus and Anti-malware Software 47
  Endpoint Detection and Response 48
  Patch Management 49
  Cloud Technology 49
  Identity and Access Management 50
  Mobile Device Management 51
  Data Backup and Recovery 52
  Zero-Trust Architecture 54
  Micro-segmentation 55
  Secure Access Service Edge 56
  Containerization 56
  Artificial Intelligence and Machine Learning 57
  Blockchain 59
  Quantum Computing 61
  Threat Intelligence 64
  What Is Threat Intelligence? 65
  How Can Threat Intelligence Help Organizations? 65
  What Should Board Members Know About Threat Intelligence? 66
  Threat Actors 67
  External Threat Actors 68
  State-Sponsored Attackers 68
  Hacktivists 70
  Cybercriminals 70
  Competitors 72
  Terrorists 72
  Internal Actors 73
  Employees 73
  Contractors 75
  Third-Party Vendors 76
  Motivations of Threat Actors 77
  Financial Gain 77
  Political and Strategic Objectives 78
  Ideological Beliefs 79
  Personal Motivations 80
  Tactics, Techniques, and Procedures 81
  Examples of TTPs Used by Different Threat Actors 81
  MITRE ATT&CK Framework 83
  Chapter 2 Summary 85

Chapter 3 Legal and Regulatory Landscape 87
  Overview of Relevant Cybersecurity Regulations and Laws 90
  Federal Regulations in the United States 90
  The Federal Trade Commission Act 90
  The Gramm-Leach-Bliley Act 92
  The Health Insurance Portability and Accountability Act 94
  State Regulations in the United States 97
  Data Breach Notification Laws 97
  California Consumer Privacy Act 99
  European Union Regulations 101
  General Data Protection Regulation 101
  Network and Information Security Directive 102
  ePrivacy Directive 104
  Industry Standards 105
  Payment Card Industry Data Security Standard 105
  National Institute of Standards and Technology 107
  Securities Exchange Commission 108
  2011 Cybersecurity Disclosure Guidance 108
  2018 Cybersecurity Disclosure Guidance 108
  2023 Proposal for New Cybersecurity Requirements 109
  Discussion of Compliance Requirements and Industry Standards 112
  Compliance Requirements 112
  Sarbanes-Oxley Act 112
  New York State Department of Financial Services Cybersecurity Regulation 114
  Industry Standards 117
  Center for Internet Security Controls 117
  International Organization for Standardization 27001 118
  Individual Director Liability 120
  Chapter 3 Summary 124

Chapter 4 Board Oversight of Cybersecurity 127
  The Board's Role in Overseeing Cybersecurity Strategy 129
  Legal Responsibilities 130
  Developing an Effective Cybersecurity Governance Framework 131
  Best Practices for Board Engagement and Reporting 133
  Regular Reporting 133
  Use of Metrics 134
  Executive Briefings 136
  Cybersecurity Drills 137
  Independent Assessments 138
  Overcoming Objections to Effective Cybersecurity Oversight 139
  Promoting a Cybersecurity Culture 141
  Chapter 4 Summary 143

Chapter 5 Board Oversight of Cybersecurity: Ensuring Effective Governance 145
  The Role of the Board in Overseeing Cybersecurity 147
  Developing an Effective Cybersecurity Governance Framework 150
  Conduct a Cybersecurity Risk Assessment 150
  Implement a Threat Intelligence Program 150
  Develop a Risk Management Framework 150
  Prioritize High-Impact Risks 151
  Regularly Review and Update Risk Management Strategies 151
  Strategies for Identifying, Assessing, and Prioritizing Cyber Risks 152
  Conducting Cybersecurity Risk Assessments 154
  How to Develop and Promote a Culture of Cybersecurity 156
  Chapter 5 Summary 158

Chapter 6 Incident Response and Business Continuity Planning 161
  Implementing Cybersecurity Policies and Procedures 164
  Incident Response and Business Continuity Planning 165
  Incident Response Plan 166
  Business Continuity Planning 166
  Incident Response Planning 167
  Defining the Types of Assessments 170
  Penetration Testing 170
  Vulnerability Scanning 171
  Security Risk Assessments 173
  Threat Modeling 174
  Social Engineering Assessments 175
  Compliance Assessments 176
  Red Team/Blue Team Exercise 177
  Chapter 6 Summary 178

Chapter 7 Vendor Management and Third-Party Risk 181
  The Importance of Third-Party Risk Management for Board Members 183
  Best Practices for Managing Third-Party Cyber Risk 184
  Legal and Regulatory Considerations in Third-Party Risk Management 185
  Sample Questions to Ask Third-Party Vendors 187
  Chapter 7 Summary 189

Chapter 8 Cybersecurity Training and Awareness 191
  Importance of Cybersecurity Awareness for All Employees 193
  Strategies for Providing Effective Training and Awareness Programs 195
  More Detail on Effective Training Strategies 198
  Chapter 8 Summary 200

Chapter 9 Cyber Insurance 201
  Understanding Cyber Insurance 202
  What Is Cyber Insurance? 202
  Why Is Cyber Insurance Important? 203
  Evolution of Cyber Insurance 204
  The Role of the Board in Cyber Insurance 204
  Key Components of Cyber Insurance 205
  Types of Coverage 205
  Policy Limits and Deductibles 206
  Exclusions 207
  Retroactive Dates 207
  Policy Periods 208
  Cyber Risk Assessments 208
  Evaluating and Purchasing Cyber Insurance 209
  Assessing the Organization's Risk Profile 209
  Determining the Appropriate Level of Coverage 210
  Selecting an Insurer 211
  Negotiating Terms and Conditions 211
  Implementing the Policy 212
  Managing and Reviewing the Cyber Insurance Policy 213
  Filing a Claim 213
  Managing a Claim Dispute 214
  Reviewing and Renewing the Policy 214
  Chapter 9 Summary 215

Chapter 10 Conclusion: Moving Forward with Cybersecurity Governance 219
  The Board's Role in Cybersecurity Governance 222
  Key Takeaways and Action Items for Board Members 225
  Chapter 10 Summary 226

Appendix A Checklist of Key Considerations for Board Members 229
Appendix B Sample Questions 231
Appendix C Sample Board Meeting Agenda 233
Appendix D List of Key Vendors 235
Appendix E Cybersecurity Resources 237
Appendix F Cybersecurity Books 239
Appendix G Cybersecurity Podcasts 241
Appendix H Cybersecurity Websites and Blogs 243
Appendix I Tabletop Exercise: Cybersecurity Incident Response 245
Appendix J Articles 249
About the Author 253
Acknowledgments 255
Index 257
About the Author

BART R. McDONOUGH, the CEO and Founder of Agio, uses his extensive 20-plus years of IT and cybersecurity expertise to decode complex cybersecurity subjects, establishing him as a reliable resource for clients. His acclaimed book Cyber Smart provides a user-friendly guide to navigating the intricate landscape of cybersecurity for professionals and families alike. In addition to his role as a strategic cybersecurity advisor to boards, McDonough has also contributed valuable insights and perspectives as a member of several boards. Throughout his notable career, he has offered expert cybersecurity counsel to some of the world's premier money managers. Bart received his undergraduate degree from the University of Connecticut and his Master's degree from Yale University.

AN EASY-TO-READ BLUEPRINT FOR CONTEMPORARY CYBERSECURITY THAT RESPONDS TO TODAY'S MOST URGENT RISKS

Cyber Guardians: Empowering Board Members for Effective Cybersecurity is an insightful and comprehensive discussion of how to apply contemporary cybersecurity best practices to companies of all shapes and sizes. In the book, veteran cybersecurity advisor Bart McDonough walks you through how to fulfil your directorial responsibilities as a board member at an organization with respect to IT and data security.

Written specifically for those without an extensive technical background, the book teaches you the current cybersecurity landscape, the legal and regulatory requirements you're bound by, and the importance of risk management and assessments in the maintenance of responsible cybersecurity policies and frameworks. It also includes real-world case studies and examples of cybersecurity done right and wrong, demonstrating the consequences to organizations and board members of failing to comply with relevant legislation and regulations.

Cyber Guardians is the intuitive and practical guide that officers, directors, and managers across organizations of any size have been seeking, paving the way towards responsible cybersecurity, without compromising accessibility.
