Cyber Chief Cybersecurity 2020 Top Trends Shaping Management Priorities INTERVIEW: Deidre Diamond, CEO at CyberSN and brainbabe.org, "There's a perfect storm in cybersecurity" Ed.8 Cyber Chief Ed. 8 Magazine 2019 was an action-packed year for cybersecurity, marked by significant new data privacy regulations as well as mega-breaches and massive fines. What will 2020 bring? This edition of Cyber Chief Magazine reveals the important trends that will determine how organizations address cybersecurity challenges in 2020, and shares strategies that will help you prepare for the threats and seize the opportunities. The Cyber Chief team cyber.chief@netwrix.com Contents Cybersecurity: Facts and Figures 4 Extra Security 18 How to reduce cybersecurity complexity and successfully manage risks 22 The ultimate list of data security solutions for protecting sensitive data 28 Establishing efficient data governance processes to add business value Data security successes and failures in 2019 95 % of cloud security failures will be the customer’s fault Gartner Focus 6 Top IT priorities for 2020 10 Data privacy trends, issues and сoncerns for 2020 Analysis 14 Mitigating the risk of ransomware attacks in the public sector First-Hand Experience 32 “A perfect storm in cybersecurity”, interview with Deidre Diamond, founder and CEO at CyberSN and brainbabe.org Cybersecurity: Facts and Figures Data security successes and failures in 2019 Data security $ $ Data privacy $124 107 BILLION COUNTRIES Global investment in information security in 2019 have enacted legislation to protect data and privacy Gartner United Nations Conference on Trade and Development $ Largest data protection fines Equifax Marriott, Inc. $121M $198K British Airways Google PwC $575M $224M Active Assurances $57M $165K Lexology.com Breaches 5,183 breaches reported 7.9B records exposed IN THE FIRST 9 MONTHS OF 2019 Data Breach QuickView Report What to expect in 2020 Data security Data privacy 95 % Regulations coming into force of cloud security failures will be the customer’s fault Gartner January 1 8 “CCPA Readiness: Second Wave,” Iapp, OneTrust $6T 6 $3T Privacy classaction lawsuits will increase by 2 0 2015 2021 2019 Official Annual Cybercrime Report, Cybersecurity Ventures TOP August 15 Organizations don’t expect to be in full compliance with the CCPA until July 1. Cybercrime damage worldwide will double 4 CCPA California LGPD Brazil projects for CISO/security officers Data security 90 % Cybersecurity awareness among employees 62 % Data privacy 59 % 2020 Netwrix IT Trends Report 300 % 2020 Predictions, Forrester Data protection strategy Top initiative for executives: Enterprise data strategy Advanced organizations will double their data strategy budget 40% of companies will launch data literacy programs for all users 2020 Predictions, Forrester Focus Top IT Priorities for 2020 Ryan Brooks Cybersecurity Expert, Netwrix Product Evangelist In October 2019, Netwrix asked IT pros to name Although data privacy didn’t make the medal the five IT projects that will be their top priorities podium, it was named by 43% of respondents. in 2020. We got feedback from 846 respondents Moreover, it boasted a strong showing among worldwide. This is what we learned from their re- organizations of all sizes and verticals. With the sponses. explosion of compliance regulations focused on data privacy, such as the GDPR and the CCPA, According to the Netwrix IT Trends 2020 report, data privacy is likely to be a top IT priority for the data security takes the gold medal as the dominant next several years. priority for 2020. It was named by 74% of respondents — including 90% of CISOs and security officers, regardless of their organization’s size, vertical or location. This is no surprise, given the rising numexperts to combat them. These same factors also likely contribute to automation of manual processes winning the silver medal in the survey. Increased automation was cited by 53% of respondents, including 57% of large businesses. Automation helps organizations boost the productivity and effectiveness of their current IT and cybersecurity talent. IT 2020 ber of breaches and the shortage of cybersecurity TRENDS Report The bronze medal goes to raising cybersecurity awareness, which was cited by 51% of respondents. Organizations recognize the importance of effecting a cultural shift among employees, both IT and non-IT. Surprisingly, this trend is even stronger among SMBs than large enterprises; 60% of SMBs say they will focus on train- Learn More ing staff about cybersecurity hygiene. 7 TOP 5 IT PRIORITIES 74 % DATA SECURITY 53% AUTOMATION OF MANUAL PROCESSES 51% CYBER SECURITY AWARENESS AMONG EMPLOYEES 43% DATA PRIVACY 37% CLOUD MIGRATION №1 PRIORITY BY ORGANIZATION SIZE SMBs Raising cybersecurity awareness among employees (60%) TOP LARGE Automation of manual ENTERPRISES processes (57%) TRENDS FOR CISOs 90% Data security 2020 Netwrix IT Trends Report 62% Cyber security awareness among employees 43% Data privacy Top IT Priorities for 2020 KEY FINDINGS BY THE NUMBERS 74 % of organizations named data security as their top IT priority for 2020. 54 % of respondents plan to focus on automating manual tasks. 43 % of organizations mentioned data privacy as their top goal. 52 % of them are subject to privacy regulations. 33 % ONLY 20 % of organizations plan to focus on addressing the skills shortage through education of existing IT personnel or talent acquisition. of organizations intend to focus on digital transformation, integrating their existing solutions and cloud migration projects; these goals are mostly relevant for larger organizations. Focus Data Privacy Trends, Issues and Concerns for 2020 Ryan Brooks Cybersecurity Expert, Netwrix Product Evangelist One defining feature of 2019 was an increasing Exactly why is data privacy important? It is import- focus on data privacy around the world, includ- ant to consumers because a breach of personal ing a variety of new government regulations. Data information can damage an individual’s funda- privacy is a hot topic because cyber attacks are mental rights and freedoms, including the risk of increasing in size, sophistication and cost. Accen- identity theft and other types of fraud. But data ture reports that the average cost of cybercrime privacy concerns are also important to organiza- has increased 72% in the last five years, reaching tions. Any unauthorized collection, careless pro- US$13.0 million in 2018. cessing or inadequate protection of personal data introduces multiple risks. In particular, organiza- In this article, we will talk about pressing data tions that fail to comply with privacy requirements privacy issues and how they can influence your are at risk of steep fines, lawsuits and other pen- business. alties. The CCPA, for example, grants the private right of action if a breach occurs and data was Why is data privacy important? not encrypted or anonymized, and GDPR fines can reach 20 million euros or 4% of a company’s global annual turnover for the preceding financial year. Authorities can even ban the business from processing personal data in the future. The recent focus on privacy concerns is driven by numerous cyber security attacks that led to mas- These severe consequences for noncompliance sive breaches of personal data. In response, reg- are perhaps the strongest driver for rising privacy ulations designed to strengthen consumer priva- awareness among organizations. Organizations cy protection have been developed in countries have to take privacy into account before they use around the world, from the U.S. to India to Aus- an individual’s data, for example, by selling cus- tralia. The EU’s GDPR (General Data Protection tomers’ personal data to third parties To meet Regulation) in particular has had an important im- modern compliance requirements and satisfy pact. In addition, many individual states in the U.S. consumers, all organizations have to take steps to have adopted their own privacy protection laws, protect the healthcare records, financial data and such as the CCPA (California Consumer Privacy other personally identifiable information (PII) they Act), and their number is still growing. We should process and store against cyber attacks. expect more legislative activities in the future, as Congress is working to implement a U.S. federal data privacy law. 11 A focus on data privacy is a differentiator Defending against supply chain attacks Apart from legal sanctions, organizations face One key trend for the coming year will be reputational risks if they fail to ensure data priva- third-party risk management. While breaches at cy protection. To maintain customer trust today, a large enterprises dominate the headlines, their company must demonstrate that data privacy is supply chains are an attractive target for hackers one of its core values. Indeed, while many busi- as well, because of their digital connections to nesses still view privacy policies as a set-and- larger enterprises. forget legal routine, the consumer’s attitude has changed. According to PwC research, only 25% Therefore, companies need to ensure that their of consumers believe most companies handle partners, suppliers, re-sellers, and service pro- their personal data responsibly. viders are protecting data properly. For example, the GDPR requires working only with third As people become more aware of the loose han- parties that demonstrate they have measures dling of their data by social networks, tech giants in place to protect personal data. According- and governments, implementing strong control ly, organizations need to take a risk-based ap- over handling of personal information is becom- proach to evaluating partners and vendors, and ing a powerful business advantage. According establish agreements about topics such as data to Gartner, brands that put in place user-level breach notification obligations and cooperation control of marketing data will reduce custom- in fulfilling data subject requests. er churn by 40% and increase lifetime value by 25% in 2023. Thus, companies will be working to meet the transparency bar by ensuring they can explain why they collect and share specific data, The importance of employee training will grow as well as prove that they have properly asked consumers for permission and notified them One key trend for 2020 will be efforts to increase about data collection and processing. data privacy awareness — organizations will be focusing on teaching staff about sensitive data security and data management policies. Creating a privacy- and security-aware culture is a requirement of many cybersecurity regulations. 12 Educating people about their rights and obligations — and regularly testing their adherence to your information privacy policy — is critical to security and compliance. Conclusion The coming years will undoubtedly bring new regulations with more stringent requirements and steeper penalties. However, there is no reason to delay implementing core best practices. Indeed, if you want to avoid appearing in the next big data breach headline, it is vital to start managing your risks now and make privacy a fundamental part of your DNA. Achieve, Maintain and Prove Compliance Learn More 13 Analysis Mitigating the Risk of Ransomware Attacks in the Public Sector Ryan Brooks Cybersecurity Expert, Netwrix Product Evangelist Ransomware attacks were on the rise around the of digital records and turn away new patients. world in 2019. In the U.S. alone, more than 620 Similarly, more than 50 educational organiza- government entities, public institutions, health- tions experienced ransomware attacks last year, care service providers, school districts, colleges forcing some of them to delay the beginning of and universities had their data held hostage. the academic year for thousands of students These relentless attacks have interrupted ev- and their families; one district paid $88,000 for eryday life in U.S. cities by massively disrupting the decryption key after negotiating the payout municipal operations, emergency and medical down from $176,000. services, and educational institutions. Second, many governmental agencies and Why governmental agencies and public institutions are a primary target Attackers target public institutions for several key reasons. First, they are more likely to pay up. After all, the goal of a ransomware attack is to disrupt operations badly enough and long enough that the organization will pay the ransom. According to Coveware, a typical ransomware incident lasts for 9.6 days — an eternity for any governmental organization and public institution under the constant pressure of public scrutiny because so many people depend on its services. For example, DCH Health Systems, a network of Alabama hospitals, paid an undisclosed sum to attackers after encryption of critical files forced staff to use paper copies instead public institutions lack the resources to protect against cyber attacks in general and ransomware in particular. Many of them, especially smaller organizations, use managed service providers (MSPs) to help with IT operations, which often requires granting the MSPs elevated privileges. This provides an additional entry point for attackers, who target the MSP and distribute their ransomware to many of its clients at once. For instance, a single threat actor attacked 23 Texas government organizations using this attack path. Of course, some municipalities refuse to pay ransom, which is the strategy recommended by many law enforcement agencies. Baltimore, for instance, declined to pay over $75.000 in bitcoin to an attacker and instead decided to recover the data from backups. Even so, the financial damage can be significant. Baltimore estimates the cost of the malware attack at $18 million, which includes not just remediation but hardening of the environment against future attacks. 15 How government and public institutions are responding to ransomware attacks LEGISLATION. The U.S. Senate passed the DHS Cyber Hunt and Incident Response Teams Act, which authorizes the Department of Homeland Security to send teams to help private and public entities battle ransomware attacks. CYBERSECURITY INSURANCE. In November 2019, the city of Baltimore approved the purchase of $20 million in cyber liability insurance to cover any additional disruptions to the city’s networks in 2020. Cyber liability insurance will typically pay the ransom and other extortion-related expenses, as well as recovery costs for restoring or replacing programs and data. MANDATORY TRAINING. After a coordinated attack on 23 Texas government organizations, the state announced it 16 would require annual cybersecurity training for government employees. Dozens of other states are requiring security awareness programs as well. By teaching cybersecurity best practices, these programs aim to install proper habits and procedures for protecting information resources. Strategies for mitigating the risk of ransomware There is no reason to believe that any organization can block all ransomware attacks. But there are ways to minimize the damage of ransomware infections. For example, when ransomware hit Louisiana state government systems in November 2019, the state was able to quickly detect the attack and neutralize it before it caused serious damage — because back in December 2017, the state had established procedures for dealing with cyber attacks and the agencies were prepared. The following measures can help you limit the impact of a ransomware attack: Take regular, comprehensive backups and keep them secure. Good backups are probably the best answer to the question, “How do I recover from a ransomware attack?” Reg- Monitor user behavior. To spot ransomware ularly back up all critical information, and keep in a timely manner, audit activity around data the backups isolated from your network. and set up alerts on abnormal spikes in file activity, which are indicative of ransomware Use network segmentation and intrusion prevention technologies. Segment your network to block ransomware from spreading. Use network access controls, firewalls, virtual local area networks (VLANs) and other techniques for intrusion prevention. Properly configure your web filter, firewall and antivirus software to block access to malicious websites and scan all files that are downloaded. Properly configure access to shared folders. If you use shared network folders, create a separate network share for each user. Since malware spreads using its victim’s access rights, make sure that access is restricted to the fewest users and systems possible. Otherwise, the infection of one computer can lead to the encryption of all documents in all folders on the network. Enforce least privilege access. More broadly, limit the damage ransomware can do by minimizing privileges based on each user’s job requirements and performing periodic assessments to ensure adherence to the principle of least privilege. in progress. Conduct regular employee awareness training. People are the weakest link in your security, and their mistakes can cost the organization a fortune. Therefore, invest in raising security awareness through comprehensive training tailored to the specific groups of users accessing your network. Increase attention to supply chain security. Third-party risk management should get more attention. The recent attacks on Texas cities through MSPs are the first sign of this new threat vector, but it will become increasingly popular as public agencies increase cloud adoption as mandated by the Federal Cloud Computing Strategy. Conclusion A final tip: Don’t pay ransom. Paying ransom helps make these attacks a viable “business model” for the perpetrators. By establishing healthy habits, you can mitigate the risk of ransomware causing serious damage and recover without engaging with the attackers. 17 Extra Security How to Reduce Cybersecurity Complexity and Successfully Manage Risks Matt Middleton-Leal General Manager EMEA, CISSP Managing cyber risks is an increasingly difficult challenge. Even as businesses generate more and more data and adopt new technologies and processes, cybercriminals are busy developing new attack strategies and more sophisticated malware. It is little wonder that the number of data breaches has increased by 67% over the last five years, as reported in a study by Accen- 1. Make cybersecurity a strategic business goal. ture and the Ponemon Institute. Indeed, security sprawl and its impact on risks management are Organizations often consider cybersecurity to be constantly discussed at industry events such as a technology issue rather than a business con- Infosecurity Europe 2019, demonstrating that cern. This perspective leads IT teams to invest the professional community is quite concerned in hot technologies to address urgent security about how to efficiently manage cyber risk to- issues, rather than take a strategic approach to day. cybersecurity. Moreover, there is often a lack of effective communication between the IT de- In my line of work, I get to speak with dozens partment and C-level management; neither side of companies every month, all of which spend knows how to articulate their needs and work considerable time and money in pursuit of en- together to reach a decision that supports busi- terprise data security. The following are the ness goals. As a result, organizations purchase best practices that I have seen help these or- siloed solutions, increasing complexity and mak- ganizations successfully manage cybersecurity ing it even more difficult for IT teams to manage risks in complex IT environments. cyber risks. BEST PRACTICES Organizations should change this underlying mindset and establish a dialog between IT teams and non-IT management. One goal of this dialog should be to better prioritize security investments. A person responsible for IT security should provide line-of-business leaders with risk information, highlighting the areas that 19 are the most risky. This will enable the business guest reservation database, which was merged leaders to prioritize investments and give the IT with Marriott’s reservation system after the ac- department a defined direction for future invest- quisition. Another example is Equifax, whose ag- ment. The second objective of the dialog should gressive growth strategy resulted in a complex be to integrate security throughout all the or- IT environment with custom-built legacy systems. ganization’s business processes. This involves This made IT security especially challenging and many different areas, from the development of led to the highly publicized data breach. adequate security policies in accordance with a security-by-design framework to educating employees and establishing a security-centric culture. Only through such conversations can organizations align cybersecurity with business strategy and ensure that security acts as a business enabler rather than a roadblock. BEST PRACTICES Organizations that maintain a unified security posture rather than siloed systems have a better chance of detecting vulnerabilities and data breaches in their early stages, when the damage is entirely preventable. To achieve this, organizations should regularly inventory their systems, 2. Maintain a unified security posture. A critical strategy for reducing cybersecurity complexity is unifying your security posture. Organic growth, mergers and acquisitions (M&A), and other business changes often leave behind a fragmented set of security tools and a hodgepodge of legacy IT systems that likely contain vulnerabilities. A textbook example of M&A cyber risk is Marriott, which recently reported a massive data breach that began years earlier at Star- delete duplicate technologies and replace standalone solutions with cross-system applications. This approach will provide IT teams with a birdseye view of risks across the IT infrastructure and simplify risk management. 3. Identify your most sensitive data and monitor activity around it. wood, a chain Marriott acquired, evidently without properly taking an inventory of its IT assets. Experts predict that by 2020, 83% of enterprise The attackers had gained access to the Starwood workloads will be in the cloud. Therefore, there 20 will be more and more data flowing between on board, IT teams struggle to combat evolving on-premises and public, private or hybrid cloud cyber threats and meet increasingly tough com- storages. Any sensitive data, such as PII, PCI or pliance regulations, especially when they are al- PHI, that pops up in any insecure location will be ready overwhelmed by mundane daily tasks like vulnerable to both insider and outsider threats, resolving user lockouts, resetting passwords, and which can result in data breaches and fines for keeping systems and applications patched. As a non-compliance. result, IT departments cannot effectively manage cyber risks. BEST PRACTICES To avoid security incidents, organizations should regularly locate the data they have, classify it according to its sensitivity and implement security controls consistently, starting with the most sensitive data. It is crucial to regularly assess and mitigate data risks like improper configuration and access settings. It is also essential to monitor activity around sensitive data and get alerts about anomalous behavior so suspicious sessions can be terminated quickly. BEST PRACTICES Automating as many routine tasks as possible will free up IT teams to focus on more strategic matters, such as keeping abreast of the threat landscape, improving cyber risk management, and reducing the time to detect and respond to incidents. Moreover, enabling existing staff to be more effective will help the organization weather the current shortage of skilled cybersecurity professionals. 4. Empower IT teams to be proactive rather than reactive. Conclusion Perhaps one of the most difficult challenges in first steps are to align technology to your busi- protecting against cyber threats is the scarcity of ness; regularly inventory your security solutions cybersecurity talent. (ISC)2 predicts that Europe to ensure integration and remove duplication; will face a shortfall of 350,000 cybersecurity secure your most important data first; and auto- professionals by 2022. Without skilled people mate routine tasks to improve IT team efficiency. There is no doubt that both data volumes and IT system complexity will continue to grow. The best way to mitigate the associated cybersecurity risks is to follow proven best practices. Great 21 Extra Security Extra Security Top 12 Data Security Solutions to Protect Your Sensitive Information Ilia Sotnikov Jeff Melnik Manager Solutions Engineering Data breaches are all over the news, and organi- Tools like Netwrix Data Classification make data zations are acutely aware that even if they have discovery and classification easier and more ac- achieved PCI compliance or SOX compliance, curate. new compliance regulations like the GDPR demand more stringent data security controls. To help you improve your security and compliance posture, we have put together a list of the top 12 2. Firewall data security solutions for protecting sensitive A firewall is one of the first lines of defense for a data and passing audits. network because it isolates one network from an- 1. Data Discovery and Classification other. Firewalls exclude undesirable traffic from entering the network. In addition, you can open only certain ports, which gives hackers less room to maneuver to get in or download your data. Depending on the organization’s firewall policy, the firewall might completely disallow some traffic In order to protect your data effectively, you need or all traffic, or it might perform a verification on to know exactly what sensitive information you some or all of the traffic. have. A data discovery and classification solution will scan your data repositories for the types of Firewalls can be standalone systems or included data you consider important, based on industry in other infrastructure devices, such as routers standards or your custom requirements (such as or servers. You can find both hardware and soft- PCI DSS data, GDPR data and IP), sort it into cat- ware firewall solutions. egories and clearly label it with a digital signature denoting its classification. You can use those labels to focus your data security resources and implement controls that protect data in accordance with its value to the organization. If data is modified, its classification can be updated. 3. Backup and recovery However, controls should be in place to prevent A backup and recovery solution helps organiza- users from falsifying the classification level; for tions protect themselves in case data is deleted example, only authorized users should be able or destroyed. All critical business assets should to downgrade the classification of data. be duplicated periodically to provide redundancy 23 so that if there is a server failure, accidental de- sessions that appear to violate security settings. letion or malicious damage from ransomware or An IPS offers detection capabilities but can also other attacks, you can restore your data quickly. terminate sessions that are deemed malicious, 4. Antivirus Antivirus software is one of the most widely adopted security tools for both personal and commercial use. There are many different antivirus software vendors in the market, but they all use pretty much the same techniques to detect malicious code, namely signatures and heuristics. Antivirus solutions help to detect and remove trojans, rootkits and viruses that can steal, modify or damage your sensitive data. 5. Intrusion Detection and Prevention Systems (IDS/IPS) but usually these are limited to very crude and obvious attacks such as DDoS. There is almost always an analytical step between alert and action — security admins assess whether the alert is a threat, whether the threat is relevant to them, and whether there’s anything they can do about it. IPS and IDS are a great help with data protection because they can stop a hacker from getting into your file servers using exploits and malware, but these solutions require good tuning and analysis before making a session drop decision on an incoming alert. 6. Security Information and Event Management (SIEM) Security information and event management Traditional intrusion detection systems (IDS) and (SIEM) solutions provide real-time analysis of se- intrusion prevention systems (IPS) perform deep curity logs that are recorded by network devic- packet inspection on network traffic and log po- es, servers and software applications. Not only tentially malicious activity. An IDS can be config- do SIEM solutions aggregate and correlate the ured to evaluate system event logs, look at sus- events that come in, but they can perform event picious network activity, and issue alerts about deduplication: removing multiple reports on the 24 same instance and then act based on alert and should be granted in strict accordance with the trigger criteria. It also usually provides analytics principle of least privilege. An access control list toolkit that will help you find only those events (ACL) specifies who can access what resource that you currently need such as events related and at what level. It can be an internal part of to data security. SIEM solutions are vital for data an operating system or application. ACLs can security investigations. be based on whitelists or blacklists. A whitelist is a list of items that are allowed; a blacklist lists 7. Data Loss Prevention (DLP) Data loss prevention systems monitor workstations, servers and networks to make sure that sensitive data is not deleted, removed, moved or copied. They also monitor who is using and transmitting data to spot unauthorized use. 8. Access Control In most cases, users should not be allowed to copy or store sensitive data locally; instead, they should be forced to manipulate the data remotely. Moreover, sensitive data should ideally never things that are prohibited. In the file management process, whitelist ACLs are used more commonly, and they are configured at the file system level. For example, in Microsoft Windows, you can configure NTFS permissions and create NTFS access control lists from them. You can find more information about how to properly configure NTFS permissions in this list of NTFS permissions management best practices. Remember that access controls should be implemented in every application that has role-based access control (RBAC); examples include Active Directory groups and delegation. 9. Cloud Security Solutions be stored on a portable system of any kind. All systems should require a login of some kind, and Individuals and enterprises tend to collect and should have conditions set to lock the system if store more and more data. This has led to direct questionable usage occurs. attached storage (DAS), network area storage (NAS), storage area networks (SAN) and now In addition, sensitive files should be accessed cloud storage. Cloud storage enables you to only by authorized personnel. User permissions store more and more data and let your provider 25 worry about scaling issues instead of local ad- to sensitive information and associated permis- ministrators. sions is critical. By using historical information to understand how sensitive data is being used, Despite these benefits, from a security stand- who is using it, and where it is going, you can point, cloud storage can be troublesome. You build effective and accurate policies the first time need to be sure the cloud provider can adequate- and anticipate how changes in your environment ly protect your data, as well as make sure you might impact security. This process can also help have proper redundancy, disaster recovery, and you identify previously unknown risks. There are so on. Make sure that you encrypt the data, back third-party tools that simplify change manage- it up, and implement as much control as possible. ment and auditing of user activity, such as Netwrix Auditor. You can get help from cloud security providers that sell security as a service (SECaaS), a subscription-based business model in which a large 11. Data Encryption service provider integrates its security services into a corporate infrastructure and makes them Data encryption is very important when you have available on a subscription basis. No on-premise top secret files that you don’t want to be read hardware is needed by the subscriber, and the even if they are stolen. Network sniffing and oth- services offered can include such things as au- er hacker attacks targeted on stealing informa- thentication, antivirus, antimalware/spyware, and tion is so common that passwords, credit card intrusion detection. In this way, SECaaS can serve numbers and other sensitive information can be as a buffer against many online threats. stolen over unencrypted protocols. Encrypted communication protocols provide a solution to 10. Auditing this lack of privacy. For example, without Secure To protect your sensitive information properly, inconvenient or insecure. Sockets Layer (SSL) encryption, credit card transactions at popular websites would be either very you also need to audit changes in your systems and attempts to access critical data. For example, Although private data can be protected by cryp- any account that exceeds the maximum number tographic algorithms, encryption can also be of failed login attempts should automatically be used by hackers. Expensive network intrusion reported to the information security administra- detection systems designed to sniff network traf- tor for investigation. Being able to spot changes fic for attack signatures are useless if the attack- 26 er is using an encrypted communication channel. down so that it cannot be removed from the area. Often, the encrypted web access provided for Also, a lock should be placed so that the case customer security is used by attackers because cannot be opened up, exposing the internals of it is difficult to monitor. Therefore, all critical data the system; otherwise, hard drives or other sen- should be encrypted while at rest or in transit sitive components that store data could be re- over the network. moved and compromised. It’s also good practice to implement a BIOS password to prevent attack- Portable systems should also use encrypted ers from booting into other operating systems disk solutions if they will hold important data of using removable media. any kind. For desktop systems that store critical or proprietary information, encrypting the hard Another enterprise data leakage instrument is a drives will help avoid the loss of critical informa- smartphone with a camera that can take high-res- tion. In addition to software-based encryption, olution photos and videos and record good-qual- hardware-based encryption can be applied. ity sound. It is very hard to protect your docu- Within the advanced configuration settings on ments from insiders with these mobile devices or some BIOS configuration menus, you can choose detect a person taking a photo of a monitor or to enable or disable a Trusted Platform Module whiteboard with sensitive data, but you should (TPM) — chip that can store cryptographic keys, have a policy that disallows camera use in the passwords or certificates. A TPM can be used to building. assist with hash key generation and to help protect smartphones and others devices in addition Monitoring all critical facilities in your company to PCs. by video cameras with motion sensors and night vision is essential for spotting unauthorized peo- 12. Physical Security ple trying to steal your data via direct access to your file servers, archives or backups, as well as spotting people taking photos of sensitive data in restricted areas. Each person’s workspace area and equipment Physical security is often overlooked in discus- should be secure before being left unattended. sions about data security. Having a poor physical For example, check doors, desk drawers and security policy could lead to a full compromise windows, and don’t leave papers on your desk. of your data. Each workstation should be locked 27 Extra Security Establishing Efficient Data Governance Processes to Add Business Value Matt Middleton-Leal General Manager EMEA, CISSP 28 These days, organizations are awash with more data than ever before. The challenges this presents are compounded by evolving regulatory changes such as the General Data Protection Regulation (GDPR), which has necessitated significant changes when it comes to the storage and handling of EU citizens’ data. Today’s CIOs face a common challenge to establish an information governance program that What makes a value-driven information governance program? will enable the organization to embrace the data-driven era, while maintaining IT security and ensuring compliance during its implementation. The success of an information governance program requires collaboration from the entire C-Suite, with CIOs, CISOs, chief data officers (CDO), and chief compliance officers taking a strategic role. If organizations assign this task to the CDO only, it may not lead to the desired effect, as they often lack the necessary authority and resources. In fact, Gartner predicted that 90% of enterprises will have hired a CDO by 2019 to unlock the value of their information assets, but just half will be considered a success in this regard. The concept of information governance emerged from compliance, where the former concerns data protection and retention according to specific standards. However, as volumes of data increase in the data-driven era, information governance has evolved to include the management of other types of data, including non-sensitive. A recent report by The Compliance, Governance and Oversight Counsel found that 60% of corporate data has no “business, legal or regulatory value.” If an organization is flooded with information, it complicates the protection of sensitive data, boosts storage costs, and hinders an employee’s ability to locate necessary information among thousands of files. A holistic information governance program tackles all these issues and provides businesses with analytical insights and value. 29 organizations handle their data. Here are a few Visibility into enterprise content is a fundamental aspect of value-driven information governance. It includes the ability to discover various types of data, classify it effectively and precisely, as well as to define ROT files across critical data sources. This empowers IT teams to clean up unnecessary data, to enhance records management, and to improve search capability. Such an approach can be applied to critical business areas, and metrics can be set based on their performance measures. For example, analysts from Osterman Research suggest storage costs, user productivity, and costs of eDiscovery process as metrics, calculating that effective information governance can save an organization of 2,500 employees $52.8 Tips for implementing effective information governance The implementation of a proper information governance program can present a headache for CIOs and CISOs, as it changes the ways in which 30 best practice tips for success: Establish metrics To establish actionable metrics as well as to set timely goals, it is important to calculate costs thoroughly. To evaluate storage costs, businesses should include costs of terabytes used, the cost of labor required to manage systems, as well as the cost of space to house them. They should consider the average size of emails, number of employees, file systems, the total number of SharePoint Installations and so on, and then multiply all parameters by the annual growth rate. With this information at hand, organizations will be able to evaluate cost savings from the information governance program before and after implementation. Deploy the right technologies It is essential to deploy a combination of technologies that enable an organization to understand various types of data as well as to maintain security controls over it throughout its lifecycle. The former starts with automated data classification that covers the broadest variety of organizations’ information assets. It is important that businesses consider if their technology can accurately identify sensitive data as well as complex data such as proprietary PDF files, for instance, and, identify duplicate or irrelevant content enterprise-wide. They must also ensure it can integrate with security solutions such as data loss prevention tools or auditing technologies as well as with the required data sources. Implement a defensible deletion program Defensible deletion reduces risk by eliminating EBOOK information in-line with an organization’s legal obligations and company guidelines. It also ensures the deletion of unnecessary information. While many organizations conduct annual audits of their records in-line with compliance standards, this type of activity should be conducted more regularly, and cover both sensitive and non-sensitive data. Practical Steps to Establishing Good Information Governance The approach I have described considers information governance as a vital step towards increasing an organization’s overall data maturity. In the data-driven era, an effective strategy for data governance will help IT and security teams to articulate the value of such a program to the Learn More C-Suite, and ensure that value is derived from enterprise data without compromising on security or compliance. 31 Interview A perfect storm in cybersecurity Deidre Diamond CEO at CyberSN and brainbabe.org There are 2 million cybersecurity roles empty worldwide What are the top challenges in hiring in cybersecurity? Deidre: Is there a shortage of cybersecurity talent? What The cybersecurity talent marketplace is very are the main challenges that cybersecurity pros complex, and there are many problems to be are facing? If you are looking to understand the solved. A critical one is connecting cybersecuri- issues that matter most in cybersecurity, there is ty experts with their future employers. Although no better person to ask than Deidre Diamond, a large portion of the community — 89% — are founder and CEO of CyberSN and brainbabe. interested in looking at new opportunities, and org. as much as 99% are open to moving to new jobs, people often waste a lot of time on job search- Deidre has spent over 20 years leading technol- ing. There is difficulty in matching a job opening ogy and cybersecurity organizations, leverag- with the right person with the appropriate skills. ing her strong sales background in cybersecurity software. Today, she is working to transform A big part of this problem is that job descrip- the cybersecurity employment marketplace tions are inaccurate. Cybersecurity has 35 job through her two organizations: CyberSN, the categories and around 115 titles. “Security en- largest staffing firm in the U.S. focused solely gineer” can have eight different profiles. With on cybersecurity, which works as a bridge be- changing technologies, there are many more tween cybersecurity professionals and employ- titles coming that we don’t know about yet. This ers; its motto is “Where talent meets its match.” complexity can be addressed by writing job de- Brainbabe.org develops opportunities for hiring scriptions and profiles in a common language and retaining women in cybersecurity, and also so they make sense. supports those already in the profession, with a communication framework that advances and There is also a salary problem. IT pros normally empowers both women and men in the work- make 25% more in cybersecurity than in technol- place. ogy. That’s a challenge for businesses because it’s hard for them to meet salary requirements. We asked Deidre for her insights into the cybersecurity skills gap, the role of automation in cybersecurity and cybersecurity trends for 2020. 33 Do you see a shortage of experts? If so, what is needed to address that problem? How do you see the role of automation in cybersecurity? Can automation help solve the skills shortage? Deidre: Right now, there are 2 million cybersecurity Deidre: roles empty worldwide, and 500,000 of them With advancements in technology, there is au- are in the U.S. However, the biggest problem tomation in all industries, and we welcome it. It is talent retention. Right now, the industry is helps from the perspective of jobs that people not retaining cybersecurity professionals. If we like to do — burnout happens less. And that’s want to solve the talent shortage, we need to critical, because people who are trying to man- have clearly defined roles and responsibilities, age vulnerabilities have jobs with high burnout succession planning, and training — we need to rates. An average cybersecurity employee does invest in career development. a 3-in-1 job, and most of them are emergency workers. Automation will help people enjoy The more companies invest in their cyberse- their work, be more efficient, and be able to do curity talent, the sooner we will see the impact things that are more powerful for the company. because people will be willing to stay in cybersecurity. When companies have entry-level spe- Because attacks are growing and being secure cialists and succession planning in their securi- is more important than being compliant, it is un- ty departments, that would change the game. likely that the shortage will become less. We are Right now, everybody expects specialists to going to cover part of the job through automa- come out of school already trained, and that’s tion, but certainly that won’t enable us to fully not how schools work — there is no hands-on bridge the gap. training. That is starting to transform, mainly because universities see the problem, but it takes an eternity to change. An average cybersecurity employee does a 3-in-1 job, and most of them are emergency workers. 34 Has anything changed in the cybersecurity hiring market over the last five years? Final word Right now, there is an imbalance between de- Deidre: The conversation about equality and inclusion is at the forefront now. Many initiatives today focus on policies that push organizations to appreciate diversity. People have begun to understand the need for women in cybersecurity. For a long time it was thought that tech and cybersecurity were a man’s world, a man’s job. That really caused a pipeline problem in the U.S.; we are short of women significantly. But there is also an inclusion challenge — we find that women leave the industry, so the problem is also about culture and working to explain that cybersecurity is more than a keyboard and a hoodie. The good news that there is a conscious conversation about diversity, which was hard to imagine several years ago. There are many organizations, including my own, focused on making mand and supply of cybersecurity professionals. Combined with the lack of gender diversity and ease of burnout of these professionals, it seems like the industry is in a critical situation. With the rise of cyber attacks and the emergence of new technologies and regulations, the demand for cybersecurity professionals is not going to decrease any time soon. Therefore, it’s ultimately important to pay more attention to the many different factors that contribute to a balanced workforce and workplace for cyber pros. One of these factors is automation — making sure to automate as many internal processes as possible. This simple thing will help ensure that those few cyber professionals in your organization that you spent so much time searching for can focus on what’s really important and let tools and software do the rest. changes, though it takes time. There are many programs like “Girls Who Code” and “Brownie Cybersecurity Badge,” and universities and communities are helping girls think about cybersecurity and be attracted to it. 35 About Netwrix Netwrix is a software company that enables information security and governance professionals to reclaim control over sensitive, regulated and business-critical data, regardless of where it resides. Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and knowledge workers. For more information visit www.netwrix.com WHAT DID YOU THINK OF THIS CONTENT? CORPORATE HEADQUARTER: PHONES: OTHER LOCATIONS: 300 Spectrum Center Drive Suite 200 Irvine, CA 92618 1-949-407-5125 Toll-free (USA): 888-638-9749 Spain: +34 911 982608 Netherlands: +31 858 887 804 Sweden: +46 8 525 03487 Switzerland: +41 43 508 3472 France: +33 9 75 18 11 19 Germany: +49 711 899 89 187 Hong Kong: +852 5808 1306 Italy: +39 02 947 53539 565 Metro Place S, Suite 400 Dublin, OH 43017 5 New Street Square London EC4A 3TW 1-201-490-8840 +44 (0) 203 588 3023 SOCIAL: netwrix.com/social Copyright © Netwrix Corporation. All rights reserved. Netwrix is trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners. 36