
Cyber Chief Magazine, Ed. 8

Cybersecurity 2020: Top Trends Shaping Management Priorities

INTERVIEW: Deidre Diamond, CEO at CyberSN and brainbabe.org: "There's a perfect storm in cybersecurity"

2019 was an action-packed year for cybersecurity, marked by significant new data privacy regulations as well as mega-breaches and massive fines. What will 2020 bring?

This edition of Cyber Chief Magazine reveals the important trends that will determine how organizations address cybersecurity challenges in 2020, and shares strategies that will help you prepare for the threats and seize the opportunities.

The Cyber Chief team
cyber.chief@netwrix.com
Contents

Cybersecurity: Facts and Figures
4 Data security successes and failures in 2019

Focus
6 Top IT priorities for 2020
10 Data privacy trends, issues and concerns for 2020

Analysis
14 Mitigating the risk of ransomware attacks in the public sector

Extra Security
18 How to reduce cybersecurity complexity and successfully manage risks
22 The ultimate list of data security solutions for protecting sensitive data
28 Establishing efficient data governance processes to add business value

First-Hand Experience
32 "A perfect storm in cybersecurity", interview with Deidre Diamond, founder and CEO at CyberSN and brainbabe.org

95% of cloud security failures will be the customer's fault (Gartner)
Cybersecurity: Facts and Figures

Data security successes and failures in 2019

Data security
$124 billion: global investment in information security in 2019 (Gartner)

Data privacy
107 countries have enacted legislation to protect data and privacy (United Nations Conference on Trade and Development)

Largest data protection fines (Lexology.com)
Equifax: $575M
British Airways: $224M
Marriott, Inc.: $121M
Google: $57M
Active Assurances: $198K
PwC: $165K

Breaches
In the first 9 months of 2019: 5,183 breaches reported, 7.9B records exposed (Data Breach QuickView Report)

What to expect in 2020

Data security
95% of cloud security failures will be the customer's fault (Gartner)
Cybercrime damage worldwide will double: from $3T in 2015 to $6T in 2021 (2019 Official Annual Cybercrime Report, Cybersecurity Ventures)
Top projects for CISOs/security officers: data security 90%; cybersecurity awareness among employees 62%; data privacy 59% (2020 Netwrix IT Trends Report)

Data privacy
Regulations coming into force: CCPA (California), January 1; LGPD (Brazil), August 15
Organizations don't expect to be in full compliance with the CCPA until July 1 ("CCPA Readiness: Second Wave," IAPP, OneTrust)
Privacy class-action lawsuits will increase by 300% (2020 Predictions, Forrester)
Data protection strategy: the top initiative for executives is an enterprise data strategy; advanced organizations will double their data strategy budget; 40% of companies will launch data literacy programs for all users (2020 Predictions, Forrester)
Focus

Top IT Priorities for 2020

Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist

In October 2019, Netwrix asked IT pros to name the five IT projects that will be their top priorities in 2020. We got feedback from 846 respondents worldwide. This is what we learned from their responses.

According to the Netwrix IT Trends 2020 report, data security takes the gold medal as the dominant priority for 2020. It was named by 74% of respondents, including 90% of CISOs and security officers, regardless of their organization's size, vertical or location. This is no surprise, given the rising number of breaches and the shortage of cybersecurity experts to combat them.

These same factors also likely contribute to automation of manual processes winning the silver medal in the survey. Increased automation was cited by 53% of respondents, including 57% of large businesses. Automation helps organizations boost the productivity and effectiveness of their current IT and cybersecurity talent.

The bronze medal goes to raising cybersecurity awareness, which was cited by 51% of respondents. Organizations recognize the importance of effecting a cultural shift among employees, both IT and non-IT. Surprisingly, this trend is even stronger among SMBs than large enterprises; 60% of SMBs say they will focus on training staff about cybersecurity hygiene.

Although data privacy didn't make the medal podium, it was named by 43% of respondents. Moreover, it boasted a strong showing among organizations of all sizes and verticals. With the explosion of compliance regulations focused on data privacy, such as the GDPR and the CCPA, data privacy is likely to be a top IT priority for the next several years.

TOP 5 IT PRIORITIES
74% Data security
53% Automation of manual processes
51% Cybersecurity awareness among employees
43% Data privacy
37% Cloud migration

№1 PRIORITY BY ORGANIZATION SIZE
SMBs: raising cybersecurity awareness among employees (60%)
Large enterprises: automation of manual processes (57%)

TOP TRENDS FOR CISOs
90% Data security
62% Cybersecurity awareness among employees
43% Data privacy

2020 Netwrix IT Trends Report


Top IT Priorities for 2020

KEY FINDINGS BY THE NUMBERS

74% of organizations named data security as their top IT priority for 2020.

54% of respondents plan to focus on automating manual tasks.

43% of organizations mentioned data privacy as their top goal. 52% of them are subject to privacy regulations.

33% of organizations intend to focus on digital transformation, integrating their existing solutions and cloud migration projects; these goals are mostly relevant for larger organizations.

ONLY 20% of organizations plan to focus on addressing the skills shortage through education of existing IT personnel or talent acquisition.
Focus

Data Privacy Trends, Issues and Concerns for 2020

Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist

One defining feature of 2019 was an increasing focus on data privacy around the world, including a variety of new government regulations. Data privacy is a hot topic because cyber attacks are increasing in size, sophistication and cost. Accenture reports that the average cost of cybercrime has increased 72% in the last five years, reaching US$13.0 million in 2018.

In this article, we will talk about pressing data privacy issues and how they can influence your business.

Why is data privacy important?

The recent focus on privacy concerns is driven by numerous cyber security attacks that led to massive breaches of personal data. In response, regulations designed to strengthen consumer privacy protection have been developed in countries around the world, from the U.S. to India to Australia. The EU's GDPR (General Data Protection Regulation) in particular has had an important impact. In addition, many individual states in the U.S. have adopted their own privacy protection laws, such as the CCPA (California Consumer Privacy Act), and their number is still growing. We should expect more legislative activity in the future, as Congress is working to implement a U.S. federal data privacy law.

Exactly why is data privacy important? It is important to consumers because a breach of personal information can damage an individual's fundamental rights and freedoms, including the risk of identity theft and other types of fraud. But data privacy concerns are also important to organizations. Any unauthorized collection, careless processing or inadequate protection of personal data introduces multiple risks. In particular, organizations that fail to comply with privacy requirements are at risk of steep fines, lawsuits and other penalties. The CCPA, for example, grants a private right of action if a breach occurs and the data was not encrypted or anonymized, and GDPR fines can reach 20 million euros or 4% of a company's global annual turnover for the preceding financial year. Authorities can even ban the business from processing personal data in the future.

These severe consequences for noncompliance are perhaps the strongest driver for rising privacy awareness among organizations. Organizations have to take privacy into account before they use an individual's data, for example, by selling customers' personal data to third parties. To meet modern compliance requirements and satisfy consumers, all organizations have to take steps to protect the healthcare records, financial data and other personally identifiable information (PII) they process and store against cyber attacks.
A focus on data privacy is a differentiator

Apart from legal sanctions, organizations face reputational risks if they fail to ensure data privacy protection. To maintain customer trust today, a company must demonstrate that data privacy is one of its core values. Indeed, while many businesses still view privacy policies as a set-and-forget legal routine, the consumer's attitude has changed. According to PwC research, only 25% of consumers believe most companies handle their personal data responsibly.

As people become more aware of the loose handling of their data by social networks, tech giants and governments, implementing strong control over handling of personal information is becoming a powerful business advantage. According to Gartner, brands that put in place user-level control of marketing data will reduce customer churn by 40% and increase lifetime value by 25% in 2023. Thus, companies will be working to meet the transparency bar by ensuring they can explain why they collect and share specific data, as well as prove that they have properly asked consumers for permission and notified them about data collection and processing.

Defending against supply chain attacks

One key trend for the coming year will be third-party risk management. While breaches at large enterprises dominate the headlines, their supply chains are an attractive target for hackers as well, because of their digital connections to larger enterprises.

Therefore, companies need to ensure that their partners, suppliers, resellers and service providers are protecting data properly. For example, the GDPR requires working only with third parties that demonstrate they have measures in place to protect personal data. Accordingly, organizations need to take a risk-based approach to evaluating partners and vendors, and establish agreements about topics such as data breach notification obligations and cooperation in fulfilling data subject requests.

The importance of employee training will grow

One key trend for 2020 will be efforts to increase data privacy awareness: organizations will be focusing on teaching staff about sensitive data security and data management policies. Creating a privacy- and security-aware culture is a requirement of many cybersecurity regulations.
Educating people about their rights and obligations, and regularly testing their adherence to your information privacy policy, is critical to security and compliance.

Conclusion

The coming years will undoubtedly bring new regulations with more stringent requirements and steeper penalties. However, there is no reason to delay implementing core best practices. Indeed, if you want to avoid appearing in the next big data breach headline, it is vital to start managing your risks now and make privacy a fundamental part of your DNA.
Analysis

Mitigating the Risk of Ransomware Attacks in the Public Sector

Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist

Ransomware attacks were on the rise around the world in 2019. In the U.S. alone, more than 620 government entities, public institutions, healthcare service providers, school districts, colleges and universities had their data held hostage. These relentless attacks have interrupted everyday life in U.S. cities by massively disrupting municipal operations, emergency and medical services, and educational institutions.

Why governmental agencies and public institutions are a primary target

Attackers target public institutions for several key reasons. First, they are more likely to pay up. After all, the goal of a ransomware attack is to disrupt operations badly enough and long enough that the organization will pay the ransom. According to Coveware, a typical ransomware incident lasts for 9.6 days, an eternity for any governmental organization or public institution under the constant pressure of public scrutiny, because so many people depend on its services. For example, DCH Health Systems, a network of Alabama hospitals, paid an undisclosed sum to attackers after encryption of critical files forced staff to use paper copies instead of digital records and turn away new patients. Similarly, more than 50 educational organizations experienced ransomware attacks last year, forcing some of them to delay the beginning of the academic year for thousands of students and their families; one district paid $88,000 for the decryption key after negotiating the payout down from $176,000.

Second, many governmental agencies and public institutions lack the resources to protect against cyber attacks in general and ransomware in particular. Many of them, especially smaller organizations, use managed service providers (MSPs) to help with IT operations, which often requires granting the MSPs elevated privileges. This provides an additional entry point for attackers, who target the MSP and distribute their ransomware to many of its clients at once. For instance, a single threat actor attacked 23 Texas government organizations using this attack path.

Of course, some municipalities refuse to pay ransom, which is the strategy recommended by many law enforcement agencies. Baltimore, for instance, declined to pay over $75,000 in bitcoin to an attacker and instead decided to recover the data from backups. Even so, the financial damage can be significant. Baltimore estimates the cost of the malware attack at $18 million, which includes not just remediation but hardening of the environment against future attacks.
How government and public institutions are responding to ransomware attacks

LEGISLATION. The U.S. Senate passed the DHS Cyber Hunt and Incident Response Teams Act, which authorizes the Department of Homeland Security to send teams to help private and public entities battle ransomware attacks.

CYBERSECURITY INSURANCE. In November 2019, the city of Baltimore approved the purchase of $20 million in cyber liability insurance to cover any additional disruptions to the city's networks in 2020. Cyber liability insurance will typically pay the ransom and other extortion-related expenses, as well as recovery costs for restoring or replacing programs and data.

MANDATORY TRAINING. After a coordinated attack on 23 Texas government organizations, the state announced it would require annual cybersecurity training for government employees. Dozens of other states are requiring security awareness programs as well. By teaching cybersecurity best practices, these programs aim to instill proper habits and procedures for protecting information resources.

Strategies for mitigating the risk of ransomware

There is no reason to believe that any organization can block all ransomware attacks. But there are ways to minimize the damage of ransomware infections. For example, when ransomware hit Louisiana state government systems in November 2019, the state was able to quickly detect the attack and neutralize it before it caused serious damage, because back in December 2017 the state had established procedures for dealing with cyber attacks and the agencies were prepared.

The following measures can help you limit the impact of a ransomware attack:

Take regular, comprehensive backups and keep them secure. Good backups are probably the best answer to the question, "How do I recover from a ransomware attack?" Regularly back up all critical information, and keep the backups isolated from your network.

Use network segmentation and intrusion prevention technologies. Segment your network to block ransomware from spreading. Use network access controls, firewalls, virtual local area networks (VLANs) and other techniques for intrusion prevention.

Properly configure your web filter, firewall and antivirus software to block access to malicious websites and scan all files that are downloaded.

Properly configure access to shared folders. If you use shared network folders, create a separate network share for each user. Since malware spreads using its victim's access rights, make sure that access is restricted to the fewest users and systems possible. Otherwise, the infection of one computer can lead to the encryption of all documents in all folders on the network.

Enforce least privilege access. More broadly, limit the damage ransomware can do by minimizing privileges based on each user's job requirements and performing periodic assessments to ensure adherence to the principle of least privilege.

Monitor user behavior. To spot ransomware in a timely manner, audit activity around data and set up alerts on abnormal spikes in file activity, which are indicative of ransomware in progress.

Conduct regular employee awareness training. People are the weakest link in your security, and their mistakes can cost the organization a fortune. Therefore, invest in raising security awareness through comprehensive training tailored to the specific groups of users accessing your network.

Increase attention to supply chain security. Third-party risk management should get more attention. The recent attacks on Texas cities through MSPs are the first sign of this new threat vector, but it will become increasingly popular as public agencies increase cloud adoption as mandated by the Federal Cloud Computing Strategy.

Conclusion

A final tip: Don't pay ransom. Paying ransom helps make these attacks a viable "business model" for the perpetrators. By establishing healthy habits, you can mitigate the risk of ransomware causing serious damage and recover without engaging with the attackers.
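The "monitor user behavior" measure above (alerting on abnormal spikes in file activity) can be implemented as a simple sliding-window detector over file-server audit events. The following is an added example written for this article, not code from the magazine or from Netwrix; the log line format, the thresholds and the sample events are all assumptions made for the example. It flags a user who produces more writes or renames in a minute than a person plausibly would, or who renames a handful of files to an extension that user has never written before, which is the typical side effect of encryption in progress.

```python
"""Ransomware burst detection over file-server audit events (added example).

Assumed audit line format: "<ISO timestamp> <user> <action> <path>", where
action is MODIFY, CREATE or RENAME and path is the (new) file path.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # sliding window kept per user (assumption)
RATE_THRESHOLD = 25              # writes/renames per window a human rarely reaches (assumption)
RENAME_THRESHOLD = 5             # renames to a never-written extension per window (assumption)

# Constructed sample audit lines: two users working normally, then a burst of
# renames to ".locked" that mimics a ransomware process at work.
SAMPLE_LOG = [
    "2020-01-15T09:00:01 alice MODIFY \\\\fs01\\finance\\q4-budget.xlsx",
    "2020-01-15T09:03:40 bob MODIFY \\\\fs01\\hr\\handbook.docx",
    "2020-01-15T09:05:12 alice RENAME \\\\fs01\\finance\\final.docx",
]
SAMPLE_LOG += [
    f"2020-01-15T09:10:{i:02d} mallory RENAME \\\\fs01\\shared\\doc{i}.docx.locked"
    for i in range(40)
]


def parse(line):
    """Split one audit line into (timestamp, user, action, path)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def extension(path):
    """Lower-cased extension of the last path component, '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_bursts(lines, window=WINDOW, rate_threshold=RATE_THRESHOLD,
                  rename_threshold=RENAME_THRESHOLD):
    """Return one alert per user whose activity inside any window crosses a threshold."""
    recent = defaultdict(deque)     # user -> deque of (timestamp, is_novel_rename)
    written_ext = defaultdict(set)  # user -> extensions the user has produced by writing
    alerts = {}                     # user -> first alert raised for that user

    for ts, user, action, path in sorted(parse(line) for line in lines):
        ext = extension(path)
        # A rename is "novel" when its target extension is one this user has never
        # produced by writing a file; a run of such renames is the encryption signature.
        novel = action == "RENAME" and ext not in written_ext[user]
        if action != "RENAME":
            written_ext[user].add(ext)

        events = recent[user]
        events.append((ts, novel))
        while ts - events[0][0] > window:   # drop events that fell out of the window
            events.popleft()

        novel_renames = sum(1 for _, is_novel in events if is_novel)
        if user not in alerts and (len(events) >= rate_threshold
                                   or novel_renames >= rename_threshold):
            alerts[user] = {
                "user": user,
                "time": ts.isoformat(),
                "events_in_window": len(events),
                "novel_renames": novel_renames,
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the detector stays quiet for alice and bob and raises a single alert for mallory at the fifth rename to an unfamiliar extension, long before the whole share is encrypted. In production the thresholds would be tuned per user group, and the alert would feed the response procedure (isolate the host, disable the account) rather than just print.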

17
Extra Security

How to Reduce Cybersecurity Complexity and Successfully Manage Risks

Matt Middleton-Leal
General Manager EMEA, CISSP

Managing cyber risks is an increasingly difficult challenge. Even as businesses generate more and more data and adopt new technologies and processes, cybercriminals are busy developing new attack strategies and more sophisticated malware. It is little wonder that the number of data breaches has increased by 67% over the last five years, as reported in a study by Accenture and the Ponemon Institute. Indeed, security sprawl and its impact on risk management are constantly discussed at industry events such as Infosecurity Europe 2019, demonstrating that the professional community is quite concerned about how to efficiently manage cyber risk today.

In my line of work, I get to speak with dozens of companies every month, all of which spend considerable time and money in pursuit of enterprise data security. The following are the best practices that I have seen help these organizations successfully manage cybersecurity risks in complex IT environments.

1. Make cybersecurity a strategic business goal.

Organizations often consider cybersecurity to be a technology issue rather than a business concern. This perspective leads IT teams to invest in hot technologies to address urgent security issues, rather than take a strategic approach to cybersecurity. Moreover, there is often a lack of effective communication between the IT department and C-level management; neither side knows how to articulate their needs and work together to reach a decision that supports business goals. As a result, organizations purchase siloed solutions, increasing complexity and making it even more difficult for IT teams to manage cyber risks.

BEST PRACTICES

Organizations should change this underlying mindset and establish a dialog between IT teams and non-IT management. One goal of this dialog should be to better prioritize security investments. The person responsible for IT security should provide line-of-business leaders with risk information, highlighting the areas that are the most risky. This will enable the business leaders to prioritize investments and give the IT department a defined direction for future investment. The second objective of the dialog should be to integrate security throughout all the organization's business processes. This involves many different areas, from the development of adequate security policies in accordance with a security-by-design framework to educating employees and establishing a security-centric culture. Only through such conversations can organizations align cybersecurity with business strategy and ensure that security acts as a business enabler rather than a roadblock.

2. Maintain a unified security posture.

A critical strategy for reducing cybersecurity complexity is unifying your security posture. Organic growth, mergers and acquisitions (M&A), and other business changes often leave behind a fragmented set of security tools and a hodgepodge of legacy IT systems that likely contain vulnerabilities. A textbook example of M&A cyber risk is Marriott, which recently reported a massive data breach that began years earlier at Starwood, a chain Marriott acquired, evidently without properly taking an inventory of its IT assets. The attackers had gained access to the Starwood guest reservation database, which was merged with Marriott's reservation system after the acquisition. Another example is Equifax, whose aggressive growth strategy resulted in a complex IT environment with custom-built legacy systems. This made IT security especially challenging and led to the highly publicized data breach.

BEST PRACTICES

Organizations that maintain a unified security posture rather than siloed systems have a better chance of detecting vulnerabilities and data breaches in their early stages, when the damage is entirely preventable. To achieve this, organizations should regularly inventory their systems, delete duplicate technologies and replace standalone solutions with cross-system applications. This approach will provide IT teams with a bird's-eye view of risks across the IT infrastructure and simplify risk management.

3. Identify your most sensitive data and monitor activity around it.

Experts predict that by 2020, 83% of enterprise workloads will be in the cloud. Therefore, there will be more and more data flowing between on-premises and public, private or hybrid cloud storage. Any sensitive data, such as PII, PCI or PHI, that pops up in an insecure location will be vulnerable to both insider and outsider threats, which can result in data breaches and fines for non-compliance.

BEST PRACTICES

To avoid security incidents, organizations should regularly locate the data they have, classify it according to its sensitivity and implement security controls consistently, starting with the most sensitive data. It is crucial to regularly assess and mitigate data risks like improper configuration and access settings. It is also essential to monitor activity around sensitive data and get alerts about anomalous behavior so suspicious sessions can be terminated quickly.

4. Empower IT teams to be proactive rather than reactive.

Perhaps one of the most difficult challenges in protecting against cyber threats is the scarcity of cybersecurity talent. (ISC)2 predicts that Europe will face a shortfall of 350,000 cybersecurity professionals by 2022. Without skilled people on board, IT teams struggle to combat evolving cyber threats and meet increasingly tough compliance regulations, especially when they are already overwhelmed by mundane daily tasks like resolving user lockouts, resetting passwords, and keeping systems and applications patched. As a result, IT departments cannot effectively manage cyber risks.

BEST PRACTICES

Automating as many routine tasks as possible will free up IT teams to focus on more strategic matters, such as keeping abreast of the threat landscape, improving cyber risk management, and reducing the time to detect and respond to incidents. Moreover, enabling existing staff to be more effective will help the organization weather the current shortage of skilled cybersecurity professionals.

Conclusion

There is no doubt that both data volumes and IT system complexity will continue to grow. The best way to mitigate the associated cybersecurity risks is to follow proven best practices. Great first steps are to align technology to your business; regularly inventory your security solutions to ensure integration and remove duplication; secure your most important data first; and automate routine tasks to improve IT team efficiency.
Extra Security

Top 12 Data Security Solutions to Protect Your Sensitive Information

Ilia Sotnikov
Jeff Melnik, Manager Solutions Engineering

Data breaches are all over the news, and organizations are acutely aware that even if they have achieved PCI compliance or SOX compliance, new compliance regulations like the GDPR demand more stringent data security controls. To help you improve your security and compliance posture, we have put together a list of the top 12 data security solutions for protecting sensitive data and passing audits.

1. Data Discovery and Classification

In order to protect your data effectively, you need to know exactly what sensitive information you have. A data discovery and classification solution will scan your data repositories for the types of data you consider important, based on industry standards or your custom requirements (such as PCI DSS data, GDPR data and IP), sort it into categories and clearly label it with a digital signature denoting its classification. You can use those labels to focus your data security resources and implement controls that protect data in accordance with its value to the organization. If data is modified, its classification can be updated. However, controls should be in place to prevent users from falsifying the classification level; for example, only authorized users should be able to downgrade the classification of data. Tools like Netwrix Data Classification make data discovery and classification easier and more accurate.

2. Firewall

A firewall is one of the first lines of defense for a network because it isolates one network from another. Firewalls exclude undesirable traffic from entering the network. In addition, you can open only certain ports, which gives hackers less room to maneuver to get in or download your data. Depending on the organization's firewall policy, the firewall might completely disallow some traffic or all traffic, or it might perform a verification on some or all of the traffic.

Firewalls can be standalone systems or included in other infrastructure devices, such as routers or servers. You can find both hardware and software firewall solutions.

3. Backup and Recovery

A backup and recovery solution helps organizations protect themselves in case data is deleted or destroyed. All critical business assets should be duplicated periodically to provide redundancy so that if there is a server failure, accidental deletion or malicious damage from ransomware or other attacks, you can restore your data quickly.

4. Antivirus

Antivirus software is one of the most widely adopted security tools for both personal and commercial use. There are many different antivirus software vendors in the market, but they all use pretty much the same techniques to detect malicious code, namely signatures and heuristics. Antivirus solutions help to detect and remove trojans, rootkits and viruses that can steal, modify or damage your sensitive data.

5. Intrusion Detection and Prevention Systems (IDS/IPS)

Traditional intrusion detection systems (IDS) and intrusion prevention systems (IPS) perform deep packet inspection on network traffic and log potentially malicious activity. An IDS can be configured to evaluate system event logs, look at suspicious network activity, and issue alerts about sessions that appear to violate security settings. An IPS offers detection capabilities but can also terminate sessions that are deemed malicious, though usually these are limited to very crude and obvious attacks such as DDoS. There is almost always an analytical step between alert and action: security admins assess whether the alert is a threat, whether the threat is relevant to them, and whether there's anything they can do about it. IPS and IDS are a great help with data protection because they can stop a hacker from getting into your file servers using exploits and malware, but these solutions require good tuning and analysis before making a session drop decision on an incoming alert.

6. Security Information and Event Management (SIEM)

Security information and event management (SIEM) solutions provide real-time analysis of security logs that are recorded by network devices, servers and software applications. Not only do SIEM solutions aggregate and correlate the events that come in, but they can perform event deduplication, removing multiple reports on the same instance, and then act based on alert and trigger criteria. A SIEM also usually provides an analytics toolkit that will help you find only those events that you currently need, such as events related to data security. SIEM solutions are vital for data security investigations.

7. Data Loss Prevention (DLP)

Data loss prevention systems monitor workstations, servers and networks to make sure that sensitive data is not deleted, removed, moved or copied. They also monitor who is using and transmitting data to spot unauthorized use.

8. Access Control

In most cases, users should not be allowed to copy or store sensitive data locally; instead, they should be forced to manipulate the data remotely. Moreover, sensitive data should ideally never be stored on a portable system of any kind. All systems should require a login of some kind, and should have conditions set to lock the system if questionable usage occurs.

In addition, sensitive files should be accessed only by authorized personnel. User permissions should be granted in strict accordance with the principle of least privilege. An access control list (ACL) specifies who can access what resource and at what level. It can be an internal part of an operating system or application. ACLs can be based on whitelists or blacklists. A whitelist is a list of items that are allowed; a blacklist lists things that are prohibited. In the file management process, whitelist ACLs are used more commonly, and they are configured at the file system level. For example, in Microsoft Windows, you can configure NTFS permissions and create NTFS access control lists from them. You can find more information about how to properly configure NTFS permissions in this list of NTFS permissions management best practices. Remember that access controls should be implemented in every application that has role-based access control (RBAC); examples include Active Directory groups and delegation.

9. Cloud Security Solutions

Individuals and enterprises tend to collect and store more and more data. This has led to direct attached storage (DAS), network area storage (NAS), storage area networks (SAN) and now cloud storage. Cloud storage enables you to store more and more data and let your provider worry about scaling issues instead of local administrators.

Despite these benefits, from a security standpoint, cloud storage can be troublesome. You need to be sure the cloud provider can adequately protect your data, as well as make sure you have proper redundancy, disaster recovery, and so on. Make sure that you encrypt the data, back it up, and implement as much control as possible.

You can get help from cloud security providers that sell security as a service (SECaaS), a subscription-based business model in which a large service provider integrates its security services into a corporate infrastructure and makes them available on a subscription basis. No on-premise hardware is needed by the subscriber, and the services offered can include such things as authentication, antivirus, antimalware/spyware, and intrusion detection. In this way, SECaaS can serve as a buffer against many online threats.

10. Auditing

To protect your sensitive information properly, you also need to audit changes in your systems and attempts to access critical data. For example, any account that exceeds the maximum number of failed login attempts should automatically be reported to the information security administra-

to sensitive information and associated permissions is critical. By using historical information to understand how sensitive data is being used, who is using it, and where it is going, you can build effective and accurate policies the first time and anticipate how changes in your environment might impact security. This process can also help you identify previously unknown risks. There are third-party tools that simplify change management and auditing of user activity, such as Netwrix Auditor.

11. Data Encryption

Data encryption is very important when you have top secret files that you don't want to be read even if they are stolen. Network sniffing and other hacker attacks aimed at stealing information are so common that passwords, credit card numbers and other sensitive information can be stolen over unencrypted protocols. Encrypted communication protocols provide a solution to this lack of privacy. For example, without Secure Sockets Layer (SSL) encryption, credit card transactions at popular websites would be either very inconvenient or insecure.

Although private data can be protected by cryptographic algorithms, encryption can also be used by hackers. Expensive network intrusion detection systems designed to sniff network traf-
tor for investigation. Being able to spot changes fic for attack signatures are useless if the attack-

26
er is using an encrypted communication channel. down so that it cannot be removed from the area.
Often, the encrypted web access provided for Also, a lock should be placed so that the case
customer security is used by attackers because cannot be opened up, exposing the internals of
it is difficult to monitor. Therefore, all critical data the system; otherwise, hard drives or other sen-
should be encrypted while at rest or in transit sitive components that store data could be re-
over the network. moved and compromised. It’s also good practice
to implement a BIOS password to prevent attack-
Portable systems should also use encrypted ers from booting into other operating systems
disk solutions if they will hold important data of using removable media.
any kind. For desktop systems that store critical
or proprietary information, encrypting the hard Another enterprise data leakage instrument is a
drives will help avoid the loss of critical informa- smartphone with a camera that can take high-res-
tion. In addition to software-based encryption, olution photos and videos and record good-qual-
hardware-based encryption can be applied. ity sound. It is very hard to protect your docu-
Within the advanced configuration settings on ments from insiders with these mobile devices or
some BIOS configuration menus, you can choose detect a person taking a photo of a monitor or
to enable or disable a Trusted Platform Module whiteboard with sensitive data, but you should
(TPM) — chip that can store cryptographic keys, have a policy that disallows camera use in the
passwords or certificates. A TPM can be used to building.
assist with hash key generation and to help pro-
tect smartphones and others devices in addition Monitoring all critical facilities in your company
to PCs. by video cameras with motion sensors and night
vision is essential for spotting unauthorized peo-
ple trying to steal your data via direct access to

12. Physical your file servers, archives or backups, as well as


spotting people taking photos of sensitive data in

Security restricted areas.

Each person’s workspace area and equipment


Physical security is often overlooked in discus- should be secure before being left unattended.
sions about data security. Having a poor physical For example, check doors, desk drawers and
security policy could lead to a full compromise windows, and don’t leave papers on your desk.
of your data. Each workstation should be locked

27
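As an added example (not from the magazine, and not a Netwrix Auditor feature), the failed-login rule from section 10 (Auditing) written as detection logic run over constructed audit-log lines; the log format, account names, addresses and the 10-minute window are assumptions made for the illustration.

```python
"""Flag accounts whose failed logins reach a threshold within a time window,
so they can be reported to the security administrator for investigation.
Added example; the log format and all sample data below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <account> <SUCCESS|FAILURE> <source IP>".
# alice fails twice and then succeeds (not suspicious); svc_backup fails five
# times in 20 seconds (suspicious); bob fails five times spread over two hours.
SAMPLE_LOG = """\
2020-01-15T08:00:01 alice FAILURE 10.0.0.5
2020-01-15T08:00:05 alice FAILURE 10.0.0.5
2020-01-15T08:00:09 alice SUCCESS 10.0.0.5
2020-01-15T09:10:00 svc_backup FAILURE 10.0.0.7
2020-01-15T09:10:03 svc_backup FAILURE 10.0.0.7
2020-01-15T09:10:07 svc_backup FAILURE 10.0.0.7
2020-01-15T09:10:12 svc_backup FAILURE 10.0.0.7
2020-01-15T09:10:20 svc_backup FAILURE 10.0.0.7
2020-01-15T12:00:00 bob FAILURE 10.0.0.9
2020-01-15T12:30:00 bob FAILURE 10.0.0.9
2020-01-15T13:00:00 bob FAILURE 10.0.0.9
2020-01-15T13:30:00 bob FAILURE 10.0.0.9
2020-01-15T14:00:00 bob FAILURE 10.0.0.9
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, account, result, source)."""
    ts, account, result, source = line.split()
    return datetime.fromisoformat(ts), account, result, source


def find_lockout_candidates(log_text, max_failures=5, window=timedelta(minutes=10)):
    """Return {account: (first_failure, last_failure, count, source)} for every
    account that reaches max_failures failed logins inside `window`.
    A successful login clears the account's recent-failure history, and
    failures older than `window` are dropped, so slow-spread failures
    (bob) do not trigger while a burst (svc_backup) does."""
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, account, result, source = parse_line(line)
        if result == "SUCCESS":
            recent[account].clear()
            continue
        q = recent[account]
        q.append(ts)
        while q and ts - q[0] > window:  # slide the window forward
            q.popleft()
        if len(q) >= max_failures and account not in flagged:
            flagged[account] = (q[0], ts, len(q), source)
    return flagged


def report(flagged):
    """Render one report line per flagged account for the administrator."""
    return [f"REPORT {acct}: {n} failed logins from {src} between "
            f"{first.isoformat()} and {last.isoformat()}"
            for acct, (first, last, n, src) in sorted(flagged.items())]


if __name__ == "__main__":
    for line in report(find_lockout_candidates(SAMPLE_LOG)):
        print(line)
```

The example reports rather than locks the account, which matches the text and avoids an attacker turning the threshold into a denial of service against legitimate users.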
Extra Security

Establishing Efficient Data Governance Processes to Add Business Value
Matt Middleton-Leal
General Manager EMEA, CISSP

These days, organizations are awash with more data than ever before. The challenges this presents are compounded by evolving regulatory changes such as the General Data Protection Regulation (GDPR), which has necessitated significant changes in the storage and handling of EU citizens' data.

Today's CIOs face a common challenge: to establish an information governance program that will enable the organization to embrace the data-driven era, while maintaining IT security and ensuring compliance during its implementation.

The success of an information governance program requires collaboration from the entire C-Suite, with CIOs, CISOs, chief data officers (CDOs) and chief compliance officers taking a strategic role. If organizations assign this task to the CDO only, it may not lead to the desired effect, as CDOs often lack the necessary authority and resources.

In fact, Gartner predicted that 90% of enterprises will have hired a CDO by 2019 to unlock the value of their information assets, but that just half will be considered a success in this regard.

What makes a value-driven information governance program?

The concept of information governance emerged from compliance, which concerns data protection and retention according to specific standards. However, as volumes of data increase in the data-driven era, information governance has evolved to include the management of other types of data, including non-sensitive data.

A recent report by the Compliance, Governance and Oversight Council found that 60% of corporate data has no "business, legal or regulatory value." If an organization is flooded with information, it complicates the protection of sensitive data, boosts storage costs, and hinders an employee's ability to locate necessary information among thousands of files. A holistic information governance program tackles all these issues and provides businesses with analytical insights and value.

Visibility into enterprise content is a fundamental aspect of value-driven information governance. It includes the ability to discover various types of data, classify it effectively and precisely, and identify ROT (redundant, obsolete and trivial) files across critical data sources. This empowers IT teams to clean up unnecessary data, enhance records management, and improve search capability. Such an approach can be applied to critical business areas, and metrics can be set based on their performance measures.

For example, analysts from Osterman Research suggest storage costs, user productivity, and the cost of the eDiscovery process as metrics, calculating that effective information governance can save an organization of 2,500 employees $52.8

Tips for implementing effective information governance

The implementation of a proper information governance program can present a headache for CIOs and CISOs, as it changes the ways in which organizations handle their data. Here are a few best practice tips for success:

Establish metrics

To establish actionable metrics and to set timely goals, it is important to calculate costs thoroughly. To evaluate storage costs, businesses should include the cost of the terabytes used, the cost of the labor required to manage the systems, and the cost of the space to house them.

They should consider the average size of emails, the number of employees, the file systems, the total number of SharePoint installations and so on, and then multiply all parameters by the annual growth rate. With this information at hand, organizations will be able to evaluate the cost savings from the information governance program by comparing costs before and after implementation.

Deploy the right technologies

It is essential to deploy a combination of technologies that enable an organization to understand various types of data and to maintain security controls over it throughout its lifecycle. The former starts with automated data classification that covers the broadest variety of the organization's information assets.

It is important that businesses consider whether their technology can accurately identify sensitive data as well as complex data such as proprietary PDF files, and whether it can identify duplicate or irrelevant content enterprise-wide. They must also ensure it can integrate with security solutions such as data loss prevention tools or auditing technologies, as well as with the required data sources.

Implement a defensible deletion program

Defensible deletion reduces risk by eliminating information in line with an organization's legal obligations and company guidelines. It also ensures the deletion of unnecessary information.

While many organizations conduct annual audits of their records in line with compliance standards, this type of activity should be conducted more regularly, and should cover both sensitive and non-sensitive data.

The approach I have described treats information governance as a vital step towards increasing an organization's overall data maturity. In the data-driven era, an effective strategy for data governance will help IT and security teams to articulate the value of such a program to the C-Suite, and ensure that value is derived from enterprise data without compromising on security or compliance.

EBOOK: Practical Steps to Establishing Good Information Governance
Interview

A perfect storm in cybersecurity
Deidre Diamond
CEO at CyberSN and brainbabe.org

Is there a shortage of cybersecurity talent? What are the main challenges that cybersecurity pros are facing? If you are looking to understand the issues that matter most in cybersecurity, there is no better person to ask than Deidre Diamond, founder and CEO of CyberSN and brainbabe.org.

Deidre has spent over 20 years leading technology and cybersecurity organizations, leveraging her strong sales background in cybersecurity software. Today, she is working to transform the cybersecurity employment marketplace through her two organizations: CyberSN, the largest staffing firm in the U.S. focused solely on cybersecurity, which works as a bridge between cybersecurity professionals and employers; its motto is "Where talent meets its match." Brainbabe.org develops opportunities for hiring and retaining women in cybersecurity, and also supports those already in the profession, with a communication framework that advances and empowers both women and men in the workplace.

We asked Deidre for her insights into the cybersecurity skills gap, the role of automation in cybersecurity and cybersecurity trends for 2020.

What are the top challenges in hiring in cybersecurity?

Deidre:

The cybersecurity talent marketplace is very complex, and there are many problems to be solved. A critical one is connecting cybersecurity experts with their future employers. Although a large portion of the community — 89% — are interested in looking at new opportunities, and as much as 99% are open to moving to new jobs, people often waste a lot of time on job searching. There is difficulty in matching a job opening with the right person with the appropriate skills.

A big part of this problem is that job descriptions are inaccurate. Cybersecurity has 35 job categories and around 115 titles. "Security engineer" can have eight different profiles. With changing technologies, there are many more titles coming that we don't know about yet. This complexity can be addressed by writing job descriptions and profiles in a common language so they make sense.

There is also a salary problem. IT pros normally make 25% more in cybersecurity than in technology. That's a challenge for businesses because it's hard for them to meet salary requirements.

Do you see a shortage of experts? If so, what is needed to address that problem?

Deidre:

Right now, there are 2 million cybersecurity roles empty worldwide, and 500,000 of them are in the U.S. However, the biggest problem is talent retention. Right now, the industry is not retaining cybersecurity professionals. If we want to solve the talent shortage, we need to have clearly defined roles and responsibilities, succession planning, and training — we need to invest in career development.

The more companies invest in their cybersecurity talent, the sooner we will see the impact because people will be willing to stay in cybersecurity. When companies have entry-level specialists and succession planning in their security departments, that would change the game. Right now, everybody expects specialists to come out of school already trained, and that's not how schools work — there is no hands-on training. That is starting to transform, mainly because universities see the problem, but it takes an eternity to change.

How do you see the role of automation in cybersecurity? Can automation help solve the skills shortage?

Deidre:

With advancements in technology, there is automation in all industries, and we welcome it. It helps from the perspective of jobs that people like to do — burnout happens less. And that's critical, because people who are trying to manage vulnerabilities have jobs with high burnout rates. An average cybersecurity employee does a 3-in-1 job, and most of them are emergency workers. Automation will help people enjoy their work, be more efficient, and be able to do things that are more powerful for the company.

Because attacks are growing and being secure is more important than being compliant, it is unlikely that the shortage will become less. We are going to cover part of the job through automation, but certainly that won't enable us to fully bridge the gap.

Has anything changed in the cybersecurity hiring market over the last five years?

Deidre:

The conversation about equality and inclusion is at the forefront now. Many initiatives today focus on policies that push organizations to appreciate diversity. People have begun to understand the need for women in cybersecurity. For a long time it was thought that tech and cybersecurity were a man's world, a man's job. That really caused a pipeline problem in the U.S.; we are short of women significantly. But there is also an inclusion challenge — we find that women leave the industry, so the problem is also about culture and working to explain that cybersecurity is more than a keyboard and a hoodie.

The good news is that there is a conscious conversation about diversity, which was hard to imagine several years ago. There are many organizations, including my own, focused on making changes, though it takes time. There are many programs like "Girls Who Code" and "Brownie Cybersecurity Badge," and universities and communities are helping girls think about cybersecurity and be attracted to it.

Final word

Right now, there is an imbalance between the demand for and supply of cybersecurity professionals. Combined with the lack of gender diversity and the susceptibility of these professionals to burnout, it seems the industry is in a critical situation.

With the rise of cyber attacks and the emergence of new technologies and regulations, the demand for cybersecurity professionals is not going to decrease any time soon. Therefore, it is extremely important to pay more attention to the many different factors that contribute to a balanced workforce and workplace for cyber pros. One of these factors is automation: making sure to automate as many internal processes as possible. This simple step will help ensure that the few cyber professionals in your organization whom you spent so much time searching for can focus on what's really important and let tools and software do the rest.
About Netwrix
Netwrix is a software company that enables information security and governance professionals to
reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the
full business value of enterprise content, pass compliance audits with less effort and expense, and
increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.