Cyber Chief Magazine December 2020


Cyber Chief Magazine, Ed. 12

2020: IT security lessons to learn
Top 7 cyber security predictions for 2021
Data Security Challenges 2021
2020 tested organizations for their adaptability, flexibility and stress resistance. In particular, IT and security management teams had to quickly adapt to new ways of working and implement new technologies with nearly no time for planning and testing. Many of them were forced to prioritize service availability over security; in fact, 85% of CISOs admit that they sacrificed cybersecurity to quickly enable working from home.

Now that we are all more comfortable with the new normal, it’s time for cybersecurity leaders to re-examine their earlier decisions with the goal of closing security gaps and getting ready for intense cyber threats in 2021.

This edition of Cyber Chief Magazine outlines the main focuses, risks and considerations in the coming year for cybersecurity leaders and shares strategies that will help you prepare for the most important challenges and seize the opportunities.

The Cyber Chief team
[email protected]
Contents

Facts and Figures
4 Data security: What happened in 2020, continues in 2021

Focus
6 Top seven cyber security predictions for 2021
10 Common cloud computing security issues and how to mitigate them

Analysis
14 2020: IT security lessons to learn

Extra Security
20 ROI: Expert tips for justifying security investments
26 All you need to know about cybersecurity assessment
31 The importance of data classification for data loss prevention
35 How to calculate return on security investment

First-Hand Experience
40 Flagler Bank mitigates IT risks and secures sensitive data


Data security trends in 2020

Cloud adoption
▪ 50% use of cloud services (McAfee, Cloud Adoption and Risk Report)

Cyber attack trends
▪ 300–400% cyberattacks (FBI’s Cyber Division report, MonsterCloud)
▪ 630% external attacks on cloud accounts (McAfee, Cloud Adoption and Risk Report)

Ransomware threat
▪ 800% ransomware attacks (McAfee, Cloud Adoption and Risk Report)
▪ 47% of ransomware attacks targeted RDP (Kroll)

Top reasons for breaches
▪ 45% hacking
▪ 28% errors
▪ 22% social engineering
Source: Verizon, 2020 Data Breach Investigations Report

What to expect in 2021

Work from home will continue
▪ 300% in remote work (of pre-COVID levels)
▪ 21% of US information workers will work from home, compared to 7% in 2019
Source: Forrester Predictions 2021

Cloud adoption will accelerate
▪ 35% in global public cloud infrastructure market
▪ 30% of firms will increase spend on cloud, security and risk, networks, and mobility
Source: Forrester Predictions 2021

Insider threat will grow
▪ The share of data breaches caused by insiders will increase from 25% in 2020 to 33% in 2021
Source: Forrester Predictions 2021

Top IT budget priorities for CIOs
▪ 61% cybersecurity
▪ 58% data analytics
▪ 53% cloud services
Source: Gartner CIO Agenda
Focus

Top Seven Cyber Security Predictions for 2021
Ilia Sotnikov
VP of Product Management at Netwrix, Official member of Forbes Technology Council

The year of 2020 has definitely shaken up the IT pros. The lockdown tested organizations for their reliance on distributed workforces, forcing accelerated digital transformation and broadening the IT threat landscape. Making predictions for the future is a tricky business, but I can state firmly that the ripple effects of this year won’t let security pros yawn their way through 2021. In this article, I will outline the key trends that will impact organizations in 2021 and beyond.

1. Ransomware will do more damage in order to motivate payments

Next-gen ransomware will be designed to do damage that is more difficult to recover from in order to force organizations into paying the ransom. One example is “bricking” devices by modifying the BIOS or other firmware. Cybercriminals will also be expanding to new targets, such as operational technology and IoT devices, which may have a much more visible impact on the physical world.

2. Cloud misconfigurations will be one of the top causes of data breaches.

A lack of clear understanding of the shared responsibility model due to the rapid transition to the cloud will backfire in 2021. The speed of transition coupled with prioritizing productivity over security has made misconfigurations inevitable, resulting in overexposed data.

3. Hackers will increasingly target service providers.

The shortage of cybersecurity experts will lead more organizations to turn to managed service providers (MSPs). In response, hackers will conduct targeted attacks on MSPs in order to get access to not just one organization but all of the MSP’s customers.

4. The rapid digital transformation in 2020 will have a delayed impact on cybersecurity in 2021.

In 2020, organizations were forced to quickly adapt to new ways of working and implement new technologies; and, by their own admission via the upcoming Netwrix survey, they did so with little experience and nearly no time for planning and testing. In 2021, the security gaps caused by the inevitable mistakes during this rapid transition will be exploited, and we will see new data breach patterns like the recent Twitter hacks.

5. Proof of value will drive business conversations.

Executives will be looking for specific metrics in order to assess the value delivered by the products and security measures the company is using. The practice of justifying the value of current investments and the necessity of new investments will become more generally accepted.

6. Companies will balance cybersecurity and business needs by focusing on risk.

The challenges of the pandemic will force organizations to reassess their priorities. In particular, IT teams will have to find the right balance between ensuring strong security and serving business needs like scalability and accessibility. Expectations will shift from the unrealistic notion of ensuring 100% security to determining and meeting acceptable levels of risk and resilience.

7. Insurance and legislation will drive mass adoption of core security best practices.

To minimize the risk of incurring steep fines for compliance failures, businesses will turn to cyber insurance. However, those policies will come with their own security standards and requirements, such as regular risk assessment and effective detection and response capabilities. As a result, organizations will focus as much on meeting those criteria as they do on complying with the regulatory standards themselves.

This year introduced significant challenges for everyone. In 2021, organizations will have to deal with the repercussions of the decisions they made when quickly transitioning to remote work, as well as respond to increased cybersecurity risks. I suggest organizations return to cybersecurity fundamentals and focus on ensuring that sensitive data resides only in secure locations, data is not overexposed and excessive access rights are revoked.
FOCUS

Common Cloud Computing Security Issues and How to Mitigate Them
Mike Tierney
VP of Customer Success, Security and Compliance Expert

Securing your cloud environment effectively is no easy task. What cloud security issues should you be prepared for? What are the most serious security risks? Which best practices are most effective at keeping your data safe?

In this article, we will explore the two primary cloud models and the principal security concerns you will face when using each model.

Private vs public cloud: How the security issues differ

There are two primary models for cloud environments: private and public. The cloud computing security issues you will face are mostly similar, but there are important differences that you need to understand.

Public cloud. Here, organizations don’t have much control over the details of the cloud infrastructure or the vendor’s security controls. There are various public cloud offerings, including IaaS (infrastructure as a service), PaaS (platform as a service) and SaaS (software as a service). Using a public cloud requires a thorough investigation of the provider’s security commitments and a clear understanding of the division of responsibilities. That way, you can ensure your business needs are met and establish a high level of trust in your providers.

Private cloud. Companies have full visibility and control over their infrastructure and applications. The flip side of gaining that full control is that you also have complete responsibility for:

▪ Deploying and maintaining the hardware and software
▪ Ensuring the physical security of your infrastructure
▪ Implementing appropriate security controls to protect against security threats and attacks

Top Cloud Security Issues and How to Mitigate Them

Data breaches in the cloud have become commonplace. They can be caused by outside attackers, malicious insiders or mistakes by well-intentioned admins. The first line of defense is to follow proven cloud computing best practices. It’s also essential to fully understand the most critical cloud security issues. Here are the top 5 risks and how to mitigate them.
Misconfigurations of security controls
Applicable to private and public clouds

In May 2019, the contact information of nearly 50 million Instagram users was exposed to anyone on the internet. The cause? The database simply was not password protected.

In this case, the database was hosted on an Amazon server, but the problem of misconfiguration is not limited to the public cloud. Indeed, in the public cloud there is less chance of screwing up because you have access to fewer configurations, while in a private cloud, you need to configure everything yourself, including setting up your firewalls, controlling encryption of sensitive data and deciding when to require multi-factor authentication.

Even a single misconfiguration, whether in the private or in the public cloud, can be devastating, as the example above clearly illustrates. To mitigate your risk, be sure to:

▪ Establish baseline configurations.
▪ Regularly audit your configurations and correct any drift from your baseline.
▪ Enable continuous change monitoring so you can detect and revert suspicious changes before they lead to a breach.
▪ Ensure you can investigate each change quickly and thoroughly. Be sure you will know exactly which settings were modified, who made the change, and when and where it happened.

Security of access
Applicable to private and public clouds

Proper management of access in the cloud is essential to minimizing the risk of data loss due to external attackers, malicious insiders, and errors like accidental sharing of sensitive data. There are many effective strategies, including the following:

▪ Adhering to the least-privilege principle when assigning access rights to both users and admins
▪ Conducting regular entitlement reviews and revoking excessive rights
▪ Monitoring for unauthorized changes and access
▪ Classifying your data
▪ Establishing and enforcing policies that determine how different types of data can be shared

Data security
Applicable to private and public clouds

There are many ways to improve data security. It’s essential to identify and mitigate vulnerabilities that could be exploited, as well as to monitor activity around your data, since lack of visibility gives malicious attackers free rein to steal information or do other damage.

One essential best practice for protecting your data is to perform data discovery across your IT ecosystem and classify each file by its content.
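As an added illustration of the misconfiguration mitigation steps above (baseline, drift audit, change monitoring, investigation of each change), and not code from the magazine or from Netwrix, here is a small Python drift check: it compares a constructed baseline with a later snapshot of the same settings and attaches who, when and from where to each finding using a constructed change log. All resource and setting names are hypothetical.

```python
"""Configuration drift check with change attribution (added example).

The baseline, the current snapshot and the change log below are constructed
sample data; resource and setting names are hypothetical placeholders.
"""
from dataclasses import dataclass
from typing import Any, Optional

# Constructed baseline: the approved settings for a storage bucket and a
# database in a fictional cloud account.
BASELINE = {
    "storage/customer-exports": {
        "public_access": False,
        "encryption_at_rest": True,
        "versioning": True,
    },
    "db/contacts": {
        "password_required": True,
        "allowed_cidrs": ["10.0.0.0/8"],
        "tls_required": True,
    },
}

# Constructed snapshot taken later: two settings have drifted from the
# baseline and one setting that is not in the baseline has appeared.
CURRENT = {
    "storage/customer-exports": {
        "public_access": True,          # drift: bucket is now world-readable
        "encryption_at_rest": True,
        "versioning": True,
    },
    "db/contacts": {
        "password_required": False,     # drift: database no longer needs a password
        "allowed_cidrs": ["10.0.0.0/8"],
        "tls_required": True,
        "backup_window": "03:00",       # new setting, absent from the baseline
    },
}

# Constructed change-log entries: who changed what, when and from where.
CHANGE_LOG = [
    {"ts": "2020-11-02T09:14:00Z", "resource": "db/contacts",
     "setting": "password_required", "actor": "svc-deploy", "src_ip": "10.1.2.3"},
    {"ts": "2020-11-03T18:40:00Z", "resource": "storage/customer-exports",
     "setting": "public_access", "actor": "jdoe", "src_ip": "203.0.113.7"},
]


@dataclass(frozen=True)
class Drift:
    resource: str
    setting: str
    expected: Any
    actual: Any
    actor: Optional[str] = None   # filled in from the change log when available
    ts: Optional[str] = None
    src_ip: Optional[str] = None


def find_drift(baseline, current):
    """Return every setting that differs from the baseline.

    Settings present on only one side are reported with the marker "<unset>",
    and a resource that is missing entirely (or unexpected) is reported with
    setting "*" so nothing silently disappears from or appears in the estate.
    """
    drifts = []
    for resource, expected_settings in baseline.items():
        actual_settings = current.get(resource)
        if actual_settings is None:
            drifts.append(Drift(resource, "*", "present", "missing"))
            continue
        for setting in sorted(set(expected_settings) | set(actual_settings)):
            expected = expected_settings.get(setting, "<unset>")
            actual = actual_settings.get(setting, "<unset>")
            if expected != actual:
                drifts.append(Drift(resource, setting, expected, actual))
    for resource in sorted(set(current) - set(baseline)):
        drifts.append(Drift(resource, "*", "missing", "present"))
    return drifts


def attribute(drifts, change_log):
    """Attach who/when/where from the change log to each drift finding.

    The latest matching log entry wins; a drift with no matching entry keeps
    actor=None, which is itself worth investigating (a change nobody logged).
    """
    out = []
    for d in drifts:
        matches = [e for e in change_log
                   if e["resource"] == d.resource and e["setting"] == d.setting]
        if matches:
            last = max(matches, key=lambda e: e["ts"])
            d = Drift(d.resource, d.setting, d.expected, d.actual,
                      last["actor"], last["ts"], last["src_ip"])
        out.append(d)
    return out


def report(baseline=BASELINE, current=CURRENT, change_log=CHANGE_LOG):
    """Full audit: find drift against the baseline and attribute each item."""
    return attribute(find_drift(baseline, current), change_log)


if __name__ == "__main__":
    for d in report():
        who = (f"by {d.actor} at {d.ts} from {d.src_ip}" if d.actor
               else "no change-log entry")
        print(f"{d.resource}: {d.setting} expected={d.expected!r} "
              f"actual={d.actual!r} ({who})")
```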
Shared responsibilities
Applicable to private and public clouds

In the public cloud, responsibility for cloud data security is shared between the cloud provider and the customer. You need to lock down all responsibilities and security guarantees as you negotiate a contract. While most cloud providers offer an array of features and configuration choices to help keep your data safe, you shouldn’t rely solely on them. Instead, supplement native security measures with your own to comply with legal and business requirements.

Compliance concerns
Applicable to private and public clouds

If your organization is subject to any compliance regulations, you need to be able to demonstrate to auditors that you have adequate control over and insight into the cloud environments you use. Among other things, that usually involves proving that your cloud services are configured properly, that you have appropriate controls in place around any regulated data you store in the cloud, and demonstrating that you have insight into activity around that data. Naturally, classifying your data is an invaluable part of the process, so you know exactly what regulated data you have and where it resides. In addition, you need a way to accurately and promptly satisfy data subject access requests (DSARs) whenever customers exercise their data privacy rights under the GDPR, CCPA and other regulations.

How to strengthen security and compliance in the cloud

The Netwrix data security platform delivers the deep insight and centralized control you need to strengthen security in your public and private cloud environments. In particular, it enables you to:

▪ Accurately classify sensitive information in the cloud and automatically reduce its exposure
▪ Enforce least privilege by seeing through the tangled permissions structure of cloud-based systems and spotting broken inheritance
▪ Know right away about changes to configuration and permissions that could compromise security
▪ Detect even the most clever threat actors with user behavior analytics
▪ Troubleshoot incidents quickly with Google-like search of audit data
▪ Establish required security controls and prove compliance to auditors with far less effort and expense
▪ Streamline the process of satisfying DSARs to avoid penalties
Analysis

2020: IT Security Lessons to Learn
Elena Vodopyan
Content marketing manager and a member of the Cyber Chief editorial team

The year 2020 reshaped business processes and accelerated changes in the way we work, communicate and live. The shift to remote work put a lot of strain on business processes, IT departments and security teams, and cybercriminals used panic and chaos to exploit the situation.

Here, we analyze the experiences of the past year and explore the most important challenges we should be prepared for in 2021, as well as share some comments from IT security pros.

Digitalization of the hybrid workforce will continue; insider threats are not going away

In 2020, the corporate perimeter went from fluid to non-existent. With the need to quickly meet the demands of a newly remote workforce, companies had to transform the way they operate, even while they had reduced teams, less investment in security and more cyberattacks. Cloud security became a new challenge for the many businesses that were not prepared to shift to a secure online environment. The speed of the transition, coupled with prioritizing productivity over security, made cloud security misconfigurations inevitable. “Those organizations that were already modernizing to support a flexible workforce were in good shape for the shift to remote working — but from our recent survey, 50% of organizations still aren’t ready to support and secure the flexible workforce,” says Todd Gifford, CTO at Optimising IT.

71% of companies believe that remote workers put their organizations at risk of data breach.
Ponemon, Cybersecurity in the Remote Work Era (2020)

60% of organizations found new security gaps as a result of the transition to remote work.
Netwrix, 2020 Cyber Threats Report

In 2021, businesses will continue to learn how to navigate hybrid work scenarios and adopt more technologies to enable workforce connections across physical locations. Companies will be normalizing policies to replace the stop-gap measures that were quickly deployed when they had to pivot to work-from-home. Otherwise, the security gaps caused by the inevitable mistakes
during this rapid transition will be exploited, and we will see new cloud security breaches linked to reduced security standards.

To combat these threats, companies will have to accelerate their plans for automation and security. Torsten George, cybersecurity evangelist at Centrify, expects that even the most sophisticated solutions might not be effective until they re-learn how to spot insider threats. “A lot of attention is paid to insider threat awareness but not always to the remedies. Fortunately, more tools are relying on AI technology to address this challenge, such as data loss prevention (DLP) and user and entity behavior analytics (UEBA). However, these tools have to establish a behavioral baseline first, because those baselines basically need to be redone to make those tools effective again.”

“2021 will be a time to take stock and retrospectively apply due diligence to all cloud applications and services brought online to support remote working in 2020. This means ensuring that security controls meet at least pre-COVID standards — with visibility, detection and response capabilities across cloud services, applications and infrastructure — across both current and ‘old normal’ cloud applications and services,” says Sam Humphries, security strategist, Exabeam.

The “ransomware-turned-data-breach” trend will cause more problems than ever

In 2021, ransomware should top the list of concerns for every company. While it used to target specific industries, now it is everywhere, targeting big and small companies alike. BitDefender’s Mid-Year Threat Landscape Report (2020) revealed a 715% increase in ransomware attack frequency in 2020. With ransomware variants continuing to evolve into more sophisticated threats, organizations will need a data protection strategy to outsmart them. “2021 will be our most challenging year yet in combating ransomware in the enterprise. The attacks don't just attempt to execute a lockout or encrypt data anymore, but are increasingly aimed at extracting or stealing data from organizations. While some cybercriminals may sell the data on the dark web, others may threaten to leak the data for a higher payout on the ransom. We predict that this will become hackers’ ransomware end game — though the risk of detection rises along with the potential payday,” commented Flint Brenton, CEO of Centrify.
The average ransom amount is close to 1 million USD.
Kroll, A Deep Dive Into the Latest Maze Ransomware TTPs

Every fourth organization suffered a ransomware or other malware attack in the early months of 2020.
Netwrix, 2020 Cyber Threats Report

Some experts expect regulatory groups to impose stricter and larger fines as a way to encourage companies to proactively fight ransomware. Therefore, businesses will invest more in cybersecurity to tackle ransomware attacks and avoid legal penalties. Trevor Bidle, Chief Information Security Officer at US Signal, says: “This is especially critical following the announcement by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) that paying ransom will not only encourage hackers to continue these attacks — but could now go against OFAC regulations.”

Avi Raichel, CIO at Zerto, says it’s smarter to prepare to recover than to pay ransom: “2021 will be the year of what I like to call ‘recoverware.’ The ability to recover is just as critical as all the protection walls companies are building. Companies need to invest in recovery solutions that are very fast and affordable, as this will save money in the long run as opposed to paying a ransom. Paying ransom makes you a target, but being able to recover and avoid downtime following an attack makes you wasted effort for those who want to profit from harming companies. After all, ransom doesn’t work if the target doesn’t have to pay it.”

Privacy regulations will increase; adopting a privacy-confident approach will help scale the business

Organizations still face the challenge of handling data, securing it and developing privacy by design. With the growing value of privacy, stringent data privacy laws have been paralyzing some businesses for the last few years. However, some
businesses are already getting more privacy-confident by adopting visible accountability for privacy. With a “privacy by design” approach, it might be easier to succeed in 2021.

Phil Strazzulla, CEO & Founder of Select Software Reviews, expects that the amount of data getting passed around will shrink down to a minimum. “It's one thing to pass around packets of PII when it's all on your secure corporate network, but as that network becomes less physical and more virtual, that data becomes a liability.”

Patrick Walsh, CEO at IronCore Labs, predicts that cloud providers will start offering more advanced data privacy features. “Privacy regulations in California and Europe have made it risky and expensive to hold the personal information of customers without proper protection. As a result, we expect the trend toward stronger data controls for SaaS customers to accelerate with more ‘bring your own key’ and ‘customer-held encryption key’ offerings and wider adoption of end-to-end encryption.”

In 2021, we will also see an increase in legislation around privacy. In the US, California, Nevada, and Maine led the way, but now 23 states have adopted similar regulations. Jay Ryerse, VP Cybersecurity Initiatives at ConnectWise, said that as soon as we see legislation regulating MSPs on its way, “we may see a lot of forward-thinking MSPs investing in education and attracting talent to close their cybersecurity skills gap and leverage that legislation as a competitive differentiator in the market.”
Extra Security

ROI: Expert Tips for Justifying Security Investments
Ilia Sotnikov
VP of Product Management at Netwrix, Official member of Forbes Technology Council

The challenges of ROI in IT security

Over the last few months, I’ve had a number of conversations about the need to justify security spending. This year has been tough for a lot of organizations, so IT budgets are generally not growing. Plus, the money already allocated often had to be re-prioritized to meet changing business needs. At the same time, executives and board members have become painfully aware of today’s cyber risks and the cost of not paying attention. They expect the IT team and IT security leaders to provide solid data points that enable the most effective security investment decisions.

That’s where many companies I talk to run into an unexpected roadblock. For decades, IT (and IT security) has been treated as a purely technical discipline, and top technical professionals were promoted into IT leadership positions. They can walk you through any sophisticated technology question, but not all of them speak the “business” language. This makes it tough for both sides of the conversation to come to productive decisions.

Another challenge for many IT leaders is a lack of factual data to rely on. In technology, you work with facts, and you have precise and defensible measurements. For example, you can report on the number of incidents over a given period of time, or the time needed to patch a vulnerable server. But how do you show the expected return on a security investment without stepping into the realm of assumptions and probabilities? This pushes a lot of IT pros, myself included, out of their comfort zone.

Let’s use these insights as an opportunity to see what’s out there.

The four pillars of ROI

When I have a chance to talk about security investments, whether in people, processes or technology, I always try to ask one question: How do you think this can pay off? The answers vary greatly, but they can be distilled into one or more of these four categories:

▪ This investment will save us money by reducing ongoing costs.
▪ This investment will help us comply with contractual obligations or industry or government regulations.
▪ This investment will reduce our business risks (by reducing probability, impact or both).
▪ This investment will enable us to pursue new business opportunities.
All four elements seem to be good reasons to invest. But where does each of these fit in the conversation, and how do you put it all together? Let’s look at each element in turn.

Operational cost savings

Cost savings is one of the most obvious measures of ROI, especially when the CIO or head of IT is also responsible for security. If a project enables you to reduce storage space, consolidate licenses, or reduce time and effort through automation, you can calculate the returns with reasonable certainty.

The caveat here is to understand that this should never be the only reason for the investment. The main goal of IT security is to manage risk, and you’re doing yourself a disservice with any project that does not start there. However, cost savings works great as an additional reason to invest in something that reduces a risk the company cares about.

Compliance

Organizations know they must comply with relevant regulations simply to continue staying in business. Many IT security teams leverage this and position new security initiatives as a must for compliance. It’s not uncommon to hear a tip like “use compliance to fund your security initiatives” in professional communities or conferences.

In general, it is true that regulations attempt to set minimum guidelines for securing certain types of data or activities. However, no regulation can give you a universal guidebook for securing your specific business against the current threats at a particular moment in time.

Compliance can be an effective way to start an ROI conversation and get attention in a less mature organization where the executive team is less aware of the real risks. However, it is potentially thin ice: You should never give in to a false sense of security based on ticking all the boxes of any compliance checklist.

Another pitfall you want to avoid is creating the perception that the IT security team is a “necessary evil” that executives will tolerate and even fund, but would happily get rid of if they could.

I am definitely not arguing you should not bring up compliance in a budgeting conversation. On the contrary, you should be aware of the current and anticipated regulatory requirements for your industry and jurisdiction. However, similar to operational cost reduction, I think it would be a mistake to over-rely on compliance as the primary way to justify a security investment.
Risk reduction

The primary goal of any IT security organization is risk management and mitigation. But understanding risks can be complicated: Is a newly discovered vulnerability a risk for your particular company? Should you pay attention to the news about state-backed APT groups like Lazarus?

The key is to match IT security risk management to the overall business risk management in your organization. Defense or financial organizations usually have a mature and established risk management strategy, sometimes with a dedicated role of Chief Risk Officer; if your organization has someone in that position, that’s who you want to learn from. But every organization is constantly making decisions about risk. Often, this responsibility falls to the CFO and the CEO. I believe you should seek their advice to build an aligned and consistent risk management strategy for the organization. Failing to do so creates additional work and can leave the organization exposed to real threats that IT overlooked due to lack of business involvement.

This brings us back to the challenge that I started with: How do you measure risk and expected savings? I won’t even try to unpack it all in one post; there are long books on the subject (here’s a good one: "How to Measure Anything in Cybersecurity Risk" by Douglas W. Hubbard and Richard Seiersen).

You will have to rely on expert opinion to estimate the cost of risk and the level of reduction. However, this does not mean you need to just guess. There is a two-way approach to avoiding guesses:

▪ Learn from inside. Learn from your business risk management process, and try to be consistent with it. You’ll need to establish a connection with the C-suite in order to do this, and you’ll need their input on the estimated losses.
▪ Learn from the outside. See if there is a relevant CISO group or forum you can join to learn from the experience of other companies. Another good source is industry research, such as the "Cost of Data Breach Report" by the Ponemon Institute, sponsored by IBM.

Don’t overcomplicate this — agree on an approach and use it consistently. After a few quarters, you will be able to see (and prove) trends and be able to adjust if needed.

Business opportunity

You might well have heard talks about “security as business enabler” at various industry events in the last few years. Most people seem to agree this is a great idea, but not many organizations succeed in delivering on this promise.
As with other aspects of ROI, communication is crucial here. You have to build connections and stay in touch with the executive team and business unit leaders. That way, you will have a chance to make security a part of each new project discussion — and an inseparable part of the implementation plan — from the very beginning.

Since you’re not the owner of a new business project, you cannot estimate the size of the returns on the opportunity overall. However, you don’t have to. I recommend referring to these new initiatives in your ROI conversations, but without trying to provide specific numbers.

Key takeaways

I started to work on this article in order to summarize my personal takeaways from all the conversations I had this year about ROI in security. Here’s my list:

▪ Use your judgement and expertise to estimate the risk mitigation for each investment. You don't have to be precise; accept imperfection. Remember that risk management expertise probably exists elsewhere in your company — try to learn from those people and leverage the same approach. Use the tools and data available to you.
▪ Learn to speak the business language. Security is not (only) a technical issue. There’s a lot you can learn from the CFO or CRO and the CEO, and you can use these conversations to help them learn more as well. Building a comprehensive risk management program that encompasses financial, reputational and security risks will help your business become stronger on all fronts.
▪ Keep communication lines open with leaders across the business. Security investment can (and often should) be part of new projects and new opportunities. Help business leaders see security not as a cost center, but as a strategic initiative.
▪ Leverage and balance all four ROI arguments. Although risk reduction should be the starting point, always consider how the same dollar spent can help your organization achieve compliance, reduce operational costs and/or support business opportunities.
Extra Security

All You Need to Know about Cybersecurity Assessment

Ryan Brooks
Cybersecurity Expert, Netwrix Product Evangelist

According to the national Common Vulnerabilities and Exposures (CVE) database, there are more than 11,000 known vulnerabilities in commonly used software and systems. IBM has calculated that breaches of these vulnerabilities cost large enterprises $3.92 million on average; for 60% of those breaches, patches were available but not applied.

To protect your assets, you need to perform regular cybersecurity assessments. Threats evolve constantly, and what protected you in the past might not be effective against today’s threats. You may also have legal obligations to conduct routine assessments, particularly if regulations like GDPR and HIPAA apply to your business.

In all cases, the more you know about the threats you face, the better prepared you will be to improve your cyber resilience.

What is a Cybersecurity Assessment?

A cybersecurity assessment examines your security controls and how they stack up against known vulnerabilities. It’s similar to a cyber risk assessment, a part of the risk management process, in that it incorporates threat-based approaches to evaluate cyber resilience. A complete security assessment includes a close look at the company’s overall security infrastructure.

Components

A cybersecurity assessment examines a company’s information technology infrastructure as well as its security-related policies and practices. It evaluates:

▪ Existing protective systems
▪ Compliance with security regulations
▪ Vulnerability to security incidents
▪ Resilience against potential harm

With this combined data, security teams can identify vulnerabilities and strengthen defenses.

Goals

A cybersecurity assessment aims to close vulnerability gaps and remediate weaknesses, prioritizing issues with the highest potential for bottom-line impact.

Assessments also help cybersecurity teams improve communication with upper management. The most effective security
27

strategies are integrated into all company operations. To make that happen, you need buy-in from decision-makers.

To achieve these goals, a cybersecurity assessment needs to include the following information:

▪ The nature and value of the company’s cyber assets
▪ The origin of potential threats
▪ The vulnerabilities that could allow cyber threats to materialize
▪ The likelihood of harm
▪ The risk or possible impact on operations and assets
▪ Level of compliance with privacy and security regulations

What Are the Steps in a Cybersecurity Assessment?

A complete cybersecurity assessment begins with inventory, progresses to vulnerability assessment, and ends with strategy.

STEP 1. Define Your Existing Security Posture

Your security posture is the overall strength of your cybersecurity framework. It incorporates hardware, software and where the two interact, as well as the policies and processes that move data along your network. This includes:

▪ Taking inventory of the protections built into your tech stack
▪ Documenting the procedures you use to mitigate risk

If you don’t have formal protocols in place, you’ll need to document that fact.

STEP 2. Review Compliance Requirements

Most companies have to comply with at least one cybersecurity regulation, but not every business knows which controls apply to them. It’s important to close this knowledge gap by assembling a complete list of:

▪ The regulations that apply to your company
▪ The security measures that each regulation mandates

If you don’t already have compliance software in place, now is the time to get it. The right tools help you stay compliant by identifying security gaps.

28
STEP 3. Assess the Maturity of Existing Security Controls

This is the meat of your cybersecurity assessment. It determines how well developed your security strategy is, based on your company’s goals and industry norms.

You’ll start by defining your risk profile and setting acceptable risk targets. Next, you’ll evaluate your security maturity against those targets, measuring any gap between controls and risks. You want to look at this information not just in isolation, but against industry standards and required compliance standards.

STEP 4. Develop a Risk Mitigation Roadmap

This is where you develop a strategy to close the gaps between your security posture and your risk targets. Your strategy needs to prioritize action steps and the proper allocation of resources. To do that, consider the value and cost of each asset. The prioritized plan will be what you report to decision-makers, framing recommendations against organizational priorities.

Types of Cybersecurity Assessment

How you approach your security assessment will depend on what information is most important.

Assessment of Cyber Infrastructure Effectiveness

This type of assessment involves a complete inventory of your organization’s security controls and an evaluation of how well they work. One effective technique is penetration testing, in which specially trained cybersecurity professionals document their attempts to breach defenses. This can be performed internally or ordered from a service provider.

An effectiveness assessment also assesses the resilience of your security posture: how quickly your security ecosystem could respond to and recover from an attack.

Assessment of Operational Resilience

Operational resilience measures an organization’s ability to do two things:

29
▪ Prevent disruptions from happening
▪ Quickly respond to and recover from a disruption in business processes

To test your operational resilience, you need to evaluate how well your company:

• Adapts its management approach and strategy based on prior threats
• Prepares for potential threats and monitors critical functions of at-risk systems
• Withstands cyber assaults while maintaining normal operations
• Recovers operations and restores tech infrastructures after an assault

This type of assessment will test the responses of your IT assets and systems as a whole, not just your cybersecurity practices or security posture.

Assessment of Management of External Dependencies

Every organization depends on external entities to some extent. Your organization can’t directly monitor the vulnerabilities of every party in your network, but you can evaluate and guard against the risks posed by each relationship.

To assess how well your company manages external relationships, you need to look at:

▪ Whether your company has a strategy for external dependencies
▪ How the company identifies and manages risks related to each dependency
▪ What relationship management systems are in place to stay informed about risks
▪ Whether a plan is in place to maintain continuity if a threat materializes

This is a complex and multifaceted process. It will involve stakeholders from all departments that have external dependencies.

Assessment of Risks and Vulnerabilities

This assessment focuses on where your ecosystem is more vulnerable to attack. To find gaps, you have to look at your people as well as your systems. In particular, you need to determine how vulnerable your systems are to social engineering, a strategy that hackers use to trick employees into granting access to crucial data. This will involve an evaluation of your teams’ cybersecurity practices and responses to potential threats.

Penetration testing is the other part of the equation. By testing how easy it is for a hacker to infiltrate your systems, you can pinpoint where you need to strengthen your security controls.

30
Extra Security

The Importance of Data Classification for Data Loss Prevention

Mike Tierney
VP of Customer Success, Security and Compliance Expert

31
Data loss prevention (DLP) tools and processes help ensure that critical data is not accessed or tampered with by unauthorized users. The underlying technology that can make or break your success in data loss prevention is data classification.

This article explains how data classification affects the success of your data loss prevention measures.

What is data classification?

Data classification is the process of organizing data into relevant categories. These categories can be general, such as Top Secret, Confidential and Public, or quite specific, such as categories aligned with particular regulatory compliance mandates like GDPR and HIPAA.

Data classification helps you improve information security and ensure data privacy by enabling you to assign appropriate access permissions and implement appropriate protection measures for different types of data, such as regularly identifying sensitive data that is overexposed.

What is data loss prevention (DLP)?

Data loss prevention involves protecting sensitive and critical information against inappropriate access or tampering. Data loss prevention tools and processes can reduce data leakage, data loss, data exfiltration, and other risks to critical data.

How does data classification help with data loss prevention?

Data classification helps with DLP in several ways:

Helps establish a firm foundation of strong data governance

Companies often try to put all their eggs in one basket when it comes to DLP, hoping that adopting a single comprehensive DLP product will cover all their data protection needs. But while DLP products do provide security measures, such as lowering the risk of a file on the network being delivered into the wrong hands, they’re not a complete solution.

Rather than focusing only on protecting data from loss with DLP solutions, you need the broad foundation of strong data governance throughout the entire data lifecycle. Data governance requires you to know:

▪ What kinds of data you have
▪ Where your data resides
▪ Who is allowed to access your data
▪ Who is actually accessing your data

Data classification helps by identifying and labeling sensitive and business-critical information, so you can ensure it is stored only in secure locations and enforce least-privilege and other access policies to reduce the risk of a data breach.

Reduces the number of false positive and false negative results

Accurate data classification is everything when it comes to successful implementation of DLP tools and processes. Inaccurate classification can lead to the following outcomes:

▪ The DLP tool could restrict access to non-sensitive data that was incorrectly tagged as sensitive, hurting productivity and interfering with critical business processes.
▪ The DLP could fail to flag unauthorized operations on sensitive data that was misclassified as non-sensitive, increasing the risk of a breach.

Automates the data classification process

Some DLP tools rely on manual classification — users must specify which category their files and other data fall into. This process puts you at risk of both omissions and errors: Users may fail to classify data at all, tag it inconsistently, or simply pick the first or easiest classification type to save time.

An automated data classification solution will provide reliable and consistent classification results across your company and ensure your DLP tool is working with accurate tags.

33
DLP and Netwrix Data Classification

Netwrix’s data classification software comes with key features that help ensure accuracy and consistency.

▪ Reusable index — Eliminate the need for lengthy data-recollection every time a new file appears or a classification rule gets changed, so accurate classification results are always available.

▪ Flexible taxonomy manager — Empower employees to easily create and modify taxonomies to meet your organization’s needs. Eliminate the need to purchase professional services whenever taxonomies need to be added or updated.

▪ Transparent classification results — See precisely why files were classified the way they were so you can analyze and modify your rules to improve accuracy.

▪ Remediation workflows — Create automated processes to quarantine sensitive data, revoke excessive permissions and redact data inside files.

The success of any DLP strategy depends upon proper data governance and accurate data classification. Knowing exactly what types of sensitive information you have will enable your DLP solutions to work better, maximizing the value of your investment.

34
Extra Security

How to Calculate Return on Security Investment

Matt Middleton-Leal
Cybersecurity expert, CISSP
Ilia Sotnikov

35
During my 20+ year career in IT, I have been involved in projects from many different angles. I have been an end user and a consultant; I have managed technology and I have sold it. But throughout it all, there has been one constant challenge: How to assess the return on investment for a technology you either provide or consume.

My journey has led me to IT security, and I often hear statements like, “It’s hard to measure the effectiveness of security investments. It’s like insurance: you know you need it, but you can’t put a value on it.” But this attitude is a no-go if you want to be an effective IT manager.

You absolutely need a method for accurately calculating your return on security investment (ROSI), so you can assess whether your cyber security strategy is meeting the goals of your department and your organization, and, if necessary, argue for additional budget. In this blog post, I describe how to calculate ROSI.

Classic return on investment

Return on investment (ROI) is a profitability ratio for a specific investment. It helps you determine whether you should make a purchase or skip it, or how a particular investment has performed to date.

The simplest way to calculate ROI is to quantify some kind of “return” or “benefit” and divide it by the “investment” or “cost”:

Calculating ROI

Why classic ROI doesn’t work for return on security investment

This ROI equation works only for investments that yield positive results, such as cost savings or revenue enhancements. But what is a security investment? This kind of investment neither increases revenues directly nor provides immediate payback; rather, security investments are about risk management that results in loss prevention and risk mitigation. Thus, a ROSI calculation should indicate how much loss the organization could avoid due to the security investment, so we need a different formula.

36
Choosing the right metrics for ROSI

Before we dive into how to calculate ROSI, it’s important to ensure that the process is practical and delivers reliable and actionable results. It’s essential to make sure that your metrics are:

▪ Easy to gather on a regular basis. If it costs a lot of time or money to gather the data you need, ROSI calculation will very quickly become a burden and outweigh any perceived benefit.
▪ Relevant to your business and the risks it faces.
▪ Relatively accurate. Since you are estimating threats that could strike your company, your calculations won’t be 100% accurate. Accept that and do the best you can.

Calculating ROSI — the quantitative risk analysis formula

The SANS Institute offers a quantitative risk analysis formula for estimating ROSI that has been widely adopted. Unlike simple ROI formulas, it is based on your assessment of the specific risks that a given security investment will address. Therefore, you need to clearly understand your security risk exposure and estimate the value of each asset that the security investment aims to protect. Here’s the formula:

Quantitative risk analysis formula for calculating ROSI

Let’s explore how to calculate each of the components in this formula.

Annualized loss expectancy (ALE)

The annualized loss expectancy (ALE) is the total monetary loss per year expected to result from a specific exposure factor if the security investment is not made. To calculate ALE, we multiply the single loss expectancy (SLE) by the annualized rate of occurrence (ARO):

Calculating ALE

Here are the two components of the ALE formula:

37
▪ Single loss expectancy (SLE) is the amount of money that will be lost in a single security incident. To estimate SLE, you need to inventory your data and other IT assets and add up the direct costs (e.g., technical investigations and legal penalties) and indirect costs (e.g., business downtime and increased customer churn rate) of damage to or loss of those assets.

▪ Annualized rate of occurrence (ARO) is the estimated frequency or expectancy of a threat striking within a year. This is a straightforward number that you can glean from historical records. For instance, if a certain threat has struck your organization only once in the last 10 years, it has an ARO of 0.1; if a threat occurs about 10 times each year, it has an ARO of 10.

Mitigation ratio

The mitigation ratio is the percentage of risks that the security investment would address. According to Sonnenreich, Albanese and Stout — some of the first researchers to tackle the problem of quantifying the value of security controls — it’s ok if your risk mitigation ratio is approximate. The best approach is to assess the predicted number of mitigated risks based on a scoring algorithm you choose yourself. Even if the data for the ROSI model is inaccurate, using this algorithm in a repeatable and consistent way will enable you to compare the relative value of different security investments.

Example

Let’s estimate the ALE and mitigation ratio for a fictional scenario and use them to calculate the ROSI for a proposed security investment.

Suppose you know that your file servers have shared folders containing files with sensitive information that are accessible by everyone in your company. You know that this data overexposure increases the risk of data compromise and loss, but you don’t know the exact number or location of the folders. To reduce this risk, your company is considering investing in a solution for discovering sensitive data. To determine whether this investment is justified, you need to do the math.

You predict that if you don’t have the solution, you’ll have an average of 10 security incidents per year (ARO = 10). Each incident could lead to a breach costing around $40,000 in data loss, fines, lost productivity and lost business (SLE = 40,000). Therefore, the ALE is 400,000.

The proposed data discovery solution is expected to mitigate this risk by 94% (mitigation ratio = 94%). The estimated cost of buying and managing the solution is $60,000.

So you can calculate the ROSI using the formula from above as follows:

38
Sample ROSI calculation

Using this calculation, you can argue that this investment will save the company about $316,000 ($400,000 * 0.94 – $60,000), for a 526% payback.

You can also use this formula to evaluate the ROSI of an existing investment. Just be sure to conduct an accurate risk assessment and understand your company’s risk exposure.

Modifying the ROSI formula with additional metrics

You can modify the quantitative risk analysis formula by including additional criteria that are industry-specific or just more important for your organization. Here are some examples:

▪ Risk profile versus industry peers — Comparing your security budget and execution to your peers in your industry can be quite useful. Industry-specific research will help you identify quantitative best practices, learn what threats your peers encounter and how they address them, and see baselines to orient yourself. I advise starting with research conducted by Gartner.

▪ Compliance status — If your company is subject to a new compliance standard or wants to improve its compliance with an existing one, you should include your compliance status as a factor when evaluating security investments. You can gather this data by conducting regular internal audits to check whether your processes align with the security frameworks mandated by the standard, checking your grades on recent audits, and determining what areas you need to work on.

▪ Organizational readiness to address incidents — I wrote about security simulations (“war-gaming”) in this blog post. You divide your security pros into two groups: One team attacks your infrastructure and the other group defends it. By conducting these games every once in a while, you will be able to track performance of your team members during the attack, test the effectiveness of your security program and investments, and compare the results you achieve with the previous games. For example, you can look at how much time the team needed to detect and respond to the attack and which individuals performed better and who needs additional training.
39
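The data discovery scenario worked above, as an added Python example (not the article's own code): it implements ALE = SLE × ARO and the ROSI ratio reconstructed from the article's numbers ($400,000 × 0.94 − $60,000 on a $60,000 spend), validates the inputs, and applies the same scoring to more than one candidate so their relative value can be compared, which is the consistency point the article makes about the mitigation ratio. The second candidate (a constructed pentest line item) and all function names are assumptions.

```python
"""Return on security investment (ROSI) with the quantitative risk analysis
formula the article describes: ALE = SLE x ARO, then the loss a control avoids
against what it costs.  Added example, not the article's own code.

Assumption: the ROSI formula is reconstructed from the article's worked
numbers ($400,000 * 0.94 - $60,000 = $316,000, quoted as a 526% payback):
    ROSI = (ALE * mitigation_ratio - cost) / cost
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityInvestment:
    name: str
    sle: float               # single loss expectancy: cost of one incident
    aro: float               # annualized rate of occurrence: incidents/year
    mitigation_ratio: float  # fraction of the risk the control removes, 0..1
    cost: float              # yearly cost to buy and operate the control

    def __post_init__(self):
        # Reject inputs that would make the ratio meaningless.
        if not 0.0 <= self.mitigation_ratio <= 1.0:
            raise ValueError("mitigation_ratio must be between 0 and 1")
        if self.cost <= 0:
            raise ValueError("cost must be positive")
        if self.sle < 0 or self.aro < 0:
            raise ValueError("sle and aro cannot be negative")


def ale(sle: float, aro: float) -> float:
    """Annualized loss expectancy: expected yearly loss if nothing is done."""
    return sle * aro


def aro_from_history(incidents: int, years: float) -> float:
    """Derive ARO from historical records, e.g. 1 incident in 10 years -> 0.1."""
    if years <= 0:
        raise ValueError("years must be positive")
    return incidents / years


def loss_avoided(inv: SecurityInvestment) -> float:
    """Net yearly saving: the risk the control removes, minus what it costs."""
    return ale(inv.sle, inv.aro) * inv.mitigation_ratio - inv.cost


def rosi(inv: SecurityInvestment) -> float:
    """ROSI as a ratio; 5.27 means the saving is 5.27x the money spent."""
    return loss_avoided(inv) / inv.cost


def rank_investments(candidates):
    """Order candidates by ROSI, best first.  Because one scoring method is
    applied to every candidate, the ordering is still useful when the
    underlying estimates are rough."""
    return sorted(candidates, key=rosi, reverse=True)


# Constructed scenario from the article: 10 incidents a year at $40,000 each,
# and a data discovery tool expected to mitigate 94% of that risk for $60,000.
DATA_DISCOVERY = SecurityInvestment("data discovery", sle=40_000, aro=10,
                                    mitigation_ratio=0.94, cost=60_000)
# Constructed second candidate, purely illustrative numbers.
ANNUAL_PENTEST = SecurityInvestment("annual pentest", sle=40_000, aro=10,
                                    mitigation_ratio=0.30, cost=45_000)

if __name__ == "__main__":
    for inv in rank_investments([DATA_DISCOVERY, ANNUAL_PENTEST]):
        print(f"{inv.name:15s} ALE=${ale(inv.sle, inv.aro):,.0f} "
              f"saves=${loss_avoided(inv):,.0f} ROSI={rosi(inv):.0%}")
```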
First-Hand Experience

Flagler Bank Mitigates IT Risks and Secures Sensitive Data

Flagler Bank is a locally owned community bank headquartered in Palm Beach County, FL, U.S. The company has three full-service branch offices and provides a full range of banking services, including personal banking, business banking, commercial loans and residential mortgages.

Like any other financial organization, Flagler Bank stores a large amount of sensitive and regulated financial data, such as customers’ income verifications, Social Security numbers and employment history. Because the bank did not have enough insight into its IT vulnerabilities, this customer data was at unnecessary risk. Moreover, the IT department was just one person, IT Officer William Cintron, so manually monitoring activity enterprise-wide was simply not possible. As a result, critical events that could lead to security incidents or downtime might be overlooked.

Finding the Solution

How can our organization detect and mitigate IT risks? How can we ensure the secure storage and proper handling of critical business data? How can we improve the efficiency of our IT department? All these questions led the management team to one conclusion: They needed an IT security solution that would provide the deep visibility required to identify and mitigate IT security risks, as well as keep a close eye on everything going on across the IT infrastructure.

The IT security solution the bank implemented fit the bill perfectly. First, it provides valuable insight into the bank’s security posture, including visibility into effective permissions and system configurations. With this actionable information, the IT department can ensure appropriate access controls are in place for all files containing sensitive data and ensure all systems are properly configured to reduce IT risk.

In addition, the solution delivers real-time alerting on critical changes, including modifications to configurations, security settings and critical content. This prompt threat detection enables the bank to take action before suspicious activity leads to a security incident. Moreover, the security software has eliminated the need for time-consuming and error-prone manual monitoring of the native system logs, which makes troubleshooting much faster and easier and frees up IT staff time for more strategic tasks. Mr. Cintron confirms, “I can identify and mitigate our IT security risks, and I know exactly what is going on across the network so I can quickly identify a potential problem before it leads to an incident.”

To read the complete case study, please visit: www.netwrix.com/success_story_flagler_bank.html

41
About Netwrix
Netwrix is a software company that enables information security and governance professionals to
reclaim control over sensitive, regulated and business-critical data, regardless of where it resides.

Over 10,000 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the
full business value of enterprise content, pass compliance audits with less effort and expense, and
increase the productivity of IT teams and knowledge workers.

For more information visit www.netwrix.com

Copyright © Netwrix Corporation. All rights reserved. Netwrix is a trademark of Netwrix Corporation and/or one or more of its subsidiaries and may be registered in the U.S. Patent and Trademark Office and in other countries. All other trademarks and registered trademarks are the property of their respective owners.

42
