Getting the Most Out of This Book

From Security for Everyone

Edition e1.0.0

Updated October 9, 2023

Legend

Key points are highlighted like this:

important An important note.

danger A danger or caution.

confusion A confusion or reminder.

In addition, you’ll find other items highlighted:

resources Additional readings or resources.

example An example or scenario or sample document.

story A personal story from the author.


Comments and Improvements

important If you’re reading this Holloway Edition of the book online, please remember you can add comments and suggestions. No book is perfect. This will help it improve in future revisions, and selected helpful comments will be published to assist other readers!

Where to Start Reading

I want to give you permission not to read this entire book.

Let me explain.

When it comes to securing what matters to us, we each start at a different place and have different goals. We bring with us a set of experiences, expectations, and skills. We each operate in a different set of circumstances with a different set of constraints. Your pathway towards security will be different to others around you and as such, your needs from this book will be different.

While you can of course read this material sequentially, you are equally encouraged to approach it in a way that suits you and where you are now:

  • If you have never approached security before, you will find that our sections progressively guide you from securing yourself to securing increasingly big or complex environments. By following that journey, you will learn how to identify where the value lies in your organization (and therefore what you may want to prioritize for protection) and then, step by step, build up the actions and understanding needed to build security into your environment.

  • If you are not new to security or you have already begun to take some actions to reduce common risks, you may wish to use the sections as a way to self-assess your maturity. By looking at the topics covered and the actions and suggestions we have included, you will be able to confirm your successes as well as identify any areas you may want to dig further into.

  • If you have been managing security for a while, your reasons for reading this book may be different: your aim may not be to improve your own posture but to empower others in your world to take similar actions or to communicate these concepts to those who do not share your experience. In this sense, Security for Everyone can be a tool to scale your security practice and enable others to join you in improving the security of what matters in your world. When you are approaching this book, instead of assessing your own maturity, assess the maturity of those you wish to lift up. Starting where they are will allow you to understand their challenges and find ways to assist and support as they mature.

Focus on the Risks Appropriate to You

As well as your personal experience with security, the environment you are trying to protect can change your requirements for security.

  • For individual security, this means the difference between protecting an occasional internet user from phishing attacks, and protecting a high-net-worth individual while they frequently trade stocks online. This difference in circumstances will change all aspects of your security approach—the risks you face, the impacts if they were to be exploited, and the processes, actions, and technologies you can use to manage the situation safely.

  • For those of us protecting businesses or other organizations, the field in which we work makes a big difference too. Whether you are in the finance sector or retail, non-profits or high tech—our industry, size, profile, and the types of data we handle will change the risks we face and the standards we are required to meet.

Whatever your environment or context, understand and work with where you are now. By working on the risks and requirements that are truly relevant to you, you are able to focus your time and resources to reduce the likelihood of security incidents in a meaningful way.

As your environment or business changes, the associated risk may change too. Be sure to review your context regularly, and don’t be afraid to change your security approach as the world around you changes. For example, if your organization grows, the risk changes around it.

Balance Technology and People

When we are approaching security for the first time, it can be daunting. Not only is there a lot to think about and cover, but many of the actions we need to take are associated with technologies or technical concepts that we may not be familiar with. Depending on your background and the role you play in your company, these can be a real challenge. It can be easy to dismiss security as something you can handle when you are technical enough or when you hire someone who has that specialist knowledge. In reality, sometimes it’s that delay or reluctance that makes us the most vulnerable. There is no right time to start security or perfect skill set that prepares you for it. The sooner we get started, the more small steps we can take to reduce our risk.

While technology has a role to play in securing our data, people, and systems, it is only part of the picture. Security requires us to balance technology, processes, and human actions to change the way we face situations that could cause us harm.

For example, take malicious or phishing emails. Buying a mail security product can feel like the answer to our problems. It should block suspicious email from reaching us. However, it takes more than buying a tool for this to work; without policy and process to configure and maintain that new tool, it will not prevent malicious email.

If we do not empower our people to identify and respond to emails that do slip through the cracks as we configure our defenses, we may still suffer from the consequences of this attack.

Make Lists of What Applies to You

important We will encourage you to apply the advice here as you read by making your own lists of devices, accounts, and data. As your business grows bigger, it will become more and more important to be aware of these assets, so that you can make sure they are secure. The need for security will grow over time, and having a list you can call upon and reference can be helpful in the long run.

How you keep and manage those lists will be up to you. We don’t encourage you to keep other sensitive information with those lists (like account passwords). However, these lists will give you a bit of a “security blueprint” for yourself and your business. Keep it safe, as you would any other type of blueprint-like document. I am more of a “list on my Google Keep” or “Asana board shared privately with the SafeStack team” kind of gal, but there is nothing wrong with good old-fashioned pen-and-paper lists stuck to your home office whiteboard.

Are You a Small Business or a Startup?

In Part II we address small businesses, in Part III we move on to startups, and Part IV is dedicated to mid-size and growing companies that are refining their strategy. The line between a small business and a startup is not always obvious, so let’s define what we mean. It is important to get this straight, as this dictates the security strategies we recommend you follow.

For the purposes of this book, especially in Part II and Part III, we are using the terms “small business” and “startup” to refer to businesses that meet the criteria in the table below. If your business is larger or more mature than the “startup” stage, you will likely find Part IV most helpful.

Table: Typical Characteristics of Small Businesses and Startups
